Trojan.Generic.9176938_22ac5c7d4f

by malwarelabrobot on April 13th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.9176938 (B) (Emsisoft), Trojan.Generic.9176938 (AdAware)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 22ac5c7d4f24dfea3c622a01ccbc9815
SHA1: 73aeed405c3d64409b48ccfcbe8b707c28cd0b0f
SHA256: 886a6933edb3c717a73cf643f77c2da0d0c8901ce82345388336d048f5e71c33
SSDeep: 3072:JEM78wOrgNfLbeQIEpXLbwREb8YNbRUciRAs6vrQPncSO:J7ouezEVQREItU0cSO
Size: 3873756 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1999-01-10 17:39:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:172

The Trojan injects its code into the following process(es):

Rundll32.exe:2020
iexplore.exe:1536

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\rundll32.exe (28498 bytes)
C:\~0002ftd.tmp (37 bytes)
%System%\rundII32.exe (50 bytes)
%System%\msng.exe (28498 bytes)

The process Rundll32.exe:2020 makes changes in the file system.
The Trojan deletes the following file(s):

C:\~0002ftd.tmp (0 bytes)
C:\22ac5c7d4f24dfea3c622a01ccbc9815 (0 bytes)

Registry activity

The process %original file name%.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB DA 1D D5 71 BC 68 F9 12 16 FB 55 45 8E 70 DB"

Dropped PE files

MD5 File path
8ded66389b0753a18f0c52bbd72e484f c:\WINDOWS\system32\rundII32.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file:

127.0.0.1 ZieF.pl


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

VersionInfo

No information is available.

PE Sections

Name      Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
(blank)   4096             122880        0         0         d41d8cd98f00b204e9800998ecf8427e
(blank)   126976           16384         15872     5.4557    93d309fa36e44d38c4f31bfc14f0fec3
.rsrc     143360           225710        225792    3.29383   110fd680f613ccedc20b7e333ee1abb4
dvvehzv   372736           4096          0         0         d41d8cd98f00b204e9800998ecf8427e
.GA       376832           3633152       3631068   0.130643  2bfb35e1094838805d50480c0187219b


URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /newServing/cpalinks.php?qid=142882217857track&memkey=2476c7093d0a51eebc266786164817c5&clck_sid=571014&clck_pid=90910&default=http://informharry.com/default.php?serverfile=popdirect&siteid=clickbanner&subid=24598 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive
Cookie: TRUID=14288221702983; CKTIME=1428822170


HTTP/1.1 302 Found
Date: Sun, 12 Apr 2015 07:02:59 GMT
Server: Apache/2.4.6 (Fedora)
X-Powered-By: PHP/5.5.6
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location: hXXp://informharry.com/default.php?serverfile=popdirect&siteid=clickbanner&subid=24598
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8


GET /links.php?data=rSe_2/}*2-0{)1-$S7XjS[eW_Xf_g$]m^b'*.*7"}n^b').'6"*,&5"&serverfile=popdirect&id=clickbanner&subid=24598&tid=1428822178&clater=0&m=127&o=1&c=32767&a=32767&q=8&s=<=&ah=10&al=3&l=english&campaign=&rurl=http://b.yu0123456.com/newServing/clicktrack.php?cpx=cpv&qid=142882217857track&defurl=http://b.yu0123456.com/newServing/cpalinks.php?qid=142882217857track&memkey=2476c7093d0a51eebc266786164817c5&clck_sid=571014&clck_pid=90910 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.abckj123.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:58 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.2.4
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 649
Connection: close
Content-Type: text/html; charset=UTF-8


GET /close.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: popunder.paypopup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:03:00 GMT
Server: Apache/2.2.11 (Fedora)
X-Powered-By: PHP/5.2.13
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 277
Connection: close
Content-Type: text/html; charset=UTF-8


GET /newServing/tracking_id.php?d=b.yu0123456.com&r=http://b.yu0123456.com/newServing/tracking_id.php?b=1&>ruid=1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tr1.myroitracking.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Sun, 12 Apr 2015 07:02:50 GMT
Server: Apache/2.2.22 (Fedora)
X-Powered-By: PHP/5.3.10
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: TRUID=14288221702983; expires=Tue, 12-May-2015 07:02:50 GMT; path=/; domain=.myroitracking.com
Location: hXXp://b.yu0123456.com/newServing/tracking_id.php?b=1&UID=14288221702983&TRSTR=1&RTID=
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8


GET /wp-content/plugins/wp-rss-multi-importer/scripts/show-excerpt.js?ver=4.1.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Sun, 18 Jan 2015 07:44:34 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 256
Connection: close
Content-Type: application/javascript


GET /pixel/show.php?a=4941420762090&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: profile=0; expires=Sat, 11-Jul-2015 07:02:52 GMT; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d1172d36d05d5-WAW
Content-Encoding: gzip


GET /wp-content/plugins/wp-rss-multi-importer/css/frontend.css?ver=4.1.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Sun, 18 Jan 2015 07:44:34 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 502
Connection: close
Content-Type: text/css


GET /default.php?serverfile=popdirect&siteid=clickbanner&subid=24598 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: informharry.com


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:59 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.2.4
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 118
Connection: close
Content-Type: text/html; charset=UTF-8


GET /newServing/getkey.php?cb=getkey&ob=Yesup.clicksor.Code[0]&nid=1&pid=90910&sid=578196&spid=&ns=0&nw=1&zone=0&url=http://openclose.ir/&lb=0&ext=0&oe=utf-8&t5889171&txt=openclose.ir | Laptop and Cellphone Online Shoppin HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:50 GMT
Server: Apache/2.2.22 (Fedora)
X-Powered-By: PHP/5.4.9
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 479
Connection: close
Content-Type: application/x-javascript


GET /show.php?nid=1&pid=90910&adtype=&sid=578196 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:49 GMT
Server: Apache/2.2.22 (Fedora)
X-Powered-By: PHP/5.4.9
Expires: Sun, 12 Apr 2015 07:12:49 GMT
Last-Modified: Sun, 12 Apr 2015 07:02:49 GMT
Cache-Control: max-age=600
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 695
Connection: close
Content-Type: application/x-javascript


GET /wp-content/plugins/wp-rss-multi-importer/scripts/detect-mobile.js?ver=4.1.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Sun, 18 Jan 2015 07:44:34 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1567
Connection: close
Content-Type: application/javascript

GET /wp-content/plugins/wp-rss-multi-importer/css/images/overlay.png HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:55 GMT
Server: Apache
Last-Modified: Sun, 18 Jan 2015 07:44:34 GMT
Accept-Ranges: bytes
Content-Length: 182
Vary: User-Agent
Connection: close
Content-Type: image/png


GET /pixel/show.php?a=4941420762090&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=336&height=280&slot=55921097173&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: profile=0; expires=Sat, 11-Jul-2015 07:02:52 GMT; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d1172d77e05c9-WAW
Content-Encoding: gzip



GET /pixel/show.php?a=4941420762090&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: profile=0; expires=Sat, 11-Jul-2015 07:02:52 GMT; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d117457b205c9-WAW
Content-Encoding: gzip


GET /newServing/search_banner.php?cb=doLayerBanner&ob=Yesup.clicksor.Code[0]&nid=1&pid=90910&sid=578196&spid=&zone=0&chad=1&oe=utf-8&cs=&memkey=2476c7093d0a51eebc266786164817c5&lb=5&adu=2&image=3&lq=0&qp=YF4lIzP7KC57_CYq_isw91tZYCcoLib8KTLzZl4r_CExeywpfnwgMCAjLSZ7JjQiK3xiWy0tfSUvJv0iLSEjfFVfLS_9&t5287.81031068922 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive
Cookie: TRUID=14288221702983; CKTIME=1428822170


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:56 GMT
Server: Apache/2.2.22 (Fedora)
X-Powered-By: PHP/5.4.9
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 243
Connection: close
Content-Type: application/x-javascript


GET /ad/336x280/4507543-6.gif HTTP/1.1
Accept: */*
Referer: hXXp://a.clickyab.com/ads/show.php?a=4941420762090&width=336&height=280&slot=55921097173&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: image/gif
Content-Length: 44873
Connection: keep-alive
Last-Modified: Wed, 11 Mar 2015 06:57:09 GMT
ETag: "54ffe745-af49"
Expires: Tue, 12 May 2015 07:02:52 GMT
Cache-Control: public, max-age=2592000
CF-Cache-Status: EXPIRED
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1d5d1174741a0afc-WAW

<<< skipped >>>

GET /i/bg/bamilo-120x240-bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://a.clickyab.com/ads/show.php?a=4941420762090&width=120&height=240&slot=9338294385&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:53 GMT
Content-Type: image/gif
Content-Length: 3017
Connection: keep-alive
Set-Cookie: __cfduid=d81536d18c6a431b6aa0ec0ecf884bd541428822173; expires=Mon, 11-Apr-16 07:02:53 GMT; path=/; domain=.bamilo.com; HttpOnly
Last-Modified: Sun, 05 Apr 2015 15:49:14 GMT
ETag: "5521597a-bc9"
CF-Cache-Status: HIT
Expires: Sun, 12 Apr 2015 11:02:53 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1d5d1175f66805cf-WAW

<<< skipped >>>

GET /i/cyab-120x240-1428249856.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/show.php?a=4941420762090&width=120&height=240&slot=9338294385&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive
Cookie: __cfduid=d81536d18c6a431b6aa0ec0ecf884bd541428822173


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Sun, 05 Apr 2015 16:06:03 GMT
ETag: W/"55215d6b-1d0"
Server: cloudflare-nginx
CF-RAY: 1d5d117726b605cf-WAW
Content-Encoding: gzip



GET /dm/www/images/2784249050c5b2fd2853903bce1d5d38.gif HTTP/1.1
Accept: */*
Referer: hXXp://dms.bamilo.com/dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc}
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive
Cookie: __cfduid=d925dac0102699d1df9aafba36fd998061428822173; OAID=613df83937539fa870086395374a8009; __utma=22938926.1400583208.1428822174.1428822174.1428822174.1; __utmb=22938926.1.10.1428822174; __utmc=22938926; __utmz=22938926.1428822174.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Content-Type: image/gif
Content-Length: 34146
Connection: keep-alive
Last-Modified: Sat, 11 Apr 2015 13:11:32 GMT
ETag: "55291d84-8562"
CF-Cache-Status: REVALIDATED
Expires: Sun, 12 Apr 2015 11:02:54 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1d5d117e284c05cf-WAW

<<< skipped >>>

GET /newServing/links.php?zone=0&chad=1&adu=3&cs=&adtype=0&nid=1&sid=571014&pid=90910&spid=&image=2&memkey=2476c7093d0a51eebc266786164817c5&durl=&lq=0&lb=5&qp=YF4lIzP7KC57_CYq_isw91tZYCcoLn77ITDzZl4r_CExeywpfnwgMCAjLSZ7JjQiK3xiWy0tfSUvJv0iLSEnfFVfLS_9 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive
Cookie: TRUID=14288221702983; CKTIME=1428822170


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:58 GMT
Server: Apache/2.2.22 (Fedora)
X-Powered-By: PHP/5.3.10
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 1821
Connection: close
Content-Type: text/html; charset=UTF-8
<!doctype html>.<html>.<head></head>.<body&
gt;.<script type="text/javascript">..function maximizeWindow(wid
th, height) {. if ( ! /Chrome/i.test(window.navigator.userAgent) ) {.
. .window.blur();. }. . if (parseInt(navigator.appVersion)>3) {
. if (navigator.appName=="Netscape") {. if ( width==0 && heigh
t==0 ) {. if (self.outerWidth < screen.availWidth) self.oute
rWidth=screen.availWidth;. if (self.outerHeight < screen.ava
ilHeight) self.outerHeight=screen.availHeight;. } else {.
self.outerWidth=parseInt(width);. self.outerHeight=parseInt(hei
ght);. }. } else {. if ( width==0 && height==0 ) {.
self.resizeTo(screen.availWidth 8,screen.availHeight 8);. } els
e {. var specWidth=parseInt(width);. var specHeight=pars
eInt(height);. if ( specWidth>screen.availWidth ) specWidth=
screen.availWidth;. if(specHeight>screen.availHeight) spec
Height= screen.availHeight;. self.resizeTo(specWidth 20,specHe
ight 8);. }. }. }.}..try {. maximizeWindow(0, 0);.} catch(e)
{}.. .try{. if (navigator.appName=="Netscape") {. if (window.op
ener) {. window.opener.focus();. }. }.} catch(e) {}. ..wind
ow.location = "http:\/\/VVV.abckj123.com\/links.php?data=rSe_2/}%2
A2-0{)1-$S7XjS[eW_Xf_g$]m^b'*.*7"}n^b%
27).'6"*,&5"&serverfile=popdirect&id=clickbanner&subid=2
4598&tid=1428822178&clater=0&m=127&o=1&c=32767&a=32767&q=8&s=<%3

<<< skipped >>>

GET /newServing/banner_frame.php?nid=1&pid=90910&sid=578196&zone=-1&image=3&adtype=14&key=7bd2081f4540a9deb334ddd37796e5bb&c1=#ffffff&c2=#FFFFFF&c3=#000000&c4=#666666 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.yesadsrv.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:56 GMT
Server: Apache/2.2.23 (Fedora)
X-Powered-By: PHP/5.4.17
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /wp-content/themes/twentyfourteen/js/functions.js?ver=20140616 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Tue, 13 Jan 2015 14:41:51 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1442
Connection: close
Content-Type: application/javascript

<<< skipped >>>

GET /newServing/showAd.php?nid=1&pid=90910&adtype=&sid=571014 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.clicksor.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:53 GMT
Server: Apache/2.2.22 (Fedora)
X-Powered-By: PHP/5.4.9
Expires: Sun, 12 Apr 2015 07:12:53 GMT
Last-Modified: Sun, 12 Apr 2015 07:02:53 GMT
Cache-Control: max-age=600
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 695
Connection: close
Content-Type: application/x-javascript


GET /?dm=6b2280e30391615dcaa18e533ccb99a9&action=load&blogid=16&siteid=1&t=681085331&back=http://openclose.ir/ HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zamenhost.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:48 GMT
Server: Apache
X-Powered-By: PHP/5.4.38
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
......................


GET /show.js HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171; expires=Mon, 11-Apr-16 07:02:51 GMT; path=/; domain=.clickyab.com; HttpOnly
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Server: cloudflare-nginx
CF-RAY: 1d5d116a1d520aea-WAW
Content-Encoding: gzip



GET /ads/?a=4941420762090&width=336&height=280&slot=55921097173&domainname=openclose.ir&loc=http://openclose.ir/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Sat, 04 Apr 2015 10:11:25 GMT
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1d5d116b5d8c0aea-WAW
Content-Encoding: gzip

<<< skipped >>>

GET /ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Sat, 04 Apr 2015 10:11:16 GMT
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1d5d116c7db80aea-WAW
Content-Encoding: gzip

<<< skipped >>>

GET /ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Sat, 04 Apr 2015 10:11:16 GMT
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1d5d116d2dde0aea-WAW
Content-Encoding: gzip

<<< skipped >>>

GET /ads/show.php?a=4941420762090&width=120&height=240&slot=9338294385&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: profile=0; expires=Sat, 11-Jul-2015 07:02:52 GMT; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d11728ee30aea-WAW
Content-Encoding: gzip

<<< skipped >>>

GET /img/clickyab-tiny.png HTTP/1.1
Accept: */*
Referer: hXXp://a.clickyab.com/ads/show.php?a=4941420762090&width=336&height=280&slot=55921097173&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: image/png
Content-Length: 1469
Connection: keep-alive
Cache-Control: public, max-age=2592000
Cf-Bgj: imgq:100
Etag: "537a02be-78d"
Expires: Tue, 12 May 2015 07:02:52 GMT
Last-Modified: Mon, 19 May 2014 13:10:22 GMT
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1d5d117473f80afc-WAW

<<< skipped >>>

GET /img/clickyab-tiny.png HTTP/1.1
Accept: */*
Referer: hXXp://a.clickyab.com/ads/show.php?a=4941420762090&width=120&height=240&slot=9338294385&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: image/png
Content-Length: 1469
Connection: keep-alive
Cache-Control: public, max-age=2592000
Cf-Bgj: imgq:100
Etag: "537a02be-78d"
Expires: Tue, 12 May 2015 07:02:52 GMT
Last-Modified: Mon, 19 May 2014 13:10:22 GMT
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1d5d1174c4000afc-WAW

GET /t.js HTTP/1.1
Accept: */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=336&height=280&slot=55921097173&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: t.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: text/javascript
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Cache-Control: public max-age=94608000
ETag: 04da42786b
1d..var tid = '5f404da42786bb41';..0..



GET /t.js HTTP/1.1
Accept: */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-None-Match: 04da42786b
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: t.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/javascript
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Cache-Control: public max-age=94608000
ETag: 04da42786b
1d..var tid = '5f404da42786bb41';..0..


GET /newServing/img/banner/header_bg.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.clicksor.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 12 Apr 2015 08:02:56 GMT
Cache-Control: max-age=3600
Content-Type: image/png
Accept-Ranges: bytes
ETag: "1216007231"
Last-Modified: Wed, 09 Nov 2011 14:55:32 GMT
Content-Length: 2927
Date: Sun, 12 Apr 2015 07:02:56 GMT
Server: yesup httpd 196

GET /newServing/img/banner/question_icon.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.clicksor.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 12 Apr 2015 08:02:56 GMT
Cache-Control: max-age=3600
Content-Type: image/png
Accept-Ranges: bytes
ETag: "1421789563"
Last-Modified: Mon, 07 Nov 2011 20:41:36 GMT
Content-Length: 2927
Date: Sun, 12 Apr 2015 07:02:56 GMT
Server: yesup httpd 196

GET /newServing/img/banner/footer_bg.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.clicksor.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 12 Apr 2015 08:02:57 GMT
Cache-Control: max-age=3600
Content-Type: image/png
Accept-Ranges: bytes
ETag: "1216007231"
Last-Modified: Wed, 09 Nov 2011 14:55:32 GMT
Content-Length: 2927
Date: Sun, 12 Apr 2015 07:02:57 GMT
Server: yesup httpd 196

GET /newServing/js/ui.js HTTP/1.1
Accept: */*
Referer: hXXp://a.yesadsrv.com/newServing/banner_frame.php?nid=1&pid=90910&sid=578196&zone=-1&image=3&adtype=14&key=7bd2081f4540a9deb334ddd37796e5bb&c1=#ffffff&c2=#FFFFFF&c3=#000000&c4=#666666
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.clicksor.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Last-Modified: Mon, 30 Mar 2015 15:16:56 GMT
ETag: "4081678557"
Content-Type: text/javascript
Expires: Sun, 12 Apr 2015 08:02:57 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes
Content-Length: 1458
Date: Sun, 12 Apr 2015 07:02:57 GMT
Server: yesup httpd 196

GET /newServing/img/banner/close_icon.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.clicksor.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 12 Apr 2015 08:03:01 GMT
Cache-Control: max-age=3600
Content-Type: image/png
Accept-Ranges: bytes
ETag: "633260457"
Last-Modified: Mon, 07 Nov 2011 20:41:36 GMT
Content-Length: 1055
Date: Sun, 12 Apr 2015 07:03:01 GMT
Server: yesup httpd 196

POST /wp-admin/admin-ajax.php HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://openclose.ir/
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Content-Length: 101
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1

action=gadash_get_frontendwidget_data&gadash_number=2&gadash_optionname=widget_gadash_frontend_widget


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Server: Apache
X-Powered-By: PHP/5.4.38
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
...........52..e.........


GET /wp-content/plugins/connections/vendor/picturefill/picturefill.min.js?ver=2.1.0 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.zamenhost.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Sun, 15 Feb 2015 20:21:32 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 2644
Connection: close
Content-Type: application/javascript

GET /newServing/js/show.js HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.clicksor.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Last-Modified: Mon, 30 Mar 2015 15:28:58 GMT
ETag: "1865382501"
Content-Type: text/javascript
Expires: Sun, 12 Apr 2015 08:02:50 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes
Content-Length: 29487
Date: Sun, 12 Apr 2015 07:02:50 GMT
Server: yesup httpd 196

GET /newServing/tracking_id.php?b=1&UID=14288221702983&TRSTR=1&RTID= HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: b.yu0123456.com


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:50 GMT
Server: Apache/2.4.6 (Fedora)
X-Powered-By: PHP/5.5.6
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: TRUID=14288221702983; expires=Sat, 06-Feb-2016 07:02:50 GMT; Max-Age=25920000; path=/; domain=b.yu0123456.com
Set-Cookie: CKTIME=1428822170; expires=Sat, 06-Feb-2016 07:02:50 GMT; Max-Age=25920000; path=/; domain=b.yu0123456.com
Set-Cookie: RTID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=b.yu0123456.com
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
......................


GET /newServing/searchTrack.php?nid=1&sid=578196&random=517127003 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:50 GMT
Server: Apache/2.4.6 (Fedora)
X-Powered-By: PHP/5.5.7
Expires: Sun, 12 Apr 2015 06:02:50 GMT
Last-Modified: Sun, 12 Apr 2015 07:02:50 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 65
Connection: close
Content-Type: text/html; charset=UTF-8
...........QL.O..,HU.(......Q..)@.~..N.O....R....(........g..D.....


GET /i/cyab-120x240-1428249856.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://a.clickyab.com/ads/show.php?a=4941420762090&width=120&height=240&slot=9338294385&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d925dac0102699d1df9aafba36fd998061428822173; expires=Mon, 11-Apr-16 07:02:53 GMT; path=/; domain=.bamilo.com; HttpOnly
Last-Modified: Sun, 05 Apr 2015 16:06:03 GMT
ETag: W/"55215d6b-1d0"
Server: cloudflare-nginx
CF-RAY: 1d5d1175fee60af6-WAW
Content-Encoding: gzip



GET /dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc} HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://dms.bamilo.com/i/cyab-120x240-1428249856.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive
Cookie: __cfduid=d925dac0102699d1df9aafba36fd998061428822173


HTTP/1.1 500 Internal Server Error
Date: Sun, 12 Apr 2015 07:02:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.7
Server: cloudflare-nginx
CF-RAY: 1d5d11780f140af6-WAW



GET /dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc} HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://dms.bamilo.com/i/cyab-120x240-1428249856.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive
Cookie: __cfduid=d925dac0102699d1df9aafba36fd998061428822173


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.7
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Access-Control-Allow-Origin: *
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=613df83937539fa870086395374a8009; expires=Mon, 11-Apr-2016 07:02:53 GMT; Max-Age=31536000; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d117adf520af6-WAW
Content-Encoding: gzip

GET /dm/www/delivery/lg.php?bannerid=555&campaignid=42&zoneid=45&loc=http://dms.bamilo.com/i/cyab-120x240-1428249856.htm&cb=7b3dda5d65 HTTP/1.1
Accept: */*
Referer: hXXp://dms.bamilo.com/dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc}
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive
Cookie: __cfduid=d925dac0102699d1df9aafba36fd998061428822173; OAID=613df83937539fa870086395374a8009; __utma=22938926.1400583208.1428822174.1428822174.1428822174.1; __utmb=22938926.1.10.1428822174; __utmc=22938926; __utmz=22938926.1428822174.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.7
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Access-Control-Allow-Origin: *
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=613df83937539fa870086395374a8009; expires=Mon, 11-Apr-2016 07:02:54 GMT; Max-Age=31536000; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d117e2f9c0af6-WAW
2b..GIF89a.............!.......,...........D..;..0......



GET /cdn-cgi/pe/bag2?r[]=http://dms.bamilo.com/cdn-cgi/nexp/dok3v=1613a3a185/cloudflare/json.js HTTP/1.1
Accept: */*
PE-Token: f4fd1e98cba66278a6e6f0a8c6e2b1ff8b63d766-1428822174-1800
Referer: hXXp://dms.bamilo.com/dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc}
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dms.bamilo.com
Connection: Keep-Alive
Cookie: __cfduid=d925dac0102699d1df9aafba36fd998061428822173; OAID=613df83937539fa870086395374a8009; __utma=22938926.1400583208.1428822174.1428822174.1428822174.1; __utmb=22938926.1.10.1428822174; __utmc=22938926; __utmz=22938926.1428822174.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Content-Type: multipart/mixed; boundary="sfpVhiE?H)m(3AZMx/"
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare-nginx
CF-RAY: 1d5d117fefb60af6-WAW
Content-Encoding: gzip

GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 06:04:32 GMT
Expires: Sun, 12 Apr 2015 08:04:32 GMT
Last-Modified: Tue, 31 Mar 2015 19:45:18 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16075
Cache-Control: public, max-age=7200
Age: 3497
Alternate-Protocol: 80:quic,p=0.5

<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.4&utms=1&utmn=1091193641&utmhn=dms.bamilo.com&utmcs=utf-8&utmsr=1276x846&utmvp=120x240&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=LG G3 فروش ویژه گوشی موبایل&utmhid=1197633715&utmr=0&utmp=/dm/www/delivery/afr.php?refresh=240&zoneid=45&cb=%7Brandom%7D&ct0=%7Bclickurl_enc%7D&utmht=1428822174028&utmac=UA-59001586-1&utmcc=__utma=22938926.1400583208.1428822174.1428822174.1428822174.1;+__utmz=22938926.1428822174.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1993673938&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*
Referer: hXXp://dms.bamilo.com/dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc}
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Location: hXXps://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-59001586-1&cid=1400583208.1428822174&jid=1993673938&_v=5.6.4&z=1091193641
Access-Control-Allow-Origin: *
Date: Sun, 12 Apr 2015 07:02:54 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
Content-Type: text/html; charset=UTF-8
Server: Golfe2
Content-Length: 371
Alternate-Protocol: 80:quic,p=0.5
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-59001586-1&cid=1400583208.1428822174&jid=1993673938&_v=5.6.4&z=1091193641">here</A>...</BODY></HTML>

<<< skipped >>>

GET /newServing/getkey.php?cb=getkey&ob=Yesup.clicksor.Code[1]&nid=1&pid=90910&sid=571014&spid=&ns=0&nw=1&zone=0&url=http://openclose.ir/&lb=0&ext=0&oe=utf-8&t5889171&txt=openclose.ir | Laptop and Cellphone Online Shoppin HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.yu0123456.com
Connection: Keep-Alive
Cookie: TRUID=14288221702983; CKTIME=1428822170


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache/2.4.6 (Fedora)
X-Powered-By: PHP/5.5.7
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 490
Connection: close
Content-Type: application/x-javascript


GET /wp-content/plugins/wp-rss-multi-importer/css/colorbox.css?ver=4.1.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Sun, 18 Jan 2015 07:44:34 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1443
Connection: close
Content-Type: text/css

<<< skipped >>>

GET /wp-content/plugins/wp-rss-multi-importer/scripts/jquery.colorbox-min.js?ver=4.1.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: __utma=156787813.1380702222.1428822170.1428822170.1428822170.1; __utmb=156787813.0.10.1428822170; __utmc=156787813; __utmz=156787813.1428822170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ao_s=1


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Server: Apache
Last-Modified: Sun, 18 Jan 2015 07:44:34 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 4594
Connection: close
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/uploads/sites/16/2015/01/openclose.png HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.zamenhost.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:50 GMT
Server: Apache
Last-Modified: Tue, 13 Jan 2015 05:57:00 GMT
Accept-Ranges: bytes
Content-Length: 12510
Vary: User-Agent
Connection: close
Content-Type: image/png

<<< skipped >>>

GET /show.js HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Server: cloudflare-nginx
CF-RAY: 1d5d116b887c05c3-WAW
Content-Encoding: gzip



GET /show.js HTTP/1.1

Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:51 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Server: cloudflare-nginx
CF-RAY: 1d5d116c78ae05c3-WAW
Content-Encoding: gzip



GET /ads/show.php?a=4941420762090&width=336&height=280&slot=55921097173&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=336&height=280&slot=55921097173&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: profile=77521579; expires=Sat, 11-Jul-2015 07:02:52 GMT; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d117219aa05c3-WAW
Content-Encoding: gzip



GET /ads/show.php?a=4941420762090&width=120&height=240&slot=9338294385&flash=true&cook=true&loc=http://openclose.ir/&ref=false&tid=5f404da42786bb41 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://a.clickyab.com/ads/?a=4941420762090&width=120&height=240&slot=9338294385&domainname=openclose.ir&loc=http://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: a.clickyab.com
Connection: Keep-Alive
Cookie: __cfduid=debf519feb06d647c451d64f915be4ebf1428822171


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: profile=0; expires=Sat, 11-Jul-2015 07:02:52 GMT; path=/
Server: cloudflare-nginx
CF-RAY: 1d5d117369f305c3-WAW
Content-Encoding: gzip

<<< skipped >>>

GET /cdn-cgi/nexp/dok3v=7e13c32551/cloudflare.min.js HTTP/1.1
Accept: */*
Referer: hXXp://dms.bamilo.com/dm/www/delivery/afr.php?refresh=240&zoneid=45&cb={random}&ct0={clickurl_enc}
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.cloudflare.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 07:02:54 GMT
Content-Type: text/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d960955f42da6b74bdb266f4131637ea21428822174; expires=Mon, 11-Apr-16 07:02:54 GMT; path=/; domain=.cloudflare.com; HttpOnly
Last-Modified: Tue, 31 Mar 2015 22:28:06 GMT
Expires: Mon, 11 Apr 2016 07:02:54 GMT
Cache-Control: public, max-age=31536000
Server: cloudflare-nginx
CF-RAY: 1d5d117d745705cf-WAW
Content-Encoding: gzip

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Rundll32.exe_2020:

.rsrc
WgM[A V?V5%SM=
x=.UVY5@
a%SbeQ
advapi32.dll
RegOpenKeyExA
RegCloseKey
VBA6.DLL
RegCreateKeyA
shell32.dll
wininet.dll
ShellExecuteA
.text
.data
.tN@2NH
3333333330
3333330
333333333333330
.LjR=W
.Jbjx=
^_^\^_\^[__^^_^^__^^^^___^__^\_\\_^^^^\^^_[__^^__^_^__^^\[^^_^_^^_^\_^_^^\^\^[^[[__^\^^^\-
4444444
333333333333333
444444444
33333333333333
KERNEL32.DLL
MSVBVM60.DLL
]_L.xR
}..HNA
v'.PR
mFP%s
.ucB^
%Czq3
2007.04.30
Scripting.FileSystemObject
msng.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
Rundll32.exe
rundII32.exe
RundII32.exe
explorer.exe hXXp://VVV.OpenClose.ir
C:\~0002ftd.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
iexplore.exe*
firefox.exe*
explorer.exe

Rundll32.exe_2020_rwx_00401000_00022000:

advapi32.dll
RegOpenKeyExA
RegCloseKey
VBA6.DLL
RegCreateKeyA
shell32.dll
wininet.dll
ShellExecuteA
.text
.data
.rsrc
.tN@2NH
2007.04.30
Scripting.FileSystemObject
msng.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
Rundll32.exe
rundII32.exe
RundII32.exe
explorer.exe hXXp://VVV.OpenClose.ir
C:\~0002ftd.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
iexplore.exe*
firefox.exe*
explorer.exe

Rundll32.exe_2020_rwx_00436000_00001000:

KERNEL32.DLL
MSVBVM60.DLL

iexplore.exe_1536:

%?9-*09,*19}*09
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
hI%Æ
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_1536_rwx_00401000_00002000:

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
IExplorer.EXE
browseui.dll
shdocvw.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:172

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %System%\rundll32.exe (28498 bytes)
    C:\~0002ftd.tmp (37 bytes)
    %System%\rundII32.exe (50 bytes)
    %System%\msng.exe (28498 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
