Gen.Variant.Symmi.46681_6205e49035

by malwarelabrobot on October 24th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.46681 (B) (Emsisoft), Gen:Variant.Symmi.46681 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6205e490358ccd613d6833c2967cf5f3
SHA1: e477623a1bb746ba244207e7e88baa7dbe531102
SHA256: 5d29b48a2081dd7f2a2fb78ffb59cdbf0edf75e5db89d307c89b96162a31e4f4
SSDeep: 12288:zj8mtkFUHcLmxSl7nYbfxcNpkLdon hRNyONDQKRORYBQwlwK70pF:3IWHcL0knYrxAQdLPyGDQKkCQwlwvb
Size: 1468980 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-09-14 14:00:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

RunDll32.exe:1280
RunDll32.exe:1900

The Trojan injects its code into the following process(es):

%original file name%.exe:1736

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):


Registry activity

The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1410692433"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 EA FF EB 37 A6 9B DA 97 B9 48 AE 87 A9 BA 0C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies the IE security zone settings so that all local web nodes with no dots in their names, which do not refer to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

"ProxyServer"

"AutoConfigURL"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cfire"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cfire"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cfiremaster"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cfiremaster"

The process RunDll32.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 7E DC 20 88 D0 4E 62 13 1D 36 8D 88 8D A2 4C"

The process RunDll32.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 9E 6C C4 72 A0 30 03 B6 BB 27 72 13 06 C1 76"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS entries to IP addresses.
The modified file is 533 bytes in size. The following strings are added to the hosts file:

9.9.9.9 mobily.pw
9.9.9.9 patron.tweethashcount.com
9.9.9.9 track.ttswebdesign.com
9.9.9.9 grizzl.thewell-beingcompany.com
9.9.9.9 rdp.thewalkinginstitute.com
9.9.9.9 welcome.thesplitscreenphotobooth.com
9.9.9.9 hello.thesplitscreenphotobooth.com
9.9.9.9 welcome.thecraftbarnwales.com
9.9.9.9 hello.sylvanstructures.com
9.9.9.9 remote.sylvanstructures.com
9.9.9.9 wuah.chekc.co.vu
9.9.9.9 canmacar.com
9.9.9.9 www.canmacar.com
9.9.9.9 phaelixe.com
9.9.9.9 nitrous.cf
9.9.9.9 godlikeweapon.pw


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: MS
Product Name: Project1
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: fapcfok.exe
Internal Name: fapcfok
File Version: 1.00
File Description:
Comments:
Language: English (United States)

PE Sections

Name      Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
(blank)   4096              916240         61440      5.41695   70a4d1633d8191a6a9cc336b5d7c8bf2
(blank)   921600            8712           4096       5.54494   9472719f5bfed4c3ff9b09e9c068a092
.rsrc     933888            1385576        1388544    5.54484   5c1ad279f6ccfafcf9a6c53e80d725e4
(blank)   2322432           81920          10804      5.50418   9b4dce047a133b554176b842632fe78c


URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /0/c1/tp9hEQr5hrgBvINUGEeiKEgnSnwlDzIL-Yn8zEWJ49RxeBS-A5ooWqCTeCN3d_tWDVxHcRaZkoi-Ef4UQE2PcLzneOJtPdeaMl4orym2gf G9bS KiDxA45i4eY_teMFdkHPieC4sMtrDPadRyc3YaXPz4iAg27YY6e4cHH2oeRJLRTEu28sUftx5_tvmv60OcTbtUI3UYHHti78s4usDvwV31QgM9XMSIz26lbX0o7xe884pGn4LIv_tWz3VS03OOkLc7ytB0n1v -ebZLZHsCGTIE8ZYsZSisZkh8DSJ1zSPsMvlhXm_X-aIBzSY3qnHus4cyEl0gpRJgjHM77fcA_A_.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: awaps.yandex.ua
Connection: Keep-Alive
Cookie: Session_id=noauth:1414065795; yandexuid=5337164561414065795


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Oct 2014 12:03:24 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 52648
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate, max-age=5
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Accept-Ranges: bytes

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yandex.ru
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 23 Oct 2014 12:03:14 GMT
Location: hXXp://VVV.yandex.ru/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html; charset=iso-8859-1
Content-Length: 183


GET /2.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.red-hack.ru
Connection: Keep-Alive


HTTP/1.1 200 OK
Set-Cookie: xxlplanBAK=R3174120206; path=/; expires=Thu, 23-Oct-2014 13:15:50 GMT
Date: Thu, 23 Oct 2014 12:03:25 GMT
Content-Type: text/html
Content-Length: 571
Connection: keep-alive
Set-Cookie: xxlplan=R1719519349; path=/; expires=Thu, 23-Oct-2014 13:11:17 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip

GET /svn/trunk/anti.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: cfpro00007.googlecode.com


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:14 GMT
Server: Apache
Last-Modified: Sun, 07 Sep 2014 02:56:18 GMT
ETag: "35//trunk/anti.php"
Accept-Ranges: bytes
Expires: Thu, 23 Oct 2014 12:06:14 GMT
Cache-Control: public, max-age=180
Content-Length: 533
Content-Type: text/plain
Alternate-Protocol: 80:quic,p=0.01

<<< skipped >>>

GET /V13b**b177413d15bebe1720fe1ce072d4a689**yandex_ru/ru/CP1251/tmsec=yandex_main/0 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tns-counter.ru
Connection: Keep-Alive
Cookie: guid=2BD0670A5448EE8CX1414065804


HTTP/1.1 200 OK
Server: tns-counter-0.5.6/1.2.7
Date: Thu, 23 Oct 2014 12:03:25 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-cache=Set-Cookie, max-age=0, proxy-revalidate


GET /?retpath=http://VVV.yandex.ua HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pass.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 23 Oct 2014 12:03:15 GMT
Transfer-Encoding: chunked
Connection: close
P3P: policyref="hXXp://pass.yandex.ru/w3c/p3p.xml", CP="NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
Location: hXXp://pass.yandex.ua/?retpath=http://VVV.yandex.ua&session_info=noauth:1414065795.sah^FFFFFFFF.yandexuid^5337164561414065795.yandex_ua:85403.369128.f20677761d4d045c21725e708c1de9b2
Set-Cookie: M__yandex_ua=1414065795/0; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: no-cache, private, no-cache, no-store, must-revalidate, max-age=0


GET /fu HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: kiks.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795


HTTP/1.1 302 Found
Date: Thu, 23 Oct 2014 12:03:24 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Set-Cookie: fuid01=5448ee8c1ea485b9.dFo_ScI9DoaQeWzT8IY25bUs1eX6P5yct36yBy0tA71B9oXGZsXCqqG6ANDbR2Hl9uafsf34d0Iz9yVtVtybBdqgG_2JlGNIO_JvADxmPOQVnkjUeU60pPfWzxBrq5cc; domain=.yandex.ru; path=/; expires=Thu, 23 May 2024 12:03:24 GMT
Location: hXXp://kiks.yandex.ru/system/fc07.swf
Content-Length: 0



GET /system/fc07.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: kiks.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795; fuid01=5448ee8c1ea485b9.dFo_ScI9DoaQeWzT8IY25bUs1eX6P5yct36yBy0tA71B9oXGZsXCqqG6ANDbR2Hl9uafsf34d0Iz9yVtVtybBdqgG_2JlGNIO_JvADxmPOQVnkjUeU60pPfWzxBrq5cc


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:24 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Tue, 29 Nov 2011 12:40:22 GMT
Content-Type: application/x-shockwave-flash
Expires: Thu, 30 Oct 2014 12:03:24 GMT
Content-Length: 1633

<<< skipped >>>

GET /system/fc07_2.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: kiks.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795; fuid01=5448ee8c1ea485b9.dFo_ScI9DoaQeWzT8IY25bUs1eX6P5yct36yBy0tA71B9oXGZsXCqqG6ANDbR2Hl9uafsf34d0Iz9yVtVtybBdqgG_2JlGNIO_JvADxmPOQVnkjUeU60pPfWzxBrq5cc


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:24 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Tue, 29 Jul 2014 14:24:01 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 30 Oct 2014 12:03:24 GMT
Content-Length: 1510

<<< skipped >>>

GET /click/dtype=stred/pid=132/cid=72323/* HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: clck.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795; fuid01=5448ee8c1ea485b9.dFo_ScI9DoaQeWzT8IY25bUs1eX6P5yct36yBy0tA71B9oXGZsXCqqG6ANDbR2Hl9uafsf34d0Iz9yVtVtybBdqgG_2JlGNIO_JvADxmPOQVnkjUeU60pPfWzxBrq5cc


HTTP/1.1 200 Ok
Content-Type: image/gif
Cache-Control: no-cache
Content-Length: 43


GET /V13a**b177413d15bebe1720fe1ce072d4a689**yandex_ru/ru/CP1251/tmsec=yandex_main/0 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tns-counter.ru
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: tns-counter-0.5.6/1.2.7
Date: Thu, 23 Oct 2014 12:03:24 GMT
Content-Type: image/gif
Content-Length: 0
Location: hXXp://VVV.tns-counter.ru/V13b**b177413d15bebe1720fe1ce072d4a689**yandex_ru/ru/CP1251/tmsec=yandex_main/0
Connection: close
Set-Cookie: guid=2BD0670A5448EE8CX1414065804; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.tns-counter.ru; path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-cache=Set-Cookie, max-age=0, proxy-revalidate


GET /www/2.115/rapido/pages/big/_big.ie.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:17 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 22 Oct 2014 12:16:57 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /www/2.115/rapido/pages/big/_big.ie6.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:17 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 22 Oct 2014 12:16:57 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /lego/_/La6qi18Z8LwgnZdsAr1qy1GwCwo.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:18 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
Last-Modified: Thu, 09 Oct 2014 15:38:49 GMT
ETag: "5436ac09-2b"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /jquery/1.8.3/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:18 GMT
Content-Type: application/x-javascript
Content-Length: 32275
Connection: keep-alive
Last-Modified: Tue, 01 Jul 2014 14:12:14 GMT
ETag: "53b2c1be-7e13"
Content-Encoding: gzip
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /www/2.115/rapido/pages/big/_big.uk.templates.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:19 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 22 Oct 2014 12:16:57 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /www/_/2/4/Htc4rFwBo9MiiLtTJ52VfJFHA.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 3440
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-d70"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /www/_/m/R/fUi1MQ-aKai27PBlsS3FoeCh8.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 1015
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-3f7"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/U/E/i_5cY2K41gNjDw-NvobBPpiw0.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 338
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-152"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/h/a/YJoTPXQ4lyvFxy-YA21NYfeuE.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 438
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-1b6"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/F/8/XZLHgNwOWBTV7ks9l0LIq69q4.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 239
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-ef"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/u/f/_ID4xq1duIV8d1zGVIkfTeLlQ.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 671
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-29f"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/m/z/Is8JnxA2G2XZ-WZ2Xde_bMhVU.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 429
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-1ad"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/E/m/QY6oXmIXtWtWLJK6JwzZJpQAk.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 268
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-10c"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/6/x/pwwDoBiDac4NZYxGN-R4wD6PA.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 384
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-180"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /social/current/sprites/ico-16.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 4595
Connection: keep-alive
Last-Modified: Mon, 24 Sep 2012 13:54:33 GMT
ETag: "50606619-11f3"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /count/CAqUTXJ6gTy40002gP0088wrw8v41L6L0fi4Qbg8iSa32mUcXGcAjHU3XW6g0gMM66IGe1y2tf6yq4ba1fE32K6k-XfVLelP5GO5iG6xy-Wuxa6k5g44lj790miN061x2W00 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yabs.yandex.ua
Connection: Keep-Alive
Cookie: Session_id=noauth:1414065795; yandexuid=5337164561414065795


HTTP/1.1 302 Found
Date: Thu, 23 Oct 2014 12:03:18 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Thu, 23 Oct 2014 12:03:18 GMT
Expires: Thu, 23 Oct 2014 12:03:18 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: hXXp://yabs.yandex.ua/resource/L9oVwoGR96dEDhTKmwv9mQ.png
Content-Length: 0



GET /resource/L9oVwoGR96dEDhTKmwv9mQ.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yabs.yandex.ua
Connection: Keep-Alive
Cookie: Session_id=noauth:1414065795; yandexuid=5337164561414065795


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:18 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Fri, 17 Oct 2014 08:51:08 GMT
Content-Type: image/png
Expires: Thu, 08 Oct 2015 12:03:18 GMT
Content-Length: 7114

<<< skipped >>>

GET /count/CAqUTaYUBO440000ZhNeZaG5KP6yq4ba1fE32Qxw6bzMYzaL1WMxy-Wuxa6k5g44V0G0=MRlc0fK2cmHgMegr5uE60QMM66I8iSa32mUcXGcGe1y2th41lj790miN061u1G00?wmode=0 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yabs.yandex.ua
Connection: Keep-Alive
Cookie: Session_id=noauth:1414065795; yandexuid=5337164561414065795


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:23 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Thu, 23 Oct 2014 12:03:23 GMT
Expires: Thu, 23 Oct 2014 12:03:23 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: image/gif
Set-Cookie: yabs-frequency=/4/0000000000000000/aJomS70R8G00/; domain=.yandex.ua; path=/; expires=Sat, 31-Jan-2015 12:03:23 GMT
Content-Length: 43


GET /metrika/watch.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mc.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:23 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Wed, 22 Oct 2014 08:44:04 GMT
Content-Type: application/x-javascript
Expires: Thu, 23 Oct 2014 13:03:23 GMT
Content-Length: 57533

<<< skipped >>>

GET /watch/722545?wmode=5&callback=_ymjsp758632273&page-url=http://VVV.yandex.ua/?ncrnd=966&ut=noindex&browser-info=j:1:s:1276x846x32:f:11.6.602.168:fpr:216613626101:w:773x409:z:180:i:20141023150328:et:1414065809:en:utf-8:v:580:c:1:jv:5.7:la:en-us:rn:1019842152:hid:649985213:st:1414065809:t:Яндекс HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mc.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795


HTTP/1.1 302 Found
Date: Thu, 23 Oct 2014 12:03:23 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Thu, 23 Oct 2014 12:03:23 GMT
Expires: Thu, 23 Oct 2014 12:03:23 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: hXXp://mc.yandex.ru/watch/722545/1?wmode=5&callback=_ymjsp758632273&page-url=http://VVV.yandex.ua/?ncrnd=966&ut=noindex&browser-info=j:1:s:1276x846x32:f:11.6.602.168:fpr:216613626101:w:773x409:z:180:i:20141023150328:et:1414065809:en:utf-8:v:580:c:1:jv:5.7:la:en-us:rn:1019842152:hid:649985213:st:1414065809:t:Яндекс
Set-Cookie: yabs-sid=975899981414065803; path=/
Content-Length: 0

<<< skipped >>>

GET /watch/722545/1?wmode=5&callback=_ymjsp758632273&page-url=http://VVV.yandex.ua/?ncrnd=966&ut=noindex&browser-info=j:1:s:1276x846x32:f:11.6.602.168:fpr:216613626101:w:773x409:z:180:i:20141023150328:et:1414065809:en:utf-8:v:580:c:1:jv:5.7:la:en-us:rn:1019842152:hid:649985213:st:1414065809:t:Яндекс HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mc.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=5337164561414065795; yabs-sid=975899981414065803


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:23 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Thu, 23 Oct 2014 12:03:23 GMT
Expires: Thu, 23 Oct 2014 12:03:23 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: application/javascript
X-Content-Type-Options: nosniff
Content-Length: 75
/**/_ymjsp758632273({webvisor:{date:"2013-11-11 15:23:25",recp:"0.00010"}})


GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.yandex.ru
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: nginx
Date: Thu, 23 Oct 2014 12:03:15 GMT
Content-Length: 0
Connection: close
Cache-Control: no-cache,no-store,max-age=0,must-revalidate
Location: hXXp://pass.yandex.ru/?retpath=http://VVV.yandex.ua
Expires: Thu, 23 Oct 2014 12:03:15 GMT
Last-Modified: Thu, 23 Oct 2014 12:03:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
Set-Cookie: yandexuid=5337164561414065795; Expires=Sun, 20-Oct-2024 12:03:15 GMT; Domain=.yandex.ru; Path=/
X-XRDS-Location: hXXp://openid.yandex.ru/server_xrds/


GET /redot.gif?id=.FiadjwiP9UYHyKfnAdx9rR2Pw1yqHsEeo4qE539Jrb.d7 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yandexgaua.hit.gemius.pl
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Thu, 23 Oct 2014 12:03:24 GMT
Expires: Wed, 22 Oct 2014 12:03:24 GMT
Server: GHC
Accept-Ranges: none
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Set-Cookie: Gtest=KlS4HRGGQMQGCXopp1CFxsFIssGMXP8cFRgG; Domain=hit.gemius.pl; Path=/; Expires=Thu, 24 Jan 2019 00:00:00 GMT
P3P: CP="NOI DSP COR NID PSAo OUR IND"
Location: /__/redot.gif?id=.FiadjwiP9UYHyKfnAdx9rR2Pw1yqHsEeo4qE539Jrb.d7
Connection: keep-alive
Keep-Alive: timeout=2
Content-Length: 0



GET /__/redot.gif?id=.FiadjwiP9UYHyKfnAdx9rR2Pw1yqHsEeo4qE539Jrb.d7 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yandexgaua.hit.gemius.pl
Connection: Keep-Alive
Cookie: Gtest=KlS4HRGGQMQGCXopp1CFxsFIssGMXP8cFRgG


HTTP/1.1 200 OK
Date: Thu, 23 Oct 2014 12:03:24 GMT
Expires: Wed, 22 Oct 2014 12:03:24 GMT
Server: GHC
Accept-Ranges: none
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Set-Cookie: Gdyn=KlGHDRGGQMQGCXopp1CFxsFIssGMXP8cF86SssX6nsGfGHZNPb2xQjGowOx1G0F6Sssa; Domain=hit.gemius.pl; Path=/; Expires=Thu, 24 Jan 2019 00:00:00 GMT
P3P: CP="NOI DSP COR NID PSAo OUR IND"
Connection: keep-alive
Keep-Alive: timeout=2
Content-Type: image/gif
Content-Length: 43


GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: antiweb.zapto.org
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 23 Oct 2014 12:03:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hXXp://cfpro00007.googlecode.com/svn/trunk/anti.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /?ncrnd=966 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: Session_id=noauth:1414065795; yandexuid=5337164561414065795
Connection: Keep-Alive
Host: VVV.yandex.ua


HTTP/1.1 200 Ok
Server: nginx
Date: Thu, 23 Oct 2014 12:03:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache,no-store,max-age=0,must-revalidate
Expires: Thu, 23 Oct 2014 12:03:17 GMT
Last-Modified: Thu, 23 Oct 2014 12:03:17 GMT
P3P: policyref="/w3c/p3p.xml", CP="NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
X-Frame-Options: DENY
X-XRDS-Location: hXXp://openid.yandex.ru/server_xrds/
Content-Encoding: gzip

<<< skipped >>>

GET /www/2.115/rapido/pages/big/_big.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:17 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 22 Oct 2014 12:16:57 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /www/_/t/Y/UzbfvkemSS3OfjF86pijzhjIE.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:18 GMT
Content-Type: image/png
Content-Length: 388
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-184"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/R/6/B32OFZsVQcrxvnZgLKMmFmu3U.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:18 GMT
Content-Type: image/png
Content-Length: 184
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-b8"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /morda-logo/i/logo.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:18 GMT
Content-Type: image/png
Content-Length: 3729
Connection: keep-alive
Last-Modified: Wed, 15 Oct 2014 08:34:32 GMT
ETag: "543e3198-e91"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /weather/1.1.81/i/icons/30x30/skc_d.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:19 GMT
Content-Type: image/png
Content-Length: 585
Connection: keep-alive
Last-Modified: Tue, 13 Nov 2012 13:07:43 GMT
ETag: "50a2461f-249"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/U/N/2hG0eCPmwbgSzQzPLOTCeEZY8.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:19 GMT
Content-Type: image/png
Content-Length: 3631
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-e2f"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /www/2.115/rapido/pages/big/_big.icons.ie6.css HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 22 Oct 2014 12:16:57 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /www/_/U/l/sBzUHrzXNNmc65s2qEWEZfvtg.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 978
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-3d2"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/w/x/SYVqxrdCZZcZKF2eqSMa5ASsE.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 379
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-17b"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/X/9/kOSsbal6tC_C9WZL6M65ZfUfc.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 438
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-1b6"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/U/y/4wOHp7JmBIaRrlw2H2cx6WyBg.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 613
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-265"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/y/x/fYfY3206UtcGoRhtjWePt8s1s.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:21 GMT
Content-Type: image/png
Content-Length: 336
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-150"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/i/I/ALv6Jm_Bmg0ny1St-meLdGwtU.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 508
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-1fc"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/5/0/GMB2ZfLtSQVjHRbXRfaY3GIO0.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 475
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-1db"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/Y/Q/gF8niIgIQ0t6FKXZhJfMaZks.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 720
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-2d0"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /www/_/C/T/epPrmzlEkEFE6HHmLUbNzylAY.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 252
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-fc"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /lego/_/sj4YylGvYOLvKGaXOysZ1vn3AZA.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yandex.ua/?ncrnd=966
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:22 GMT
Content-Type: image/png
Content-Length: 1081
Connection: keep-alive
Last-Modified: Thu, 09 Oct 2014 15:38:39 GMT
ETag: "5436abff-439"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /www/_/S/E/bTH3x-WofUo09diZC73BQiQbg.png HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yastatic.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 23 Oct 2014 12:03:24 GMT
Content-Type: image/png
Content-Length: 3786
Connection: keep-alive
Last-Modified: Thu, 23 Oct 2014 11:20:53 GMT
ETag: "5448e495-eca"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /?retpath=http://VVV.yandex.ua&session_info=noauth:1414065795.sah^FFFFFFFF.yandexuid^5337164561414065795.yandex_ua:85403.369128.f20677761d4d045c21725e708c1de9b2 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pass.yandex.ua


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 23 Oct 2014 12:03:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
P3P: policyref="hXXp://pass.yandex.ru/w3c/p3p.xml", CP="NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
Location: hXXp://VVV.yandex.ua/?ncrnd=966
Set-Cookie: L=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: Session_id=noauth:1414065795; domain=.yandex.ua; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT; HttpOnly
Set-Cookie: YX_SEARCHPREFS=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: fyandex=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: my=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: yandex_gid=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: yandex_login=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: yandex_mail=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: yandexmarket=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: yandexuid=5337164561414065795; domain=.yandex.ua; path=/; expires=Wed, 23 Oct 2024 12:03:16 GMT
Set-Cookie: yp=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: ys=; domain=.yandex.ua; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: no-cache, private, no-cache, no-store, must-revalidate, max-age=0

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

RunDll32.exe_1280:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

RunDll32.exe_1900:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    RunDll32.exe:1280
    RunDll32.exe:1900

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\_big.ie6[1].css (1642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\fc07[1].swf (1633 bytes)
    %System%\drivers\etc\hosts.ics (535 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\Htc4rFwBo9MiiLtTJ52VfJFHA[1].png (1279 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\XZLHgNwOWBTV7ks9l0LIq69q4[1].png (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\2[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\SYVqxrdCZZcZKF2eqSMa5ASsE[1].png (379 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\_big.ie[2].css (563 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\L9oVwoGR96dEDhTKmwv9mQ[1].png (1463 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\gF8niIgIQ0t6FKXZhJfMaZks[1].png (720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\YJoTPXQ4lyvFxy-YA21NYfeuE[1].png (438 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\_big[1].css (12446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\fYfY3206UtcGoRhtjWePt8s1s[1].png (336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\_big.uk.templates[1].js (25994 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\i_5cY2K41gNjDw-NvobBPpiw0[1].png (338 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\_big.icons.ie6[1].css (411 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\4wOHp7JmBIaRrlw2H2cx6WyBg[1].png (613 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (202 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (8160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\_big[2].css (13715 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\Is8JnxA2G2XZ-WZ2Xde_bMhVU[1].png (429 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\bTH3x-WofUo09diZC73BQiQbg[1].png (1526 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\anti[1].php (533 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\jquery.min[2].js (12777 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\sj4YylGvYOLvKGaXOysZ1vn3AZA[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\_big.uk.templates[2].js (30469 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\ico-16[1].png (2051 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\sBzUHrzXNNmc65s2qEWEZfvtg[1].png (978 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\_big.ie6[2].css (777 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (467 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\logo[1].png (411 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\ALv6Jm_Bmg0ny1St-meLdGwtU[1].png (508 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\QY6oXmIXtWtWLJK6JwzZJpQAk[1].png (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\kOSsbal6tC_C9WZL6M65ZfUfc[1].png (438 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\_ID4xq1duIV8d1zGVIkfTeLlQ[1].png (671 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\ajax-loader[1].gif (3966 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\2hG0eCPmwbgSzQzPLOTCeEZY8[1].png (822 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\epPrmzlEkEFE6HHmLUbNzylAY[1].png (252 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\GMB2ZfLtSQVjHRbXRfaY3GIO0[1].png (475 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (3034 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\fc07_2[1].htm (1510 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\fUi1MQ-aKai27PBlsS3FoeCh8[1].png (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (2787 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\jquery.min[1].js (11431 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\_big.ie[1].css (1642 bytes)
    %Documents and Settings%\All Users\Desktop\МЕГАЧИТ11.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IMOOAFEK\watch[1].js (36122 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (2070 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\yandex[1].htm (1512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\B32OFZsVQcrxvnZgLKMmFmu3U[1].png (184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V250UGS4\_big.icons.ie6[2].css (651 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\skc_d[1].png (585 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2WRT9QD\pwwDoBiDac4NZYxGN-R4wD6PA[1].png (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\UzbfvkemSS3OfjF86pijzhjIE[1].png (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NLD600WS\La6qi18Z8LwgnZdsAr1qy1GwCwo[1].gif (43 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
