Sample_d1b6794992
GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d1b67949929ac3d4f6d50720a1759012
SHA1: 7ce80262d54193186f908206efbafa098ae740ee
SHA256: 517de8266b2bf936f5966b269df7050e5aa8e9dcd3aab47b1aa886acb5d2ae49
SSDeep: 98304:jahVFk1Pr3EnKInR1S/VEKY2jA0CqTDk4h7W 78I6/O3xYeSOwqDNgUxqS7w2nxc:wzktFyRUVEKY2juUNMt/O3bRB/dZ
Size: 6606311 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UnknownSFXArchiveIDSKA32, BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Worm creates the following process(es):
TPAutoConnSvc.exe:1776
flash.exe:1596
%original file name%.exe:1868
The Great Lake.exe:1188
regsvr32.exe:3680
wallpaper.exe:3756
is-GCI02.tmp:3728
The Worm injects its code into the following process(es):
swfplayer.exe:2352
swfplayer.exe:2312
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process flash.exe:1596 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\Flash9b.ocx (43265 bytes)
The process %original file name%.exe:1868 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-SFJRC.tmp\is-GCI02.tmp (1405 bytes)
The process The Great Lake.exe:1188 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\info.ini (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\flash.exe (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\product_preview (1523 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\sysinfo.exe (151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\splash (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\swfplayer.exe (1277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper_tray.ico (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\product (1523 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\product.ico (1764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\settings.jpg (980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.dll (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\empty (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\settings (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\enable_product_sound (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\text_en.ini (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\disable_product_sound (2 bytes)
C:\Windows\SysWOW64\Flash9b.ocx (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper_loader (549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.exe (196 bytes)
The process regsvr32.exe:3680 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\SysWOW64\Flash9b.ocx (146 bytes)
The process wallpaper.exe:3756 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.dll (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\swfplayer.exe (49 bytes)
The process is-GCI02.tmp:3728 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\Uninstall The Great Lake.lnk (2 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-G59LQ.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Desktop Membership.url (198 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\New Products.url (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QNRQU.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-UEHRE.tmp (6912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QNRQU.tmp\_isetup\_setup64.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Wallpaper The Great Lake.lnk (1 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.dat (2508 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\News Archive.url (171 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.exe (712 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-S9MP4.tmp (53570 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\Run The Great Lake.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\Desktop Membership.url (198 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\The Great Lake.exe (1018 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-J2JEG.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Site EleFun Desktops.url (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QNRQU.tmp\_isetup\_RegDLL.tmp (3 bytes)
Registry activity
The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"
[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
The process swfplayer.exe:2352 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\EleFun Multimedia\swfplayer\V1.0\Settings]
"crc" = "F0 F8 89 62 E7 83 A0 0E 28 20 20 0A DE C4 C5 46"
"Options" = "12 00 00 00 45 00 6C 00 65 00 66 00 75 00 6E 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
[HKCU\Software\EleFun Desktops\The Great Lake Wallpaper]
"language_index" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process swfplayer.exe:2312 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process The Great Lake.exe:1188 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\EleFun Desktops]
"SystemFolder" = "C:\Windows\system32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process regsvr32.exe:3680 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\Flash9b.ocx"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"
[HKCR\FlashProp.FlashProp.1]
"(Default)" = "FlashProp Class"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"
[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"
[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "33"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.9"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"
[HKCR\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\SysWow64\"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "28"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"
[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"
[HKCR\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\Flash9b.ocx"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\Flash9b.ocx"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\FlashProp.FlashProp.1\CLSID]
"(Default)" = "{1171A62F-05D2-11D1-83FC-00A0C9089C5A}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"
[HKCR\.spl]
"Content Type" = "application/futuresplash"
[HKCR\FlashProp.FlashProp]
"(Default)" = "FlashProp Class"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\SysWow64\Flash9b.ocx"
[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"
[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"
[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "88"
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\SysWow64\Flash9b.ocx, 1"
[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\SysWow64\Flash9b.ocx, 1"
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\.sol]
"Content Type" = "text/plain"
[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"
[HKCR\.sor]
"Content Type" = "text/plain"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"
[HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "65"
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.9"
[HKCR\FlashProp.FlashProp\CurVer]
"(Default)" = "FlashProp.FlashProp.1"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"
[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
"(Default)" = "FlashProp Class"
The Worm deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
The process wallpaper.exe:3756 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\EleFun Desktops\Wallpaper Player]
"WindowHandle" = "16 03 0D 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Amazing3DAquariumWallpaper" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"EleFunAnimatedWallpaper" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.exe STARTUP"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process is-GCI02.tmp:3728 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ENW3139F-4DD5-81C6-2F0E-624AC34560110}_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
"Inno Setup: App Path" = "%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake"
"Inno Setup: Icon Group" = "EleFun Desktops\Animated Wallpapers\The Great Lake"
"UninstallString" = "%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.exe"
"DisplayName" = "The Great Lake"
"Inno Setup: Setup Version" = "5.1.13"
"URLInfoAbout" = "http://www.elefun-desktops.com"
"URLUpdateInfo" = "http://www.elefun-desktops.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ENW3139F-4DD5-81C6-2F0E-624AC34560110}_is1]
"Publisher" = "EleFun Desktops"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF" = "01 00 00 00 00 00 00 00 D4 69 5D 03 76 1A D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ENW3139F-4DD5-81C6-2F0E-624AC34560110}_is1]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ENW3139F-4DD5-81C6-2F0E-624AC34560110}_is1]
"HelpLink" = "http://www.elefun-desktops.com"
"InstallLocation" = "%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\"
"QuietUninstallString" = "%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.exe /SILENT"
"InstallDate" = "20141218"
"NoRepair" = "1"
[HKLM\SOFTWARE\Wow6432Node\EleFun Desktops\The Great Lake Wallpaper]
"language_index" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 72920973b2c9301b47ba26b18501e102 | c:\Program Files (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\The Great Lake.exe |
| dc27867907109d2edd4b04f7db802c33 | c:\Program Files (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.exe |
| f3b3ee66ca76c94510555abe9d00a353 | c:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\Flash9b.ocx |
| 2520208faed1e76583d71361e676eb0e | c:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\flash.exe |
| 0933cc89f5ecb3e2b424d5e012bf94c9 | c:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\swfplayer.exe |
| e7426a129d335389add77aa35c32296b | c:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\sysinfo.exe |
| e7ba14c4aacece99765276b1be9c7e2e | c:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.dll |
| cbdb39d8fe2e6d09291c891edb9295c7 | c:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.exe |
| f3b3ee66ca76c94510555abe9d00a353 | c:\Windows\SysWOW64\Flash9b.ocx |
| f3b3ee66ca76c94510555abe9d00a353 | c:\Windows\System32\Flash9b.ocx |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: EleFun Desktops
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: The Great Lake - Full Version Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 36848 | 36864 | 4.56726 | 083e077c314dfe6832fadef9f8dbac29 |
| DATA | 40960 | 584 | 1024 | 1.88293 | 7b967885fdd6cf034d6bbacee6d60fd9 |
| BSS | 45056 | 3640 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 49152 | 2384 | 2560 | 3.07153 | bd5bdc394dd9459844ea032b48349bc1 |
| .tls | 53248 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 57344 | 24 | 512 | 0.138011 | d293bf8d4ebe9826d58e1d27c25fe4b6 |
| .reloc | 61440 | 2216 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 65536 | 36832 | 36864 | 3.24144 | fcf6131b8c7c983259e977d89c2d42a2 |
URLs
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/bgInfoProductList.jpg | |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b00cc72c3b8bcef8 | |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f86c1d729ad77f65 | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandarchive.jpg | |
| hxxp://www.elefun-desktops.com/favicon.ico | |
| hxxp://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211 | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGmembershiplogin.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGbodytop.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandOrangeTitleLeft.jpg | |
| hxxp://www.google-analytics.com/ga.js | |
| hxxp://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= | |
| hxxp://www.elefun-desktops.com/sys_data/img/products/ad_Night_of_Reflections.jpg | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHj3S83xBK9k | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGGrayMenu.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandGreenTitleRight.jpg | |
| hxxp://pagead2.googlesyndication.com/pagead/osd.js | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/spacer.gif | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAWXeLAc38Ey | |
| hxxp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://www.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://www.elefun-desktops.com&dtd=225 | |
| hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandBlueTitleLeft.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/bgOrderProductList.jpg | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/IconSmallWallpaper.gif | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGEleFunDesktops.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/ButtonSubscribeLHOk.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/top_h1_header_left.jpg | |
| hxxp://pagead2.googlesyndication.com/pagead/images/ad_choices_en.png | |
| hxxp://www.elefun-desktops.com/sys_data/img/products/ss_Babylon_Gates.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandtitle.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/IconWallpapers.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/bottom.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandOrangeTitleRight.jpg | |
| hxxp://www.elefun-desktops.com/installs/The Great Lake_wallpaper_full | |
| hxxp://www.elefun-desktops.com/sys_data/img/products/ad_Pharaohs_Gallery.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/top1_bg.jpg | |
| hxxp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif | |
| hxxp://www.elefun-desktops.com/modules/promo/tmpl/default/images/Untitled-1_03.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/bgDownloadProductList.jpg | |
| hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/javascript.js | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/top2_bg.jpg | |
| hxxp://www.elefun-desktops.com/modules/promo/tmpl/default/images/screen_small_en.jpg | |
| hxxp://pagead2.googlesyndication.com/pagead/images/ad_choices_i.png | |
| hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6dg== | |
| hxxp://pagead2.googlesyndication.com/pagead/show_ads.js | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/IconSmallScreensaver.gif | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandGreenTitleLeft.jpg | |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | |
| hxxp://pagead2.googlesyndication.com/pagead/js/r20141209/r20141212/expansion_embed.js | |
| hxxp://pagead2.googlesyndication.com/pagead/js/r20141209/r20110914/abg.js | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/IconSmall0.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/BGlefthandBlueTitleRight.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/IconScreensavers.jpg | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
| hxxp://pagead2.googlesyndication.com/pagead/js/r20141209/r20141212/show_ads_impl.js | |
| hxxp://crl.geotrust.com/crls/secureca.crl | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/ButtonMembershipEnter.jpg | |
| hxxp://pagead2.googlesyndication.com/simgad/3083507136474604452 | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/IconSmall1.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/top_h1_header_right.jpg | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/logo.jpg | |
| hxxp://pagead2.googlesyndication.com/bg/As1rs6ZBldneBCLw2AxLEKkOIlt-mIA122l0HUMtT-g.js | |
| hxxp://crl.verisign.com/pca3.crl | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/style-sheet.css | |
| hxxp://ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= | |
| hxxp://googleads.g.doubleclick.net/pagead/html/r20141209/r20141212/zrt_lookup.html | |
| hxxp://buttons.googlesyndication.com/fusion/add.gif | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
| hxxp://www.elefun-desktops.com/modules/general/tmpl/default/images/top2_bg_right.jpg | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
| hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.1&utms=1&utmn=644796950&utmhn=www.elefun-desktops.com&utmcs=utf-8&utmsr=1716x901&utmvp=1716x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=EleFun Desktops: free Animated Wallpapers, Animated Screensavers, 3D desktop themes&utmhid=1608851308&utmr=-&utmp=/offers-show-1227196368/Membership&utmht=1418874740907&utmac=UA-927919-3&utmcc=__utma=1.668409717.1418874741.1418874741.1418874741.1;+__utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1343724813&utmredir=1&utmu=DhAAAAAAAAAAAAAAAAAAAAAE~ | |
| hxxp://www.elefun-desktops.com/offers-show-1227196368/Membership | |
| ieonline.microsoft.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
Traffic
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 18 Dec 2014 03:53:21 GMT
Last-Modified: Tue, 16 Dec 2014 18:51:02 GMT
Server: ECS (ams/D1C2)
X-Cache: HIT
Content-Length: 14060
GET /modules/general/tmpl/default/images/top_h1_header_right.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0686-24f-4e321e9e47c10"
Accept-Ranges: bytes
Content-Length: 591
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/ButtonMembershipEnter.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c068e-45c-4e321e9dad368"
Accept-Ranges: bytes
Content-Length: 1116
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/IconScreensavers.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c067d-342-4e321e9df01b8"
Accept-Ranges: bytes
Content-Length: 834
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /sys_data/img/products/ss_Babylon_Gates.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 06 Aug 2013 05:41:37 GMT
ETag: "1c6fc9-9dd2-4e340e0e5c001"
Accept-Ranges: bytes
Content-Length: 40402
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandtitle.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0674-231-4e321e9dcea90"
Accept-Ranges: bytes
Content-Length: 561
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /installs/The Great Lake_wallpaper_full HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 302 Moved Temporarily
Date: Thu, 18 Dec 2014 03:49:00 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Sat, 1 Jan 2005 06:00:00 GMT
Last-Modified: Thu, 18 Dec 2014 03:49:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: close
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 812
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
ETag: "a2f3ff97eeecf1:0"
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:52:53 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
ETag: "3e1c83923e1cf1:0"
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:52:53 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
ETag: "58cddbea90dfcf1:0"
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:52:53 GMT
Connection: keep-alive
GET /pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225 HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
DNT: 1
Connection: Keep-Alive
Cookie: id=caebd6253000002||t=1384780400|et=730|cs=002213fd480c4c2631f7c541a4
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Thu, 18 Dec 2014 03:52:21 GMT
Server: cafe
Cache-Control: private
Content-Length: 27901
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GET /pagead/drt/s?v=r20120211 HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
DNT: 1
Connection: Keep-Alive
Cookie: id=caebd6253000002||t=1384780400|et=730|cs=002213fd480c4c2631f7c541a4
HTTP/1.1 200 OK
X-Frame-Options: ALLOWALL
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Thu, 18 Dec 2014 03:43:19 GMT
Server: safe
Content-Length: 145
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 542
Alternate-Protocol: 80:quic,p=0.002
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Thu, 18 Dec 2014 03:56:27 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.0
VTag: 438246244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:56:32 GMT
Connection: keep-alive
GET /hit?t26.1;r;s1716*901*24;uhttp://VVV.elefun-desktops.com/offers-show-1227196368/Membership;iЖжEleFun Desktops: free Animated Wallpapers, Animated Screensavers, 3D desktop the;0.1374597159806235 HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: counter.yadro.ru
DNT: 1
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Thu, 18 Dec 2014 03:52:21 GMT
Server: 0W/0.8c
Content-Type: text/html
Location: hXXp://counter.yadro.ru/hit?q;t26.1;r;s1716*901*24;uhttp://VVV.elefun-desktops.com/offers-show-1227196368/Membership;iЖжEleFun Desktops: free Animated Wallpapers, Animated Screensavers, 3D desktop the;0.1374597159806235
Content-Length: 32
Expires: Tue, 17 Dec 2013 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: FTID=1Kaazr3tWqbI1Kaazr; path=/; expires=Thu, 17 Dec 2015 21:00:00 GMT; domain=.yadro.ru
<html><body>Moved</body></html>
GET /hit?q;t26.1;r;s1716*901*24;uhttp://VVV.elefun-desktops.com/offers-show-1227196368/Membership;iЖжEleFun Desktops: free Animated Wallpapers, Animated Screensavers, 3D desktop the;0.1374597159806235 HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: counter.yadro.ru
DNT: 1
Connection: Keep-Alive
Cookie: FTID=1Kaazr3tWqbI1Kaazr
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 03:52:21 GMT
Server: 0W/0.8c
Connection: Close
Content-Type: image/gif
Content-Length: 133
Expires: Tue, 17 Dec 2013 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: VID=25hvGj1AdYrI1Kaazr; path=/; expires=Thu, 17 Dec 2015 21:00:00 GMT; domain=.yadro.ru
GET /modules/general/tmpl/default/images/IconSmall0.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0675-21d-4e321e9dd11a0"
Accept-Ranges: bytes
Content-Length: 541
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandGreenTitleLeft.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0693-1a5-4e321e9e1c4c0"
Accept-Ranges: bytes
Content-Length: 421
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandOrangeTitleLeft.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0696-1b5-4e321e9e35ee8"
Accept-Ranges: bytes
Content-Length: 437
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/promo/tmpl/default/images/Untitled-1_03.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 08:53:55 GMT
ETag: "1c0aff-4c5-4e31b54ee0550"
Accept-Ranges: bytes
Content-Length: 1221
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/images/top1_bg.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0682-107c-4e321e9e19db0"
Accept-Ranges: bytes
Content-Length: 4220
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/images/BGGrayMenu.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c066a-16c-4e321e9da0460"
Accept-Ranges: bytes
Content-Length: 364
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/bgDownloadProductList.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c066d-1f6-4e321e9da94e8"
Accept-Ranges: bytes
Content-Length: 502
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=349085, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT
Expires: Mon, 22 Dec 2014 04:54:07 GMT
Date: Thu, 18 Dec 2014 03:56:27 GMT
Connection: keep-alive
<<< skipped >>>
GET /offers-show-1227196368/Membership HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Sat, 1 Jan 2005 06:00:00 GMT
Last-Modified: Thu, 18 Dec 2014 03:49:01 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: close
<<< skipped >>>
GET /modules/general/tmpl/default/style-sheet.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
<<< skipped >>>
GET /sys_data/img/products/ad_Night_of_Reflections.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 06 Aug 2013 05:41:36 GMT
ETag: "1c6f7c-42c1-4e340e0d88549"
Accept-Ranges: bytes
Content-Length: 17089
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/images/IconSmallWallpaper.gif HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c06ad-e3-4e321e9e24d78"
Accept-Ranges: bytes
Content-Length: 227
Content-Type: image/gif
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/promo/tmpl/default/images/screen_small_en.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 08:53:55 GMT
ETag: "1c0afd-39f9-4e31b54edede0"
Accept-Ranges: bytes
Content-Length: 14841
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/images/top_h1_header_left.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0651-316-4e321e9d541a0"
Accept-Ranges: bytes
Content-Length: 790
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandBlueTitleRight.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0699-1b7-4e321e9e508b0"
Accept-Ranges: bytes
Content-Length: 439
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/bottom.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c067f-d0a-4e321e9df5b90"
Accept-Ranges: bytes
Content-Length: 3338
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /ga.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 03:47:33 GMT
Expires: Thu, 18 Dec 2014 05:47:33 GMT
Last-Modified: Thu, 13 Nov 2014 21:10:00 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16068
Age: 287
Cache-Control: public, max-age=7200
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /r/__utm.gif?utmwv=5.6.1&utms=1&utmn=644796950&utmhn=VVV.elefun-desktops.com&utmcs=utf-8&utmsr=1716x901&utmvp=1716x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=EleFun Desktops: free Animated Wallpapers, Animated Screensavers, 3D desktop themes&utmhid=1608851308&utmr=-&utmp=/offers-show-1227196368/Membership&utmht=1418874740907&utmac=UA-927919-3&utmcc=__utma=1.668409717.1418874741.1418874741.1418874741.1;+__utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1343724813&utmredir=1&utmu=DhAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Thu, 18 Dec 2014 03:52:20 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Alternate-Protocol: 80:quic,p=0.002
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=493019, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 20:49:17 GMT
Expires: Tue, 23 Dec 2014 20:49:17 GMT
Date: Thu, 18 Dec 2014 03:56:27 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=508856, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 01:14:37 GMT
Expires: Wed, 24 Dec 2014 01:14:37 GMT
Date: Thu, 18 Dec 2014 03:56:27 GMT
Connection: keep-alive
<<< skipped >>>
GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6dg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1363
content-transfer-encoding: binary
Cache-Control: max-age=451357, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 09:14:19 GMT
Expires: Tue, 23 Dec 2014 09:14:19 GMT
Date: Thu, 18 Dec 2014 03:52:22 GMT
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/javascript.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 08:53:45 GMT
ETag: "1c064c-12ef-4e31b545ad5a0"
Accept-Ranges: bytes
Content-Length: 4847
Content-Type: text/javascript
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
function getCookie(name) {...var cookie = " " document.cookie;...var
search = " " name "=";...var setStr = null;...var offset = 0;...v
ar end = 0;...if (cookie.length > 0) {....offset = cookie.indexOf(s
earch);....if (offset != -1) {.....offset = search.length;.....end =
cookie.indexOf(";", offset).....if (end == -1) {......end = cookie.len
gth;.....}.....setStr = unescape(cookie.substring(offset, end));....}.
..}...return(setStr);..}..../*****************************************
******..* Sticky Note script- . Dynamic Drive DHTML code library (VVV.
dynamicdrive.com)..* Visit DynamicDrive.com for hundreds of DHTML scri
pts..* This notice must stay intact for legal use..* Go to hXXp://VVV.
dynamicdrive.com/ for full source code..******************************
*****************/..//Specify display mode. 3 possible values are:..//
1) "always"- This makes the fade-in box load each time the page is dis
played..//2) "oncepersession"- This uses cookies to display the fade-i
n box only once per browser session..//3) integer (ie: 5)- Finally, yo
u can specify an integer to display the box randomly via a frequency o
f 1/integer.....// For example, 2 would display the box about (1/2) 50
% of the time the page loads...var displaymode="always"..var enablefad
e="no" //("yes" to enable fade in effect, "no" to disable)..var autohi
debox=["yes", 50] //Automatically hide box after x seconds? [yes/no, i
f_yes_hide_after_seconds]..var showonscroll="yes" //Should box remain
visible even when user scrolls page? ("yes"/"no)..var IEfadelength<<< skipped >>>
GET /modules/general/tmpl/default/images/top2_bg_right.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0659-2cf-4e321e9d6a900"
Accept-Ranges: bytes
Content-Length: 719
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/IconWallpapers.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c06a6-348-4e321e9df8688"
Accept-Ranges: bytes
Content-Length: 840
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /sys_data/img/products/ss_Underwater_Clock.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 06 Aug 2013 05:41:38 GMT
ETag: "1c702e-9b64-4e340e0f446c1"
Accept-Ranges: bytes
Content-Length: 39780
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:03 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 09:11:25 GMT
ETag: "c53e5-9f6-4e31b9383b800"
Accept-Ranges: bytes
Content-Length: 2550
Content-Type: image/vnd.microsoft.icon
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /us.yimg.com/i/us/my/addtomyyahoo4.gif HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: us.i1.yimg.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 765
Content-Type: image/gif
ETag: "YM:1:a7bd8e41-25b9-44bf-917e-b7efec483bac0004ce780c98c874"
Last-Modified: Wed, 14 Nov 2012 17:41:49 GMT
Server: ATS
x-ysws-request-id: 253ccbd3-d45e-4536-9eab-35c12c2b146e
x-ysws-visited-replicas: gops.use44.mobstor.vip.bf1.yahoo.com
Cache-Control: public, max-age=286647262
Expires: Wed, 17 Jan 2024 20:06:42 GMT
Date: Thu, 18 Dec 2014 03:52:20 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=368600, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Thu, 18 Dec 2014 03:56:33 GMT
Connection: keep-alive
<<< skipped >>>
GET /pagead/show_ads.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 17505132066848985518
Date: Thu, 18 Dec 2014 03:41:07 GMT
Expires: Thu, 18 Dec 2014 04:41:07 GMT
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 7529
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 673
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /pagead/js/r20141209/r20141212/show_ads_impl.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 14148960368062276995
Date: Thu, 18 Dec 2014 03:52:21 GMT
Expires: Thu, 18 Dec 2014 03:52:21 GMT
Cache-Control: private, max-age=1209600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 49924
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /pagead/osd.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 9604784682434440633
Date: Thu, 18 Dec 2014 03:41:03 GMT
Expires: Thu, 18 Dec 2014 04:41:03 GMT
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 18569
X-XSS-Protection: 1; mode=block
Age: 678
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /pagead/js/r20141209/r20141212/expansion_embed.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 15330149891054740749
Date: Wed, 17 Dec 2014 17:12:24 GMT
Expires: Wed, 31 Dec 2014 17:12:24 GMT
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 51194
X-XSS-Protection: 1; mode=block
Age: 38397
Cache-Control: public, max-age=1209600
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /simgad/3083507136474604452 HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Thu, 27 Nov 2014 09:35:45 GMT
Date: Tue, 09 Dec 2014 04:59:01 GMT
Expires: Wed, 09 Dec 2015 04:59:01 GMT
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 28502
X-XSS-Protection: 1; mode=block
Age: 773600
Cache-Control: public, max-age=31536000
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /pagead/images/ad_choices_en.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: image/png
ETag: 3514261995661079078
Date: Thu, 18 Dec 2014 03:48:58 GMT
Expires: Fri, 19 Dec 2014 03:48:58 GMT
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 776
X-XSS-Protection: 1; mode=block
Age: 203
Cache-Control: public, max-age=86400
Alternate-Protocol: 80:quic,p=0.002
GET /bg/As1rs6ZBldneBCLw2AxLEKkOIlt-mIA122l0HUMtT-g.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript
Last-Modified: Tue, 02 Dec 2014 17:50:02 GMT
Date: Mon, 15 Dec 2014 15:21:04 GMT
Expires: Tue, 15 Dec 2015 15:21:04 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 5719
X-XSS-Protection: 1; mode=block
Age: 217877
Cache-Control: public, max-age=31536000
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /activeview?id=osdim&avi=BGstodU-SVP6lDcKtigbMuICIBgCdh8uo1wEAABABOAHIAQLIA8EEoAYCqBOAAQ&ti=1&adk=2506318246&p=187,486,277,1214&tos=1211,0,0,0,0&mtos=1211,1211,1211,1211,1211&rs=1&ht=0&tfs=238&tls=1449&fp=client=ca-pub-0884532287246801&url=http%3A%2F%2FVVV.elefun-desktops.com%2Foffers-show-1227196368%2FMembership&correlator=2660386479433&eid=317150304&oid=3&afp=&output=html&slotname=7839509899&flash=0&dt=1418874740945&adx=486&ady=187&ifi=1&tdl=487&abd=2-0-4&r=u&bs=1700,804&bos=1724,865&ps=1716,1474&ss=1716,901&tt=1012&pt=440&deb=1-1-1-5-6-5&tvt=1214&iframe_loc=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&is=728,90&uc=4 HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Thu, 18 Dec 2014 03:52:22 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 42
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
GET /coop/cse/brand?form=cse-search-box&lang=en HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 17 Dec 2014 02:56:44 GMT
Expires: Fri, 19 Dec 2014 02:56:44 GMT
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: pfe
Content-Length: 1129
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 89736
Cache-Control: public, max-age=172800
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /cse/intl/en/images/google_custom_search_watermark.gif HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Wed, 08 Feb 2012 18:07:38 GMT
Date: Wed, 17 Dec 2014 02:46:16 GMT
Expires: Fri, 19 Dec 2014 02:46:16 GMT
X-Content-Type-Options: nosniff
Server: pfe
Content-Length: 2024
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 90364
Cache-Control: public, max-age=172800
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /fusion/add.gif HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: buttons.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
Date: Thu, 18 Dec 2014 03:52:20 GMT
Expires: Thu, 18 Dec 2014 03:52:20 GMT
Cache-Control: private, max-age=31536000
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 2068
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 03:53:21 GMT
Content-Type: application/ocsp-response
Content-Length: 1757
Connection: keep-alive
Set-Cookie: __cfduid=d8e4a3f7ff625ed3f50800c624bb3948c1418874801; expires=Fri, 18-Dec-15 03:53:21 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Tue, 16 Dec 2014 22:10:03 GMT
Expires: Mon, 22 Dec 2014 03:53:20 GMT
ETag: "60fab6421fedec14660baa3e5d30c79cff97684c"
Cache-Control: public, max-age=345599
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 19a869b8780905db-WAW
<<< skipped >>>
GET /modules/general/tmpl/default/images/logo.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0681-cbd-4e321e9e114f8"
Accept-Ranges: bytes
Content-Length: 3261
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/images/top2_bg.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0688-81c-4e321e9e5b878"
Accept-Ranges: bytes
Content-Length: 2076
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
<<< skipped >>>
GET /modules/general/tmpl/default/images/BGlefthandBlueTitleLeft.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c068f-1a5-4e321e9dfad98"
Accept-Ranges: bytes
Content-Length: 421
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/IconSmall1.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c066c-1f9-4e321e9da6dd8"
Accept-Ranges: bytes
Content-Length: 505
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/IconSmallScreensaver.gif HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0653-da-4e321e9d59f60"
Accept-Ranges: bytes
Content-Length: 218
Content-Type: image/gif
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGbodytop.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c069c-44a-4e321e9e6a6c0"
Accept-Ranges: bytes
Content-Length: 1098
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/ButtonSubscribeLHOk.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0670-234-4e321e9dbae28"
Accept-Ranges: bytes
Content-Length: 564
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandOrangeTitleRight.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0665-1d4-4e321e9d90a60"
Accept-Ranges: bytes
Content-Length: 468
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/bgOrderProductList.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c06a3-1ae-4e321e9ddf430"
Accept-Ranges: bytes
Content-Length: 430
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?b00cc72c3b8bcef8 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Thu, 18 Dec 2014 03:52:53 GMT
Connection: keep-alive
GET /pub-config/ca-pub-0884532287246801.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.gstatic.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/javascript
Last-Modified: Wed, 17 Dec 2014 15:47:27 GMT
Date: Wed, 17 Dec 2014 22:43:17 GMT
Expires: Thu, 18 Dec 2014 10:43:17 GMT
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
Content-Length: 109
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=43200
Age: 18544
Alternate-Protocol: 80:quic,p=0.002
GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com
HTTP/1.1 200 OK
Server: Apache
ETag: "9872464df9cf3e431f02d5be8de67e54:1418873424"
Last-Modified: Thu, 18 Dec 2014 03:30:24 GMT
Date: Thu, 18 Dec 2014 03:52:22 GMT
Content-Length: 966
Connection: keep-alive
Content-Type: application/pkix-crl
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f86c1d729ad77f65 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Thu, 18 Dec 2014 03:52:22 GMT
Connection: keep-alive
GET /pagead/js/r20141209/r20110914/abg.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 4058474734652203665
Date: Wed, 17 Dec 2014 17:12:24 GMT
Expires: Wed, 31 Dec 2014 17:12:24 GMT
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 13641
X-XSS-Protection: 1; mode=block
Age: 38397
Cache-Control: public, max-age=1209600
Alternate-Protocol: 80:quic,p=0.002
GET /pagead/images/ad_choices_i.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0884532287246801&output=html&h=90&slotname=7839509899&adk=2506318246&w=728&lmt=1418874541&flash=0&url=http://VVV.elefun-desktops.com/offers-show-1227196368/Membership&dt=1418874740945&bpp=22&bdt=735&shv=r20141209&cbv=r20141212&saldr=sa&correlator=2660386479433&frm=20&ga_vid=2104447498.1418874741&ga_sid=1418874741&ga_hid=1608851308&ga_fc=0&u_tz=120&u_his=1&u_java=1&u_h=901&u_w=1716&u_ah=857&u_aw=1716&u_cd=24&u_nplug=0&u_nmime=0&dff=times new roman&dfs=10&adx=486&ady=187&biw=1700&bih=804&eid=317150304&oid=3&rx=0&eae=0&fc=8&docm=10&brdim=0,53,-4,-4,1716,,1724,865,1716,804&vis=1&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=qLRz9rAmJn&p=http://VVV.elefun-desktops.com&dtd=225
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: pagead2.googlesyndication.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: image/png
ETag: 14036706360268997840
Date: Thu, 18 Dec 2014 03:49:50 GMT
Expires: Fri, 19 Dec 2014 03:49:50 GMT
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 365
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 151
Alternate-Protocol: 80:quic,p=0.002
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 03:53:22 GMT
Content-Type: application/ocsp-response
Content-Length: 1757
Connection: keep-alive
Set-Cookie: __cfduid=dc9dbd41c579956ba127ca5ad82c0e8411418874802; expires=Fri, 18-Dec-15 03:53:22 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Tue, 16 Dec 2014 22:10:03 GMT
Expires: Mon, 22 Dec 2014 03:53:21 GMT
ETag: "60fab6421fedec14660baa3e5d30c79cff97684c"
Cache-Control: public, max-age=345599
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 19a869b8caa30afc-WAW
GET /modules/general/tmpl/default/images/spacer.gif HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0650-2b-4e321e9d51a90"
Accept-Ranges: bytes
Content-Length: 43
Content-Type: image/gif
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGEleFunDesktops.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c069e-27de-4e321e9e7e710"
Accept-Ranges: bytes
Content-Length: 10206
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /sys_data/img/products/ad_Pharaohs_Gallery.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 06 Aug 2013 05:41:36 GMT
ETag: "1c6f81-86d6-4e340e0d93ce1"
Accept-Ranges: bytes
Content-Length: 34518
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandarchive.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0690-2e6-4e321e9e03268"
Accept-Ranges: bytes
Content-Length: 742
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGmembershiplogin.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0694-a2e-4e321e9e28fe0"
Accept-Ranges: bytes
Content-Length: 2606
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/BGlefthandGreenTitleRight.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:04 GMT
ETag: "1c0697-1b4-4e321e9e39598"
Accept-Ranges: bytes
Content-Length: 436
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /modules/general/tmpl/default/images/bgInfoProductList.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.elefun-desktops.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=1.668409717.1418874741.1418874741.1418874741.1; __utmb=1.1.10.1418874741; __utmc=1; __utmz=1.1418874741.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.0 200 OK
Date: Thu, 18 Dec 2014 03:49:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 04 Aug 2013 16:45:03 GMT
ETag: "1c0660-185-4e321e9d7e950"
Accept-Ranges: bytes
Content-Length: 389
Content-Type: image/jpeg
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.22)
Connection: keep-alive
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 18 Dec 2014 03:53:21 GMT
Last-Modified: Tue, 16 Dec 2014 18:51:02 GMT
Server: ECS (ams/D1C2)
X-Cache: HIT
Content-Length: 14060
<<< skipped >>>
GET /pagead/html/r20141209/r20141212/zrt_lookup.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://VVV.elefun-desktops.com/offers-show-1227196368/Membership
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
DNT: 1
Connection: Keep-Alive
Cookie: id=caebd6253000002||t=1384780400|et=730|cs=002213fd480c4c2631f7c541a4
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
ETag: 8281997907193036559
Date: Wed, 17 Dec 2014 17:12:24 GMT
Expires: Wed, 31 Dec 2014 17:12:24 GMT
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: cafe
Content-Length: 5099
X-XSS-Protection: 1; mode=block
Age: 38397
Cache-Control: public, max-age=1209600
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAWXeLAc38Ey HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Wed, 17 Dec 2014 21:03:29 GMT
Expires: Sun, 21 Dec 2014 21:03:29 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 24534
Cache-Control: public, max-age=345600
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHj3S83xBK9k HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Mon, 15 Dec 2014 07:45:43 GMT
Expires: Fri, 19 Dec 2014 07:45:43 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 245200
Cache-Control: public, max-age=345600
Alternate-Protocol: 80:quic,p=0.002
<<< skipped >>>
The Worm connects to the servers at the following location(s):
.text
`.data
.idata
.rsrc
@.reloc
u\j.Xf9
j.Xf9
USER32.dll
api-ms-win-downlevel-shell32-l1-1-0.dll
IEFRAME.dll
SHELL32.dll
iexplore.pdb
api-ms-win-downlevel-shlwapi-l1-1-0.dll
iertutil.dll
api-ms-win-downlevel-advapi32-l1-1-0.dll
KERNEL32.dll
msvcrt.dll
_wcmdln
_amsg_exit
RegOpenKeyExW
RegCloseKey
<!-- Note: This manifest needs to be kept in sync with iexplore.exe.manifest -->
<assemblyIdentity version="5.1.0.0"
name="Microsoft.InternetExplorer"
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>KEYW
Microsoft.InternetExplorer.Default
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
imm32.dll
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Kernel32.dll
"%s" %s
kernel32.dll
IEXPLORE.EXE
{00000000-0000-0000-0000-000000000000}\\?\Volume
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Browseui_Tabs_Tearoff_BetweenWindows_TabProc
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
Shdocvw_BaseBrowser_FireEvent_BeforeScriptExecute
IMTravelLogMVC_TravelURL
10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)
Windows
10.00.9200.16521
wallpaper.exe_3756:
.text
`.rdata
@.data
.rsrc
\swfplayer.exe"
\swfplayer.exe
\info.ini
"%s" "STARTUP"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KERNEL32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
operator
kernel32.dll
GetProcessWindowStation
USER32.DLL
WS2_32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
Wallpaper.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.exe
swfplayer.exe_2352:
.text
`.rdata
@.data
.rsrc
HHCTRL.OCX
\\.\REGMON
\\.\REGVXD
1.1.3
SWFKit.BK
kernel32.dll
shlwapi.dll
comctl32.dll
------%s will be expired on d-d-d------
------%s will be expired after %d days after installed!------
f%d_%s
function f%d_%s() { return _call('%s', arguments);}
comdlg32.dll
urlmon.dll
user32.dll
%sX%d.cab
"%s" /Q /S
%sX%d.tmp
Failed to initialize the WIndows Socket!
%d%% Free
Physical memory available to Windows:
%d KB
0xX
SCRNSAVE.EXE
SYSTEM.INI
hXXp://VVV.swfbuddy.com
TOPURL
TWAIN_32.DLL
.main
oleaut32.dll
Src: %s
Line:%d Error:%d Scode:%x
%s\DefaultIcon
%s\shell\open\%s
windowShape
$EKHOTKEY
$KPDISABLEWINDOWKEYS
hotKey
exitKeys
keyPress
expiryMsg
~paste01.bmp
windowSize
cmdItems
cmdLine
join
%s.%s
%s.%d
msgBox
winio.sys
\\.\PhysicalDrive%d
\\.\Scsi%d:
FtpGetFileSize
FtpRenameFileA
FtpDeleteFileA
FtpRemoveDirectoryA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpFindFirstFileA
wininet.dll
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
_InetFtp_
@F_%u
.tiff
.jpeg
VVV.swfkit.com
onGetUrl
openFtp
getHttpFileHeader
getHttpFileStatus
getHttpFileLastModifiedTime
getHttpFileSize
getUrl
{X-X-X-XX-XXXXXX}_FFish_MCI_%d
errorMsg
sendCmdString
OK %d %s
%d %s
UIDL %d
TOP %d %d
RETR %d
OK %d %d
%d %d
LIST %d
DELE %d
password
port
RegKey
key not found
deleteKey
getSubkeyNames
\StringFileInfo\X\SpecialBuild
\StringFileInfo\X\productVersion
\StringFileInfo\X\ProductName
\StringFileInfo\X\PrivateBuild
\StringFileInfo\X\OriginalFilename
\StringFileInfo\X\LegalTrademarks
\StringFileInfo\X\LegalCopyright
\StringFileInfo\X\InternalName
\StringFileInfo\X\FileVersion
\StringFileInfo\X\FileDescription
\StringFileInfo\X\CompanyName
\StringFileInfo\X\Comments
Shell32.dll
software\microsoft\windows\currentversion
windows
findExecutable
windowStyle
URLShortcut
Microsoft Windows Millennium Edition
Microsoft Windows 98
Microsoft Windows 95
%s (Build %d)
Service Pack 6a (Build %d)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
%d.%d
Web Edition
Microsoft Windows NT
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003,
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 "R2"
Windows Server "Longhorn"
Windows Vista
getWindowsByName
windowState
getExeName
processMsg
- deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetOpenUrlA
InternetCanonicalizeUrlA
illegal character '%s%c%c'
illegal unicode character '%s%c%c%c%c'
unterminated %s constant
unknown escape sequence '%c%c'
ECMAScript don't allow line terminators in %s constants
syntax error: %s
invalid alias name of the imported function
inflate 1.1.3 Copyright 1995-1998 Mark Adler
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
%ld%c
dllimport
import
export
?456789:;<=
!"#$%&'()* ,-./0123
attachment %d
====_SWFKIT_MAIL_PART_%X.%X.%X_====
Content-Transfer-Encoding: %s
Content-Type: %s; charset="%s"
Content-Type: %s; name="%s"
Content-Disposition: attachment; filename="%s"
Content-ID: <%s>
--%s--
boundary="%s"
X-Priority: %d
X-Mailer: SWFKit.FFish
Date: %s
Subject: =?%s?B?
Bcc: %s
Cc: %s
Reply-To: %s
To: %s
From: %s
boundary="%s";
login
AUTH PLAIN %s
AUTH LOGIN
%s %s
MAIL FROM:<%s>
HELO %s
EHLO %s
can't connect to the smtp server
PASS %s
USER %s
@F_%d
Reply from %d.%d.%d.%d: bytes=%d time=%dms TTL=%d
Unkown host %s
ICMP.DLL
Reply from %s: bytes=%d time=%dms TTL=%d icmp_seq=%u
Pinging %s [%s]: with %d bytes of data:
1.2.5
0123456789ABCDEF
libpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
NULL row buffer for row %ld, pass %d
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
'7gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
?iTXt chunk not supported.
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Empty keyword in tEXt chunk
Empty keyword in zTXt chunk
Empty keyword in iCCP chunk
Empty keyword in sPLT chunk
white_x=%f, white_y=%f
.yMax
.xMax
.yMin
.xMin
inetmib1.dll
SYSTEM\CurrentControlSet\Services\VxD\MSTCP
SYSTEM\CurrentControlSet\Services\Tcpip\parameters
SYSTEM\CurrentControlSet\Services\Tcpip\parameters\Transient
%s compression support is not configured
Compression algorithm does not support random access
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
%s: Invalid InkNames value; expecting %d names, found %d
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
%ld: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
%d: Bad value for "%s"
Bad value %ld for "%s" tag ignored
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%s: Error fetching directory count
%s: Error fetching directory link
Internal error, unknown tag 0x%x
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot read TIFF_ANY type %d for field "%s"
Cannot handle different per-sample values for field "%s"
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
unknown field with tag %d (0x%x) ignored
wrong data type %d for "%s"; tag ignored
Error writing data for field "%s"
%s: Error writing SubIFD directory link
A"%s": Information lost writing value (%g) as (unsigned) RATIONAL
DumpModeDecode: Not enough data for scanline %d
%s: Bad code word at scanline %d (x %lu)
%s: Uncompressed data (not supported) at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
%s: No space for state block
Sorry, can not handle YCbCr images with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
?%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
Inappropriate photometric interpretation %d for SGILog compression; %s
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for LogLuv state block
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: No space for data buffer at scanline %ld
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Data buffer too small to hold tile %ld
%u: Sample out of range, max %u
ThunderDecode: %s data at scanline %ld (%lu != %lu)
Sample %d out of range, max %u
LIBTIFF, Version 3.5.7
%s: Cannot open
%s Warning
%s Error
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%s: %s
%s: zlib error: %s
%s: Not enough data at scanline %d (short %d bytes)
%s: Decoding error at scanline %d, %s
%s: Encoder error: %s
Runtime error: %s
Warning: unknown method "%s"
Warning: invalid index for operator []
hook break %d
Warning: can't set property "%s" with a wrong type
Warning: using undefined property "%s"
Warning: using undefined variable "%s"
CNotSupportedException
COMCTL32.DLL
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
hhctrl.ocx
commctrl_DragListMsg
CCmdTarget
CHotKeyCtrl
msctls_hotkey32
GDI32.DLL
MSWHEEL_ROLLMSG
File%d
ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
CMDIChildWnd
CMDIFrameWnd
ddeexec
%s\ShellNew
%s\shell\printto\%s
%s\shell\print\%s
MSH_SCROLL_LINES_MSG
MSH_WHEELSUPPORT_MSG
olepro32.dll
ole32.dll
mscoree.dll
?#%X.y
Please contact the application's support team for more information.
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
portuguese-brazilian
GetProcessWindowStation
0123456789
right-curly-bracket
left-curly-bracket
OLEAUT32.dll
OLEACC.dll
WINMM.dll
WSOCK32.dll
VERSION.dll
GetWindowsDirectoryA
CreatePipe
GetProcessHeaps
WinExec
GetCPInfo
KERNEL32.dll
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyNameTextA
MapVirtualKeyA
EnumThreadWindows
ExitWindowsEx
EnumWindows
EnumChildWindows
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
RegEnumKeyA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
FindExecutableA
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
.PAVCFileException@@
.PAVCObject@@
.PAVCException@@
.PAVCTopBaseException@@
.PAVCZipException@@
This executable file was created by an UNREGISTERED copy of SWFKit!
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.?AVCHotKeyCtrl@@
.PAVCResourceException@@
.PAVCArchiveException@@
.?AVCStatusCmdUI@@
.?AVCMDIFrameWnd@@
.?AVCMDIChildWnd@@
.PAVCOleDispatchException@@
zcÁ
c:\users\"%CurrentUserName%"\appdata\local\microsoft\windows\temporary internet files
install_flash_player_active_x.exe
empty.swf
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\swfplayer.exe
5L.uhH
/.LzC
d.rbg
%S<^(
stdole2.tlbWWW
bstrMsgW
Created by MIDL version 6.00.0347 at Thu Aug 30 16:09:49 2007
<property id="%d">
<property id="%s">
<number>%d</number>
<string>%s</string>
<invoke name="%s" returntype="xml"><arguments>
%s:%s. See also: %s.
%s %s d d:d:d GMT% 04d %s%sd B.C.
%s %s d d:d:d GMT% 04d %s%sd
%s, d %s d d:d:d GMT B.C.
%s, d %s d d:d:d GMT
x%s.%s
%s.length
[object Inet.Ftp]
[object RegKey]
d[object URLShortcut]
[object Sound.playback]
[object Sound.recording]
<SUP>%s</SUP>
<SUB>%s</SUB>
<STRIKE>%s</STRIKE>
<SMALL>%s</SMALL>
<A HREF="%s">%s</A>
<I>%s</I>
<FONT SIZE="%s">%s</FONT>
<FONT COLOR="%s">%s</FONT>
<TT>%s</TT>
<B>%s</B>
<BLINK>%s</BLINK>
<BIG>%s</BIG>
<A NAME="%s">%s</A>
;/?:@&= $,#
accKeyboardShortcut
SUPPORT
Key Press
Disable Windows keys
Exit Keys
HotKey1
Custom Hot Key
%s Registration
Please enter your name, a serial number and a registration code to register %s.
Enter the World Wide Web location (URL) or specify the local file you would like to open.
WEBSITE
Port :
Prj.Document
Invalid projector window size
Invalid projector window position
Flash (*.swf,*.spl)|*.swf;*.spl|All Files (*.*)|*.*||
%s has expired!D%s
Press Register button to register %s, press OK button to exit.
This copy of program is licensed to: %s
Serial Number: %s
Replace%Select the entire document
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Page %u
Pages %u-%u
Output.prn
Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Unable to load mail system support.
Access to %1 was denied.
An invalid file handle was associated with %1.
%1 could not be removed because it is the current directory.
%1 could not be created because the directory is full.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
swfplayer.exe
swfplayer.exe_2312:
.text
`.rdata
@.data
.rsrc
HHCTRL.OCX
\\.\REGMON
\\.\REGVXD
1.1.3
SWFKit.BK
kernel32.dll
shlwapi.dll
comctl32.dll
------%s will be expired on d-d-d------
------%s will be expired after %d days after installed!------
f%d_%s
function f%d_%s() { return _call('%s', arguments);}
comdlg32.dll
urlmon.dll
user32.dll
%sX%d.cab
"%s" /Q /S
%sX%d.tmp
Failed to initialize the WIndows Socket!
%d%% Free
Physical memory available to Windows:
%d KB
0xX
SCRNSAVE.EXE
SYSTEM.INI
hXXp://VVV.swfbuddy.com
TOPURL
TWAIN_32.DLL
.main
oleaut32.dll
Src: %s
Line:%d Error:%d Scode:%x
%s\DefaultIcon
%s\shell\open\%s
windowShape
$EKHOTKEY
$KPDISABLEWINDOWKEYS
hotKey
exitKeys
keyPress
expiryMsg
~paste01.bmp
windowSize
cmdItems
cmdLine
join
%s.%s
%s.%d
msgBox
winio.sys
\\.\PhysicalDrive%d
\\.\Scsi%d:
FtpGetFileSize
FtpRenameFileA
FtpDeleteFileA
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TPAutoConnSvc.exe:1776
flash.exe:1596
%original file name%.exe:1868
The Great Lake.exe:1188
regsvr32.exe:3680
wallpaper.exe:3756
is-GCI02.tmp:3728
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\Flash9b.ocx (43265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-SFJRC.tmp\is-GCI02.tmp (1405 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\info.ini (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\flash.exe (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\product_preview (1523 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\sysinfo.exe (151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\splash (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\swfplayer.exe (1277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper_tray.ico (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\product.ico (1764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\settings.jpg (980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.dll (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\empty (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\enable_product_sound (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\text_en.ini (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\disable_product_sound (2 bytes)
C:\Windows\SysWOW64\Flash9b.ocx (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper_loader (549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.exe (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\Uninstall The Great Lake.lnk (2 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-G59LQ.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Desktop Membership.url (198 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\New Products.url (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QNRQU.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-UEHRE.tmp (6912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QNRQU.tmp\_isetup\_setup64.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Wallpaper The Great Lake.lnk (1 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.dat (2508 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\News Archive.url (171 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\unins000.exe (712 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-S9MP4.tmp (53570 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\Run The Great Lake.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EleFun Desktops\Animated Wallpapers\The Great Lake\Desktop Membership.url (198 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\The Great Lake.exe (1018 bytes)
%Program Files% (x86)\EleFun Desktops\Animated Wallpapers\The Great Lake\is-J2JEG.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Site EleFun Desktops.url (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QNRQU.tmp\_isetup\_RegDLL.tmp (3 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Amazing3DAquariumWallpaper" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"EleFunAnimatedWallpaper" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\elefundesktops\thegreatlake_wallpaper\wallpaper.exe STARTUP"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.