Gen.Variant.Strictor.56002_52ddeb2f6f

by malwarelabrobot on August 4th, 2014 in Malware Descriptions.

Gen:Variant.Strictor.56002 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 52ddeb2f6f10044b710a210078609a97
SHA1: 378d3435569f63cd05bc19870791ea7d8b658daf
SHA256: ece6ea8fc1c0431085bea0d8e444f96393e5843692416516cce3beddd50456fa
SSDeep: 12288:B1NcR8MGmg3eduPDAk9i 04lx2R0dzFldWG6txK x9j5oM1RbkkkqbvaaGqe9Xhf:qv1fdynjbldWG6txKooSzoZhb/L
Size: 782476 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MEW11SEv12, MEW11SEv11, UPolyXv05_v6, Mew11SEv12Eng
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1856

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):


Registry activity

The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 83 F6 21 EF CD A9 37 7B 0C BA 11 C5 D6 FE 84"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

The Trojan modifies the IE security zone settings so that all local web nodes whose names contain no dots and that do not belong to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\MediaPlayer\Health\{75451200-3571-4A62-9708-2C6998D2FB8F}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses.
The modified file is 1290 bytes in size. The following entries are added to the hosts file:

127.0.0.1 www.cfyuanji.com
127.0.0.1 www.cfyuanji.net
127.0.0.1 www.cfyuanji.cc
127.0.0.1 cfyuanji.com
127.0.0.1 cfyuanji.net
127.0.0.1 cfyuanji.cc
127.0.0.1 www.cfyalan.com
127.0.0.1 www.cfyalan.net
127.0.0.1 www.cfyalan.cc
127.0.0.1 yy.cfyalan.com
127.0.0.1 cc.cfyalan.com
127.0.0.1 cfyalan.com
127.0.0.1 cfyalan.net
127.0.0.1 cfyalan.cc
127.0.0.1 www.cftianyue.com
127.0.0.1 www.cftianyue.net
127.0.0.1 www.cftianyue.cc
127.0.0.1 cftianyue.com
127.0.0.1 cftianyue.net
127.0.0.1 cftianyue.cc
127.0.0.1 www.cfty.cc


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name      | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
MEW       | 4096            | 3145728      | 0        | 0       | d41d8cd98f00b204e9800998ecf8427e
(empty)   | 3149824         | 843776       | 781964   | 5.43219 | c255c36dd687ac57990ac37ea1aebb46

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE
ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /Ä¢¹½Í¼Æ¬.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cfmogu.com
Connection: Keep-Alive
Cookie: CNZZDATA4693566=cnzz_eid=402806039-1407069686-&ntime=1407069686


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:37 GMT

<<< skipped >>>

GET /v3/op/gamenew.51.com/platform/act/51wt/apic_img/swfobject.js?file_v=20140103001 HTTP/1.1
Accept: */*
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p1.pic.51img1.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:32 GMT
Content-Type: application/x-javascript
Last-Modified: Mon, 06 Jan 2014 03:45:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip

<<< skipped >>>

GET /h.js?a610b27b706bb69c6967099c6e5789fb HTTP/1.1
Accept: */*
Referer: hXXp://tg.wohai.com/download/download!todownload22.action?sid=14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Etag: 633fcf6665acb606e8718014d2a4b93f
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: application/javascript
Set-Cookie: HMACCOUNT=AF30599A7B97B45D; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Connection: Keep-Alive
Content-Length: 5355
Date: Sun, 03 Aug 2014 12:41:39 GMT
Server: apache

<<< skipped >>>

GET /hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=816163607&si=a610b27b706bb69c6967099c6e5789fb&st=1&v=1.0.62&lv=1&tt=我嗨娱乐平台 HTTP/1.1
Accept: */*
Referer: hXXp://tg.wohai.com/download/download!todownload22.action?sid=14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMACCOUNT=AF30599A7B97B45D


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Pragma: no-cache
Content-Type: image/gif
X-Content-Type-Options: nosniff
Connection: Keep-Alive
Content-Length: 43
Date: Sun, 03 Aug 2014 12:41:39 GMT
Server: apache


GET /stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1570658577 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs9.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /css/base_MIN_11.19.css HTTP/1.1
Accept: */*
Referer: hXXp://v.6.cn/event/promimg/?src=pming393
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vj1.6rooms.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 31 Aug 2014 04:30:02 GMT
Date: Fri, 01 Aug 2014 04:30:02 GMT
Server: ngx_openresty
Content-Type: text/css
Content-Length: 15444
Last-Modified: Fri, 01 Aug 2014 04:28:45 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 1
Age: 1
X-Via: 1.1 bjzw89:80 (Cdn Cache Server V2.0), 1.1 yfdx32:4 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /xm/novoice-270-200.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 115.236.19.58
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 29 Oct 2013 07:09:30 GMT
Accept-Ranges: bytes
ETag: "ce58bd075d4ce1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:48 GMT
Content-Length: 49855

<<< skipped >>>

GET /index.html?ad=457980 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 12:30:48 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Sun, 03 Aug 2014 13:30:48 GMT
Content-Type: text/html
X-Cache: MISS from CTS-GD-248-14.fastcdn.com
Age: 644
Content-Length: 6068
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /css/v8/s_index.css HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 17047
Date: Sun, 03 Aug 2014 11:59:53 GMT
Content-Type: text/css
Expires: Sun, 03 Aug 2014 12:59:53 GMT
Last-Modified: Tue, 08 Jul 2014 02:28:08 GMT
ETag: "14b8163-4297-4fda5579a3e00"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-248-13.fastcdn.com
F-In-Cache: father-in-cache
Age: 2499
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /images/v8/s_index/banner/1.jpg HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 34923
Date: Sun, 03 Aug 2014 12:06:59 GMT
Content-Type: image/jpeg
Expires: Sun, 03 Aug 2014 13:06:59 GMT
Last-Modified: Fri, 13 Jun 2014 11:49:22 GMT
ETag: "14b8103-886b-4fbb644b25480"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-212-39.fastcdn.com
F-In-Cache: father-in-cache
Age: 2077
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /images/v8/s_index/banner/3.jpg HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 36695
Date: Sun, 03 Aug 2014 11:45:53 GMT
Content-Type: image/jpeg
Expires: Sun, 03 Aug 2014 12:45:53 GMT
Last-Modified: Fri, 13 Jun 2014 11:49:23 GMT
ETag: "d48336-8f57-4fbb644c196c0"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-212-39.fastcdn.com
F-In-Cache: father-in-cache
Age: 3343
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /images/v8/s_index/banner/4.jpg HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 298828
Date: Sun, 03 Aug 2014 12:08:51 GMT
Content-Type: image/jpeg
Expires: Sun, 03 Aug 2014 13:08:51 GMT
Last-Modified: Tue, 08 Jul 2014 02:44:13 GMT
ETag: "d48420-48f4c-4fda5911ef940"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-212-18.fastcdn.com
F-In-Cache: father-in-cache
Age: 1965
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /scripts/jquery.js HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 78768
Date: Sun, 03 Aug 2014 12:02:09 GMT
Content-Type: application/javascript
Expires: Sun, 03 Aug 2014 13:02:09 GMT
Last-Modified: Tue, 18 Dec 2012 07:11:30 GMT
ETag: "c6063d-133b0-4d11b34fa8c80"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-248-13.fastcdn.com
F-In-Cache: father-in-cache
Age: 2367
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /css/v8/s_index.css HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=314238
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 17047
Date: Sun, 03 Aug 2014 11:59:53 GMT
Content-Type: text/css
Expires: Sun, 03 Aug 2014 12:59:53 GMT
Last-Modified: Tue, 08 Jul 2014 02:28:08 GMT
ETag: "14b8163-4297-4fda5579a3e00"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-248-13.fastcdn.com
F-In-Cache: father-in-cache
Age: 2504
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /images/v8/s_index/banner/1.jpg HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=314238
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 34923
Date: Sun, 03 Aug 2014 12:06:59 GMT
Content-Type: image/jpeg
Expires: Sun, 03 Aug 2014 13:06:59 GMT
Last-Modified: Fri, 13 Jun 2014 11:49:22 GMT
ETag: "14b8103-886b-4fbb644b25480"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-212-39.fastcdn.com
F-In-Cache: father-in-cache
Age: 2081
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /images/v8/s_index/banner/2.jpg HTTP/1.1

Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=314238
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 2084980
Date: Sun, 03 Aug 2014 12:03:41 GMT
Content-Type: image/jpeg
Expires: Sun, 03 Aug 2014 13:03:41 GMT
Last-Modified: Fri, 13 Jun 2014 11:49:23 GMT
ETag: "14b8104-1fd074-4fbb644c196c0"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-212-39.fastcdn.com
F-In-Cache: father-in-cache
Age: 2279
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /tools/wt_js/?channel_alias=tgly_14516&js_type=js_1&callback=wt_js_callback HTTP/1.1
Accept: */*
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tg.51.com
Connection: Keep-Alive
Cookie: PHPSESSID=f1ab7affcb84a997a4928d8059db9970; wtids20140803=6nmu; FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|MjAxMDEwMQ==|fHx8|; FO_TUID=SoliXY; foru=140706969015sBzNAc||game; _51usi=Ky2y3G


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Sun, 03 Aug 2014 12:41:39 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip


GET /AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E93C28C20555F6D3950211B08CB2C4F57&Url=&referer=http://VVV.cfmogu.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.okm918.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1961


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1961; expires=Sun, 03-Aug-2014 15:41:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:06 GMT
Content-Length: 372



GET /AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3EEE93164D10FA9E02A75B0DFE9AC2B853&Url=&referer=http://VVV.cfmogu.com/ HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.okm918.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1961


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1961; expires=Sun, 03-Aug-2014 15:41:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:07 GMT
Content-Length: 372


GET /game/upload_data/201403/201403181447095327ebeda78ee_1290.swf?v=3&s=7580 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.51img3.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/1.3.37.sa
Content-Type: application/x-shockwave-flash
Content-Length: 11420
Last-Modified: Tue, 18 Mar 2014 06:47:09 GMT
Accept-Ranges: bytes
Cache-Control: max-age=86400
Date: Sun, 03 Aug 2014 08:13:43 GMT
Age: 78541
Powered-By-VeryCDN: HIT from ctc-ty-1-1-c1111, HIT from utn-yz-1-1-c1131
Connection: keep-alive

<<< skipped >>>

GET /img/spreads/af.jpg HTTP/1.1
Accept: */*
Referer: hXXp://tg.wohai.com/download/download!todownload22.action?sid=14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: file.wohai.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 12:41:40 GMT
Content-Type: image/jpeg
Content-Length: 98760
Connection: keep-alive
Server: Apache
Last-Modified: Thu, 10 Jul 2014 09:30:20 GMT
Expires: Sun, 24 Aug 2014 12:39:15 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes
Age: 142
Via: http/1.1 fj.fz.cuc02_104_53.goocdn.com (fj.fz.cuc02_104_53.goocdn.com [cHs f ])

<<< skipped >>>

GET /js/LAB_0.1.js HTTP/1.1
Accept: */*
Referer: hXXp://v.6.cn/event/promimg/?src=pming393
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vj0.6rooms.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Tue, 02 Sep 2014 04:14:19 GMT
Date: Sun, 03 Aug 2014 04:14:19 GMT
Server: ngx_openresty
Content-Type: application/x-javascript
Content-Length: 2787
Last-Modified: Tue, 01 Jul 2014 23:47:32 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 46
Age: 1
X-Via: 1.1 bjzw89:80 (Cdn Cache Server V2.0), 1.1 yfdx33:0 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /css/base_MIN_11.19.css HTTP/1.1
Accept: */*
Referer: hXXp://v.6.cn/event/promimg/?src=pming393
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vj1.6rooms.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 31 Aug 2014 04:30:02 GMT
Date: Fri, 01 Aug 2014 04:30:02 GMT
Server: ngx_openresty
Content-Type: text/css
Content-Length: 15444
Last-Modified: Fri, 01 Aug 2014 04:28:45 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 1
Age: 1
X-Via: 1.1 bjzw89:80 (Cdn Cache Server V2.0), 1.1 yfdx32:4 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /AShow.aspx?AID=9756 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.myzwqwe12.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1711|1961|1933|1805


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1805; expires=Sun, 03-Aug-2014 15:41:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:06 GMT
Content-Length: 2543

<<< skipped >>>

GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1DE2C6588D895ED19146532D57DCED5822914FE61C840909B6&referer=http://VVV.cfmogu.com/&utz=1407051797170 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.okm918.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1961


HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: hXXp://v.6.cn/event/promimg/?src=pming393
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1961|1983; expires=Sun, 03-Aug-2014 15:41:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:09 GMT
Content-Length: 158
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://v.6.c
n/event/promimg/?src=pming393">here</a>.</h2>..</bod
y></html>....


GET /download/download!todownload22.action?sid=14516 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: tg.wohai.com


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E6167922DDA5B8F0657FEECCEB0D73C1-n1; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 03 Aug 2014 12:39:54 GMT
2000..............<!DOCTYPE html>..<!--[if lt IE 7]>
<html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->..
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->..
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->..
<!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->..
<head>.. <meta charset="utf-8">.. <meta http-equiv="X-UA-Compatible"
content="IE=edge,chrome=1">.. <title>..................</title>..
<meta name="viewport" content="width=device-width">..
<link rel="shortcut icon" href="hXXp://file.wohai.com/img
/icc.ico">.. <style type="text/css">.....clearfix {*zoom:
1;}.....clearfix:before,.clearfix:after { display: table; line-height
: 0; content: "";}.....clearfix:after {clear: both;}.. . html, bu
tton, input, select, textarea {....font: normal 13px/1.5 'Microsoft Ya
hei', Tahoma,'Helvetica Neue', 'Hiragino Sans GB', 'Segoe UI', Arial,
STHeiti, sans-serif;....color: #222;....}....body{background:#f039cb;m
argin:0px; padding:0px; font-size:12px;text-align: center;background:
url("hXXp://file.wohai.com/img/spreads/0709body_bg.jpg") #6c3981 cente
r top no-repeat;}.....wrap{margin:0 auto;width:1000px;height: 754px;}.
....bd{position: relative;width: 1000px;height: 475px;}.....ft{positio
n: relative;}.....bd .btn{position: absolute;top:330px;left:543px;heig
ht: 88px;background: url("hXXp://file.wohai.com/img/spreads/bt_gro

<<< skipped >>>

GET /event/promimg/?src=pming393 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v.6.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 03 Aug 2014 12:47:36 GMT
Date: Sun, 03 Aug 2014 12:39:16 GMT
Server: ngx_openresty
Content-Type: text/html
Content-Length: 6010
Last-Modified: Sun, 03 Aug 2014 12:33:55 GMT
Cache-Control: max-age=500
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 2
Age: 139
X-Via: 1.1 bjzw90:88 (Cdn Cache Server V2.0), 1.1 yfdx32:6 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=916191384 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs9.cnzz.com
Connection: Keep-Alive
Cookie: cna= RtlDGPZslwCAbhrJiZ/6hAT


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 03 Aug 2014 12:41:31 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /img/pic1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.3.0
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 428
Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Expires: Mon, 04 Aug 2014 12:41:30 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes


GET /stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1435798481 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs9.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /img5/flashlayer/533138d44ad23/2.swf?v=3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cdn.51img3.com/game/upload_data/201403/201403181447095327ebeda78ee_1290.swf?v=3&s=7580
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.51img5.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.66
Content-Type: application/x-shockwave-flash
Content-Length: 144447
Last-Modified: Tue, 25 Mar 2014 08:05:40 GMT
Accept-Ranges: bytes
Cache-Control: max-age=86400
Date: Sun, 03 Aug 2014 04:17:23 GMT
Age: 65868
Powered-By-VeryCDN: HIT from ctc-cq-1-2-c1111, HIT from utn-yz-1-1-c1131
Connection: keep-alive

<<< skipped >>>

GET /img5/flashlayer/533138d44ad23/ps.swf?v=3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cdn.51img3.com/game/upload_data/201403/201403181447095327ebeda78ee_1290.swf?v=3&s=7580
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.51img5.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/1.3.37.sa
Content-Type: application/x-shockwave-flash
Content-Length: 15920
Last-Modified: Tue, 25 Mar 2014 08:05:40 GMT
Accept-Ranges: bytes
Cache-Control: max-age=86400
Date: Sun, 03 Aug 2014 06:04:46 GMT
Age: 83756
Powered-By-VeryCDN: HIT from ctc-cq-1-2-c1111, HIT from utn-yz-1-1-c1131
Connection: keep-alive

<<< skipped >>>

GET /acpa/webgame/cy.html?from=tgly_14516 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: tg.51.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=f1ab7affcb84a997a4928d8059db9970; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|||; path=/; domain=51.com
Set-Cookie: FO_TUID=SoliXY; path=/; domain=51.com
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|MjAxMDEwMQ==|fHx8|; path=/; domain=51.com
Set-Cookie: wtids20140803=6nmu; expires=Mon, 04-Aug-2014 12:41:30 GMT; path=/; domain=tg.51.com
Set-Cookie: foru=140706969015sBzNAc||game; path=/; domain=.51.com
Content-Encoding: gzip

<<< skipped >>>

GET /stat/pv_stat/?p_k=tst_6nmu_tgly_14516&r=0.22328514849634517 HTTP/1.1
Accept: */*
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tg.51.com
Connection: Keep-Alive
Cookie: PHPSESSID=f1ab7affcb84a997a4928d8059db9970; wtids20140803=6nmu; FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|MjAxMDEwMQ==|fHx8|; FO_TUID=SoliXY; foru=140706969015sBzNAc||game


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Sun, 03 Aug 2014 12:41:34 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
36............ )..)I......&..f5F&.5....5&.5&&f&5.....s&.....0..
....



GET /tools/js_flow_cookie/?channel_alias=tgly_14516&r=0.14722984178657245 HTTP/1.1
Accept: */*
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tg.51.com
Connection: Keep-Alive
Cookie: PHPSESSID=f1ab7affcb84a997a4928d8059db9970; wtids20140803=6nmu; FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|MjAxMDEwMQ==|fHx8|; FO_TUID=SoliXY; foru=140706969015sBzNAc||game; _51usi=Ky2y3G


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Sun, 03 Aug 2014 12:41:38 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: wt_ch_flow=tgly; expires=Mon, 04-Aug-2014 18:41:38 GMT; path=/; domain=51.com
Content-Encoding: gzip
14........................0......



GET /stat/pv_stat/?p_k=swf1_6nmu_tgly_14516&r=0.40592882574853384 HTTP/1.1
Accept: */*
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tg.51.com
Connection: Keep-Alive
Cookie: PHPSESSID=f1ab7affcb84a997a4928d8059db9970; wtids20140803=6nmu; FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|MjAxMDEwMQ==|fHx8|; FO_TUID=SoliXY; foru=140706969015sBzNAc||game; _51usi=Ky2y3G; wt_ch_flow=tgly


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Sun, 03 Aug 2014 12:41:42 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
37............ .O3.)I......&..f5F&.5....5&.5&&f&5..<..}'.....0..


GET /act/51wt/html/wtcookie/?r=0.3066260606754981 HTTP/1.1
Accept: */*
Referer: hXXp://tg.51.com/acpa/webgame/cy.html?from=tgly_14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: game.51.com
Connection: Keep-Alive
Cookie: FO_RFLP=|aHR0cDovL3RnLjUxLmNvbS9hY3BhL3dlYmdhbWUvY3kuaHRtbD9mcm9tPXRnbHlfMTQ1MTY=|MjAxMDEwMQ==|fHx8|; FO_TUID=SoliXY; foru=140706969015sBzNAc||game


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Sun, 03 Aug 2014 12:41:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=50c9a0d9b5114fe4f334f8a56f01c25f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _51usi=Ky2y3G; path=/; domain=51.com
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: poup_c=-1; expires=Mon, 04-Aug-2014 12:41:36 GMT; path=/; domain=game.51.com
Content-Encoding: gzip
14........................0..


GET /AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E7136586F99B9B7E73C90B1A205C1D7CF&Url=&referer=http://VVV.cfmogu.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.okm918.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1961|1935


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1961|1935; expires=Sun, 03-Aug-2014 15:41:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:07 GMT
Content-Length: 372



GET /AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E5E719A5E196287AC9BA5124B5F8B91F6&Url=&referer=http://VVV.cfmogu.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.okm918.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1961


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1961; expires=Sun, 03-Aug-2014 15:41:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:07 GMT
Content-Length: 372


GET /stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=126137642 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs9.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1DE2C6588D895ED19185E61A613F19D3F8F76CC11C543A6715&referer=http://VVV.cfmogu.com/&utz=1407051797498 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.okm918.com
Connection: Keep-Alive
Cookie: UnionADShowTG=1961|1983


HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: hXXp://tg.wohai.com/download/download!todownload22.action?sid=14516
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: UnionADShowTG=1961|1983|2080; expires=Sun, 03-Aug-2014 15:41:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:11 GMT
Content-Length: 184
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://tg.wo
hai.com/download/download!todownload22.action?sid=14516">here</a
>.</h2>..</body></html>....


GET /app.gif?&cna= RtlDGPZslwCAbhrJiZ/6hAT HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pcookie.cnzz.com
Connection: Keep-Alive
Cookie: cna= RtlDGPZslwCAbhrJiZ/6hAT


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:32 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna= RtlDGPZslwCAbhrJiZ/6hAT; expires=Wed, 31-Jul-24 12:41:32 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;....



GET /app.gif?&cna= htlDAz/8x8CAbhrJiaB4iAr HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pcookie.cnzz.com
Connection: Keep-Alive
Cookie: cna= htlDAz/8x8CAbhrJiaB4iAr


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:32 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna= htlDAz/8x8CAbhrJiaB4iAr; expires=Wed, 31-Jul-24 12:41:32 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /registe/embed/fast_reg.jsp?source=xx_site&cssurl=f1e80feafceca9e68264b5bb06ad1e7d6382bea4956b5cf7d3407bc6665d6e5756eb68df5217a1ae&jsurl=f1e80feafceca9e68264b5bb06ad1e7d73f5939c49635bc5704967d1d992469c16fa151123af164b&returntype=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: reg.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 03 Aug 2014 12:41:34 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=BF6A9BD12158C5010FEB90F36BE4D565.reg6jvm; Path=/registe
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ref_lvs=636165323962326530373266f7107beb7b; Path=/
Content-Encoding: gzip
Set-Cookie: NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094;expires=Sun, 03-Aug-2014 12:51:54 GMT;path=/;httponly

<<< skipped >>>

GET /registe/script/jquery.js HTTP/1.1
Accept: */*
Referer: hXXp://reg.ztgame.com/registe/embed/fast_reg.jsp?source=xx_site&cssurl=f1e80feafceca9e68264b5bb06ad1e7d6382bea4956b5cf7d3407bc6665d6e5756eb68df5217a1ae&jsurl=f1e80feafceca9e68264b5bb06ad1e7d73f5939c49635bc5704967d1d992469c16fa151123af164b&returntype=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: reg.ztgame.com
Connection: Keep-Alive
Cookie: JSESSIONID=BF6A9BD12158C5010FEB90F36BE4D565.reg6jvm; uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"; ref_lvs=636165323962326530373266f7107beb7b; NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 03 Aug 2014 12:41:34 GMT
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Wed, 03 Apr 2013 04:44:46 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Sun, 03 Aug 2014 13:41:34 GMT
Cache-Control: max-age=3600
Content-Encoding: gzip
Set-Cookie: NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094;expires=Sun, 03-Aug-2014 12:51:55 GMT;path=/;httponly

<<< skipped >>>

GET /registe/embed/fast_reg.jsp?source=xx_site&cssurl=f1e80feafceca9e68264b5bb06ad1e7d6382bea4956b5cf7d3407bc6665d6e5756eb68df5217a1ae&jsurl=f1e80feafceca9e68264b5bb06ad1e7d73f5939c49635bc5704967d1d992469c16fa151123af164b&returntype=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://xx.ztgame.com/index.html?ad=314238
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: reg.ztgame.com
Connection: Keep-Alive
Cookie: JSESSIONID=BF6A9BD12158C5010FEB90F36BE4D565.reg6jvm; uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"; ref_lvs=636165323962326530373266f7107beb7b; NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 03 Aug 2014 12:41:37 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ref_lvs=393330343331623034393361203c97c7ad; Path=/
Content-Encoding: gzip
Set-Cookie: NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094;expires=Sun, 03-Aug-2014 12:51:57 GMT;path=/;httponly

<<< skipped >>>

GET /registe/script/jquery.js HTTP/1.1
Accept: */*
Referer: hXXp://reg.ztgame.com/registe/embed/fast_reg.jsp?source=xx_site&cssurl=f1e80feafceca9e68264b5bb06ad1e7d6382bea4956b5cf7d3407bc6665d6e5756eb68df5217a1ae&jsurl=f1e80feafceca9e68264b5bb06ad1e7d73f5939c49635bc5704967d1d992469c16fa151123af164b&returntype=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 03 Apr 2013 04:44:46 GMT; length=57254
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: reg.ztgame.com
Connection: Keep-Alive
Cookie: JSESSIONID=BF6A9BD12158C5010FEB90F36BE4D565.reg6jvm; uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"; ref_lvs=393330343331623034393361203c97c7ad; NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094


HTTP/1.1 304 Not Modified
Server: nginx
Date: Sun, 03 Aug 2014 12:41:37 GMT
Last-Modified: Wed, 03 Apr 2013 04:44:46 GMT
Connection: keep-alive
Expires: Sun, 03 Aug 2014 13:41:37 GMT
Cache-Control: max-age=3600
Set-Cookie: NSC_auhbnf_sfh=ffffffffaf167b4345525d5f4f58455e445a4a427094;expires=Sun, 03-Aug-2014 12:51:58 GMT;path=/;httponly


GET /event/promimg/?src=pming393 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: v.6.cn




<<< skipped >>>

GET /index.html?ad=314238 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 12:39:24 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Sun, 03 Aug 2014 13:39:24 GMT
Content-Type: text/html
X-Cache: MISS from CTS-GD-248-14.fastcdn.com
Age: 128
Content-Length: 6068
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /images/v8/s_index/banner/2.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xx.ztgame.com/index.html?ad=457980
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xx.ztgame.com
Connection: Keep-Alive
Cookie: uniqid=1408032041277004455529; ref=314238; date=2014-08-03 20:41:27; ref_date=2014-08-03 20:41:27; ref_ip="%local server IP%"


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 2084980
Date: Sun, 03 Aug 2014 12:03:41 GMT
Content-Type: image/jpeg
Expires: Sun, 03 Aug 2014 13:03:41 GMT
Last-Modified: Fri, 13 Jun 2014 11:49:23 GMT
ETag: "14b8104-1fd074-4fbb644c196c0"
Cache-Control: max-age=3600
X-Cache: HIT from CTS-GD-212-39.fastcdn.com
F-In-Cache: father-in-cache
Age: 2273
X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

<<< skipped >>>

GET /js/LAB_0.1.js HTTP/1.1
Accept: */*
Referer: hXXp://v.6.cn/event/promimg/?src=pming393
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vj0.6rooms.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Tue, 02 Sep 2014 04:14:19 GMT
Date: Sun, 03 Aug 2014 04:14:19 GMT
Server: ngx_openresty
Content-Type: application/x-javascript
Content-Length: 2787
Last-Modified: Tue, 01 Jul 2014 23:47:32 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 46
Age: 1
X-Via: 1.1 bjzw89:80 (Cdn Cache Server V2.0), 1.1 yfdx33:0 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /img/spreads/0709body_bg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://tg.wohai.com/download/download!todownload22.action?sid=14516
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: file.wohai.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 12:41:40 GMT
Content-Type: image/jpeg
Content-Length: 127839
Connection: keep-alive
Server: Apache
Last-Modified: Tue, 08 Jul 2014 10:00:04 GMT
Expires: Sun, 24 Aug 2014 12:41:23 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes
Age: 14
Via: http/1.1 fj.fz.cuc02_104_53.goocdn.com (fj.fz.cuc02_104_53.goocdn.com [cHs f ])

<<< skipped >>>

GET /9.gif?abc=1&rnd=811241341 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
Cookie: atpsida=48b7cf80f0c0e3f1d00905e0_1407069689; cna= RtlDGPZslwCAbhrJiZ/6hAT


HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: sca=894db8c9; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=48b7cf80f0c0e3f1d00905e0_1407069690; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna= RtlDGPZslwCAbhrJiZ/6hAT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;....



GET /9.gif?abc=1&rnd=601757883 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
Cookie: atpsida=4e493c8fe13472f8484bb0c3_1407069690; sca=a638eb00; cna= htlDAz/8x8CAbhrJiaB4iAr


HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: atpsida=4e493c8fe13472f8484bb0c3_1407069690; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna= htlDAz/8x8CAbhrJiaB4iAr
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /app.gif?&cna= RtlDGPZslwCAbhrJiZ/6hAT HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna= RtlDGPZslwCAbhrJiZ/6hAT; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /9.gif?abc=1&rnd=1222734529 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna= htlDAz/8x8CAbhrJiaB4iAr; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=a638eb00; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=4e493c8fe13472f8484bb0c3_1407069690; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna= htlDAz/8x8CAbhrJiaB4iAr
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;....



GET /9.gif?abc=1&rnd=913325146 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
Cookie: atpsida=4e493c8fe13472f8484bb0c3_1407069690; sca=a638eb00; cna= htlDAz/8x8CAbhrJiaB4iAr


HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: atpsida=4e493c8fe13472f8484bb0c3_1407069690; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna= htlDAz/8x8CAbhrJiaB4iAr
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /app.gif?&cna= htlDAz/8x8CAbhrJiaB4iAr HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:30 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna= htlDAz/8x8CAbhrJiaB4iAr; expires=Wed, 31-Jul-24 12:41:30 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;....



GET /app.gif?&cna= htlDAz/8x8CAbhrJiaB4iAr HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pcookie.cnzz.com
Connection: Keep-Alive
Cookie: cna= RtlDGPZslwCAbhrJiZ/6hAT


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 03 Aug 2014 12:41:32 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna= htlDAz/8x8CAbhrJiaB4iAr; expires=Wed, 31-Jul-24 12:41:32 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /img5/flashlayer/533138d44ad23/1.swf?v=3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cdn.51img3.com/game/upload_data/201403/201403181447095327ebeda78ee_1290.swf?v=3&s=7580
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.51img5.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.66
Content-Type: application/x-shockwave-flash
Content-Length: 16588
Last-Modified: Tue, 25 Mar 2014 08:05:40 GMT
Accept-Ranges: bytes
Cache-Control: max-age=86400
Date: Sat, 02 Aug 2014 19:48:27 GMT
Age: 86301
Powered-By-VeryCDN: HIT from ctc-cq-1-2-c1111, HIT from utn-yz-1-1-c1131
Connection: keep-alive

<<< skipped >>>

GET /img5/flashlayer/533138d44ad23/3.swf?v=3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cdn.51img3.com/game/upload_data/201403/201403181447095327ebeda78ee_1290.swf?v=3&s=7580
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.51img5.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.66
Content-Type: application/x-shockwave-flash
Content-Length: 40091
Last-Modified: Tue, 25 Mar 2014 08:05:40 GMT
Accept-Ranges: bytes
Cache-Control: max-age=86400
Date: Sun, 03 Aug 2014 09:00:05 GMT
Age: 85600
Powered-By-VeryCDN: HIT from ctc-cq-1-2-c1111, HIT from utn-yz-1-1-c1131
Connection: keep-alive

<<< skipped >>>

GET /event/promimg/?src=pming393 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v.6.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 03 Aug 2014 12:47:36 GMT
Date: Sun, 03 Aug 2014 12:39:16 GMT
Server: ngx_openresty
Content-Type: text/html
Content-Length: 6010
Last-Modified: Sun, 03 Aug 2014 12:33:55 GMT
Cache-Control: max-age=500
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 2
Age: 139
X-Via: 1.1 bjzw90:88 (Cdn Cache Server V2.0), 1.1 yfdx32:6 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /xm/novoice-270-200.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 115.236.19.58
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 29 Oct 2013 07:09:30 GMT
Accept-Ranges: bytes
ETag: "ce58bd075d4ce1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:47 GMT
Content-Length: 49855

<<< skipped >>>

GET /xm/novoice-270-200.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 115.236.19.58
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 29 Oct 2013 07:09:30 GMT
Accept-Ranges: bytes
ETag: "ce58bd075d4ce1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:49 GMT
Content-Length: 49855

<<< skipped >>>

GET /xm/novoice-270-200.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 115.236.19.58
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 29 Oct 2013 07:09:30 GMT
Accept-Ranges: bytes
ETag: "ce58bd075d4ce1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:49 GMT
Content-Length: 49855

<<< skipped >>>

GET /showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A607F4996FA0E0A707E54CE47FAF93D97D66027B30FBBD49D53&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.tuigoo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Wed, 31 Jul 2013 15:22:38 GMT
Accept-Ranges: bytes
ETag: "0b345ca18ece1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:07 GMT
Content-Length: 2942

<<< skipped >>>

GET /event/promimg/?src=pming393 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v.6.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 03 Aug 2014 12:47:36 GMT
Date: Sun, 03 Aug 2014 12:39:16 GMT
Server: ngx_openresty
Content-Type: text/html
Content-Length: 6010
Last-Modified: Sun, 03 Aug 2014 12:33:55 GMT
Cache-Control: max-age=500
Content-Encoding: gzip
Accept-Ranges: bytes
X-HITS: 2
Age: 138
X-Via: 1.1 bjzw90:88 (Cdn Cache Server V2.0), 1.1 yfdx32:6 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /Ä¢¹½Í¼Æ¬.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cfmogu.com
Connection: Keep-Alive
Cookie: CNZZDATA4693566=cnzz_eid=402806039-1407069686-&ntime=1407069686


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:32 GMT

<<< skipped >>>

GET /Ä¢¹½Í¼Æ¬.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cfmogu.com
Connection: Keep-Alive
Cookie: CNZZDATA4693566=cnzz_eid=402806039-1407069686-&ntime=1407069686


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:33 GMT

<<< skipped >>>

GET /Ä¢¹½Í¼Æ¬.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cfmogu.com
Connection: Keep-Alive
Cookie: CNZZDATA4693566=cnzz_eid=402806039-1407069686-&ntime=1407069686


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:34 GMT

<<< skipped >>>

GET /1.htm HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.cfmogu.com
Cache-Control: no-cache
Cookie: CNZZDATA4693566=cnzz_eid=402806039-1407069686-&ntime=1407069686


HTTP/1.1 200 OK
Content-Length: 5
Content-Type: text/html
Last-Modified: Thu, 24 Jul 2014 09:37:35 GMT
Accept-Ranges: bytes
ETag: "a64dcbe622a7cf1:1d43e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:40 GMT
3.3.6..


GET /showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A607F4996FA0E0A707E3EDC15C0529F3E2BF0D5AD113A674B7B&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.tuigoo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Wed, 31 Jul 2013 15:22:38 GMT
Accept-Ranges: bytes
ETag: "0b345ca18ece1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:06 GMT
Content-Length: 2942

GET /showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A607F4996FA0E0A707E053448793B8BCB8181D9A3A313E01F3C&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.cfmogu.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.tuigoo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Wed, 31 Jul 2013 15:22:38 GMT
Accept-Ranges: bytes
ETag: "0b345ca18ece1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 12:41:07 GMT
Content-Length: 2942

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1856:

t$(SSh
~%UVW
u$SShe
kernel32.dll
winmm.dll
gdiplus.dll
user32.dll
shlwapi.dll
ole32.dll
GdiPlus.dll
gdi32.dll
EnumWindows
EnumChildWindows
GdipSetImageAttributesColorKeys
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
GdipSetPenLineJoin
GdipGetPenLineJoin
crossfire.exe
WY.hh<
WY.CE
%System%\drivers\etc\hosts
www.cfmogu.com
127.0.0.1 www.cfyuanji.com
127.0.0.1 www.cfyuanji.net
127.0.0.1 www.cfyuanji.cc
127.0.0.1 cfyuanji.com
127.0.0.1 cfyuanji.net
127.0.0.1 cfyuanji.cc
127.0.0.1 www.cfyalan.com
127.0.0.1 www.cfyalan.net
127.0.0.1 www.cfyalan.cc
127.0.0.1 yy.cfyalan.com
127.0.0.1 cc.cfyalan.com
127.0.0.1 cfyalan.com
127.0.0.1 cfyalan.net
127.0.0.1 cfyalan.cc
127.0.0.1 www.cftianyue.com
127.0.0.1 www.cftianyue.net
127.0.0.1 www.cftianyue.cc
127.0.0.1 cftianyue.com
127.0.0.1 cftianyue.net
127.0.0.1 cftianyue.cc
127.0.0.1 www.cfty.cc
127.0.0.1 cfty.cc
%System%\drivers\etc\
http://www.cfmogu.com/index.html
www.cfmogu.cc
http://www.cfmogu.com/1.htm
[email protected]
smtp.126.com
[email protected]
http://open.baidu.com/special/time/
window.baidu_time(
@Client.exe
\BugTrap.dll
.text
`.rdata
@.data
.rsrc
@.reloc
GetAsyncKeyState
?\lpk.dll0@
s %d. (0x%Xh
%fI64d
bB%U.a
a`y|'".nT
_d.vy'
}>.tex
.UPX0
KERNEL32.DLL
MSVCRT.dll
USER32.dll
lpk.dll
%WinDir%\
[email protected] YY201480
www.cfmogu.com YY201480
d3d9.dll
Mushroomaux experience served (1) Data V3.3.0
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegDeleteKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
WSOCK32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
dll_1.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
#include "l.chs\afxres.rc" // Standard components
message.txt
MAPI32.DLL
PSAPI.DLL
IMPORTANT
d/d/d d:d:d
%s.bmp
%s%d.bmp
FLT_INVALID_OPERATION
FLT_DENORMAL_OPERAND
EAX=X EBX=X ECX=X EDX=X
ESI=X EDI=X FLG=X
EBP=X ESP=X EIP=X
CS=X DS=X SS=X ES=X FS=X GS=X
Windows NT 3.51
Windows 95
Windows NT 4.0
Windows 98
Windows Me
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
OS Version: %s %s
Build Number: %s
%s_ddd-ddd.%s
error_report
line %s
line %s %s byte(s)
%s() %s byte(s)
cmdline
usermsg
report
This %s was automatically generated
by BugTrap for Win32-x86 on %s
error report
Operating System:
crashdump.dmp
errorlog.%s
UxTheme.dll
reports
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\ProductName
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
x,
hex(x):
dword:x
; Error: cannot open registry key [
Windows Registry Editor Version 5.00
BT01Error Report
"%s" Error Report
wininet.dll
BugTrap-1.3.3661.37713.dmp
DBGHELP.DLL
--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184--
Content-Type: multipart/form-data; boundary=BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184
--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184
Content-Disposition: form-data; name="reportData"; filename="report.dat"
Content-Disposition: form-data; name="reportFileExtension"
http://
%s\TEMP%lu
Unuspported URL scheme
Invalid URL
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
d:\1.
_ERS\BugTrapSrc\BugTrap\Win32\Bin\BugTrap.pdb
PathCreateFromUrlA
UrlIsA
PathIsURLA
HttpEndRequestA
HttpSendRequestExA
HttpOpenRequestA
InternetCrackUrlA
GetConsoleOutputCP
RegEnumKeyExA
BugTrap.dll
BT_ExportRegistryKey
BT_GetReportFilePath
BT_GetReportFormat
BT_GetSupportEMail
BT_GetSupportHost
BT_GetSupportPort
BT_GetSupportURL
BT_SetReportFilePath
BT_SetReportFormat
BT_SetSupportEMail
BT_SetSupportHost
BT_SetSupportPort
BT_SetSupportServer
BT_SetSupportURL
check.avi Video #1
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
[email protected]
.data
{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}
m%DzS3
CmdQv
Dh.pHu
3.3.0
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HELO %s
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
(*.htm;*.html)|*.htm;*.html
www.dywt.com.cn
.PAVCOleException@@
.PAVCOleDispatchException@@
3.3.6
c:\%original file name%.exe
GetWindowsDirectoryA
RegCreateKeyA
oledlg.dll
InternetCanonicalizeUrlA
HttpSendRequestA
HttpQueryInfoA
(*.*)
mscoree.dll
Um den entwicklungsprozess zu unterst?zen wird dieses programm alle n?igen informationen ?er den absturz sammeln. Diese daten k?nen dann an den produktsupport ?ertragen, oder gespeichert werden.
Produktsupport:
To help the development process, this program will try and gather the information about the crash, and the state of your machine at the time of the crash. This data can then be submitted to product support or saved to a file.
Product support site:
http://www.intellesoft.net
BugTrap - software error reporting tool
Operating System
Vorschau der Reportdateien
Preview Report Files
Report senden...
Sending error report
Vorschau der reportdateien.,Fehlerinformationen in eine datei speichern. Eine email an den produktsupport versenden.EEinen automatisch generierten report an den produktsupport versenden..Informationen ?er das betriebssystem anzeigen.6Alle laufenden prozesse und geladenen module anzeigen.
BugTrap"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.
Neowiz Games"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.
Fehlerbericht fertig.7Fehler: konnte den report nicht an den server versenden
Error report complete.,Error: can't send error report to the server
Bild einpassen
1.3.3661.37713

iexplore.exe_1252:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU9ALEH.htm (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGBKRY7.htm (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (372 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (619 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (6789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (19376 bytes)
    %System%\drivers\etc\hosts (1 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic1[1].gif (428 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (247 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (15394 bytes)
    %Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (668 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (7697 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (619 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (247 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA5X76IW.htm (976 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
