Trojan.Win32.IEDummy_3231f14f72

by malwarelabrobot on May 21st, 2016 in Malware Descriptions.

Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 3231f14f7228912a6c119d6385047431
SHA1: ec239d5a92a2813a372d56e55fc5e0c462ad502e
SHA256: 1d01e3a1a30c4506122755df7bbd640289f6fcc90b607932341213a7f28c0b0e
SSDeep: 1536:PKkwsgFmQz3I2Cx0VCYG8L2wSrfJKz6t6cOrCtF8RfjSh3skpO5s2z:ydFLzbCGVF7SrUz/cOrCtF8Rfj68f5jz
Size: 77824 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: no certificate found
Created at: 2007-11-27 18:48:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:928

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 E4 46 2B A5 FB 18 4A 78 66 44 74 1C C8 B0 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"

"Yahoo Messenger"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: iSergiwa Software - www.sergiwa.com
Product Name: SRT - iSergiwa Software
Product Version: 2.00
Legal Copyright: All rights reserved
Legal Trademarks: Free for personal use ONLY!
Original Filename: SRT.exe
Internal Name: SRT
File Version: 2.00
File Description: A free tool to remove Sohanad virus and friends!
Comments: A free tool to remove Sohanad virus and friends!
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             63464         65536     4.60914  dbdb619d298278ef4ea91ad9d82ccc62
.data   69632            3096          4096      0        620f0b67a91f7f74151bc5be745b7110
.rsrc   73728            2392          4096      1.62887  49c874cbaebac12c5370c6f199b6d5e6

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=js&browserWidth=0&browserHeight=0&iframeDetected=false HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zd1.zeroredirect11.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'
redirected: JS
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 20 May 2016 04:20:19 GMT
Server: ZeroPark-Traffic
36a..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://track.trackbyme.info/zp-redirec
t?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4
&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5
-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-
4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=w
POJS4587E672CUS0RUM8J70&rt=R'">..</head>..<body>...<
script type="text/javascript">....window.location="hXXp://track.tra
ckbyme.info/zp-redirect?target=http://lzy9000.blueprint1.cpa.cli
cksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s
2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J
70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b
462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R";...</script>
..</body>.</html>..0..

<<< skipped >>>

GET /?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: lzy9000.blueprint1.cpa.clicksure.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.5.21
Cache-Control: no-cache
Location: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
P3P: policyref="hXXp://cpa.clicksure.com/w3c/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OUR SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: laravel_session=1b2e164e2738839563d1a71715084c94c656190e; expires=Fri, 20-May-2016 06:20:21 GMT; Max-Age=7200; path=/; domain=cpa.clicksure.com; httponly
Set-Cookie: campaign_lp_aff_8733603=00f0ba0efbf0ece132ad4117c7903afd01ddf3cd+2016-05-20; expires=Sat, 21-May-2016 04:20:21 GMT; Max-Age=86400; path=/; domain=cpa.clicksure.com; httponly
Set-Cookie: campaign_216183=85ae5b5d7ab7c5e53daee987bbc681b82a945ebc+{"click":1132560031,"tracked":[],"tracked_time":1463718021}; expires=Sun, 19-Jun-2016 04:20:21 GMT; Max-Age=2592000; path=/; domain=cpa.clicksure.com; httponly
X-Cacheable: NO:Not Cacheable
Content-Length: 5205
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 0
Connection: keep-alive
X-Cache: MISS
Via: WebCelerate

<<< skipped >>>

GET /nr-918.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js-agent.newrelic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: 6J/6rr52Hu9KiLf5QffVi3DYIBt9QCYHvjGmU7pQQlw2kn8qyqXj3Ko6PcfnW Kxeef2bJCR7 I=
x-amz-request-id: 6F1F1FD74C007491
Last-Modified: Mon, 28 Mar 2016 18:05:52 GMT
ETag: "07fddb3720b5e77e10d486281e40571d"
Content-Type: application/javascript
Server: AmazonS3
Content-Length: 22729
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:23 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-fra1239-FRA
X-Cache: HIT
X-Cache-Hits: 183
X-Timer: S1463718023.806905,VS0,VE0
Vary: Accept-Encoding
Cache-Control: public, max-age=3600

<<< skipped >>>

GET /search/tsc.php?&ses=1463718019f040e932a28694b67f42c5aa3fc6dac5&200=MjMxMDQyOTg1&21=MTk0LjI0Mi45Ni4yMTg=&681=MTQ2MzcxODAxOWYwNDBlOTMyYTI4Njk0YjY3ZjQyYzVhYTNmYzZkYWM1&682=&616=&crc=48ca082ccc3156ee64036354d684be64ce306b9d&cv=1 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://ww1.sergiwa.com/
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ww1.sergiwa.com
Connection: Keep-Alive
Cookie: tu=c6643c217733cb748736e5135c86d86c; NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660


HTTP/1.0 200 OK
Date: Fri, 20 May 2016 04:20:19 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from 440444
nnCoection: close
Connection: Keep-Alive
........................



GET /search/redirect.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA== HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ww1.sergiwa.com
Connection: Keep-Alive
Cookie: tu=c6643c217733cb748736e5135c86d86c; NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660


HTTP/1.0 302 Moved Temporarily
Date: Fri, 20 May 2016 04:20:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7 squeeze28
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 20 May 2016 04:20:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://ww1.sergiwa.com/search/tcerider.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA==
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html
X-Cache: MISS from 190779
Cneonction: close
Connection: Keep-Alive
........................



GET /search/tcerider.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA== HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ww1.sergiwa.com
Connection: Keep-Alive
Cookie: tu=c6643c217733cb748736e5135c86d86c; NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660


HTTP/1.0 302 Moved Temporarily
Date: Fri, 20 May 2016 04:20:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7 squeeze28
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 20 May 2016 04:20:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Content-Length: 185
Content-Type: text/html
X-Cache: MISS from 100825
Cneonction: close
Connection: Keep-Alive

<<< skipped >>>

GET /modules/mydownloads/singlefile.php?cid=2&lid=6 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: en.sergiwa.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Fri, 20 May 2016 04:20:18 GMT
Server: Apache/2.2.15 (Linux)
X-Powered-By: PHP/5.5.35
Location: hXXp://ww1.sergiwa.com
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
...


GET /zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zd1.november-lax.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 20 May 2016 04:20:19 GMT
Server: ZeroPark-Traffic
3ef..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://zd1.zeroredirect11.com/zcredire
ct?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=meta'">..</
head>..<body>...<script type="text/javascript">....setT
imeout(function () {.....var pageWidth = window.innerWidth ? window.in
nerWidth : (document.documentElement && document.documentElement.clien
tWidth ? document.documentElement.clientWidth : document.getElementsBy
TagName('body')[0].clientWidth);.....var pageHeight = window.innerHeig
ht ? window.innerHeight : (document.documentElement && document.docume
ntElement.clientHeight ? document.documentElement.clientHeight : docum
ent.getElementsByTagName('body')[0].clientHeight);.....var iframeDetec
ted = window.self !== window.top;.....window.location="hXXp://zd1.zero
redirect11.com/zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd
&type=js&browserWidth=" pageWidth "&browserHeight=" pageHeight "
&iframeDetected=" iframeDetected;....}, 1);...</script>..</
body>.</html>..0..


GET /1/4915dfb183?a=8404545&v=918.2e0ff1d&to=YgFaNUJTC0BYBkFdXFtLbRNZHRVBVghaGVxTAl0TH1sLV1wdG0RbRQ==&rst=2407&ap=53&fe=2219&dc=2219&f=["err","ins"]&at=TkZZQwpJGE4=&jsonp=NREUM.setToken HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bam.nr-data.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=a5ad3657d0b93b5a;Path=/;Domain=.nr-data.net
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 57
NREUM.setToken({'stn':0,'err':0,'ins':0,'cap':0,'spa':0})


GET /zp-redirect?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: track.trackbyme.info
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
Date: Fri, 20 May 2016 04:20:20 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: hXXp://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70
Pragma: no-cache
Server: Voluum-Traffic/1.0
Set-Cookie: 99737be6-2ea4-4523-be9f-85692b529ef9-v4=99737be6-2ea4-4523-be9f-85692b529ef9; Domain=track.trackbyme.info; Path=/; HttpOnly
Set-Cookie: voluum-cid-v4={
  "cid" : "wPOJS4587E672CUS0RUM8J70",
  "caid" : "99737be6-2ea4-4523-be9f-85692b529ef9"
}; Domain=track.trackbyme.info; Expires=Sat, 20-May-2017 04:20:20 GMT; Path=/; HttpOnly
X-Robots-Tag: noindex, nofollow
Content-Length: 0
Connection: keep-alive

<<< skipped >>>

GET /api/v1/funnel.min.js?v=1.1&product=millionairesblueprint HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: splitter.binarypromos.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 20 May 2016 04:20:22 GMT
Content-Type: application/javascript
Content-Length: 10294
Connection: keep-alive
Set-Cookie: __cfduid=d5232066c47f627b36d04e2389074ef8a1463718022; expires=Sat, 20-May-17 04:20:22 GMT; path=/; domain=.binarypromos.com; HttpOnly
Last-Modified: Mon, 21 Dec 2015 17:27:52 GMT
ETag: "8b40-5276bcf09ad7d-gzip"
Cache-Control: public, max-age=290304000
Expires: Fri, 01 Aug 2025 04:20:22 GMT
Content-Encoding: gzip
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 2a5cfeeb61e405b5-ARN

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ww1.sergiwa.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Date: Fri, 20 May 2016 04:20:18 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7 squeeze29
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 20 May 2016 04:20:18 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tu=c6643c217733cb748736e5135c86d86c; expires=Tue, 31-Dec-2019 23:00:00 GMT; path=/; domain=sergiwa.com; httponly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_KoCF4Mdr2JMnAS7DASaKopPFXXseO5fU xwzWvHGID7usWBQ9i8yO JspLiVfv5YIpOoVyGqVEzq6qrj5KVDOw==
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Content-Length: 2907
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from 891047
nnCoection: close
Connection: Keep-Alive
Set-Cookie: NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660;path=/;httponly

<<< skipped >>>

GET /js/jquery-1.4.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://ww1.sergiwa.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.sedoparking.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 20 May 2016 04:20:19 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-CFHash: "0d658c3f0a7efaa05a6fcee9758231b3"
Last-Modified: Mon, 18 Apr 2016 10:42:48 GMT
X-CF3: M
CF4Age: 0
CF4ttl: 31536000.000
X-CF2: H
Server: CFS 0213
X-CF1: 11696:fB.fra2:cf:cacheA.fra2-v:H
Content-Encoding: gzip

<<< skipped >>>

GET /promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Vary: Accept-Encoding
Set-Cookie: aff=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: clickID=1132560031; expires=Sun, 19-Jun-2016 04:20:38 GMT; path=/
Set-Cookie: clickId=1132560031; expires=Sun, 19-Jun-2016 04:20:38 GMT; path=/
Content-Encoding: gzip
X-Cacheable: YES
Content-Length: 7099
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 0
Connection: keep-alive
X-Cache: MISS

<<< skipped >>>

GET /promo-offer/css/styles.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 2156
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 6289
Connection: keep-alive
X-Cache: HIT
body {.    font-family: 'Helvetica', 'Arial', sans-serif;.    text-ali
gn: center;. line-height: 2em;. background-color: black;. col
or: white;.}.body h1 {. margin: 30px 0 0 0;. padding: 0;. lin
e-height: 1em;.}.body h1 strong {. color: red;.}.body h3 {. marg
in: 10px 0;. padding: 0;. line-height: 1em;.}.body h3 strong {.
font-size: 1.7em;. color: yellow;.}.body h5 {. margin: 0 0 10
px 0;. padding: 0;. font-size: 1em;. color: white;.}.body h4
{. font-size: 1.5em;. color: yellow;.}.body iframe.wistia_embed
{. width: 650px;. height: 365px;. margin: 0 auto;. border:
none;.}.body .form {. width: 40%;. margin: 10px auto;. paddi
ng: 10px;. background: #0f0f0f;. border-radius: 3px;. -moz-bo
rder-radius: 3px;. -webkit-border-radius: 3px;.}.body .form h4 {.
margin: 0;. padding: 10px;. color: #fff;.}.body .form form {.
display: block;.}.body .form form input {. width: 85%;. margi
n: 10px auto;. display: block;.}.body .form form input[type="text"]
{. padding: 10px;. border: 3px solid #000;. border-radius: 6
px;. -moz-border-radius: 6px;. -webkit-border-radius: 6px;. f
ont-size: 1.2em;. color: #000;.}.body .form form input[type="submit
"] {. width: 450px;. height: 98px;. display: block;. backg
round: url('../images/register_now_button.png') center no-repeat trans
parent;. border: 0;. box-shadow: none;. text-indent: -10000%;
.}.body .form form input[type="submit"]:hover {. cursor: pointe

<<< skipped >>>

GET /includes/bootstrap.min.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 122540
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 6301
Connection: keep-alive
X-Cache: HIT

<<< skipped >>>

GET /promo-offer/images/speaker.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 1816
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:22 GMT
Age: 6297
Connection: keep-alive
X-Cache: HIT

<<< skipped >>>

GET /promo-offer/js/video.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031; _ga=GA1.2.1661237672.1463718029; _gat=1


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-javascript
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 117730
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:23 GMT
Age: 6298
Connection: keep-alive
X-Cache: HIT

<<< skipped >>>

GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 20 May 2016 04:13:44 GMT
Expires: Fri, 20 May 2016 06:13:44 GMT
Last-Modified: Mon, 09 May 2016 22:17:11 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11491
Age: 398
Cache-Control: public, max-age=7200

<<< skipped >>>

GET /r/collect?v=1&_v=j43&a=599973280&t=pageview&_s=1&dl=http://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133&ul=en-us&de=utf-8&dt=FREE Access - Millionaire's Blueprint&sd=32-bit&sr=1276x846&vp=263x1320&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=457202612&cid=1661237672.1463718029&tid=UA-66137886-1&_r=1&z=1681974947 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 20 May 2016 04:20:22 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35


GET /promo-offer/css/video-js.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 27990
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 6301
Connection: keep-alive
X-Cache: HIT
/*!.Video.js Default Styles (hXXp://videojs.com).Version 4.12.5.Create
your own skin at hXXp://designer.videojs.com.*/./* SKIN.=============
===================================================================.Th
e main class name for all skin-specific styles. To make your own skin,
.replace all occurrences of 'vjs-default-skin' with a new name. Then a
dd your new.skin name to your video tag instead of the default skin..e
.g. <video class="video-js my-skin-name">.*/..vjs-default-skin {
. color: #cccccc;.}./* Custom Icon Font.-----------------------------
---------------------------------------------------.The control icons
are from a custom font. Each icon corresponds to a character.(e.g. "\e
001"). Font icons allow for easy scaling and coloring of icons..*/.@fo
nt-face {. font-family: 'VideoJS';. src: url('font/vjs.eot');. src:
url('font/vjs.eot?#iefix') format('embedded-opentype'), url('font/vjs
.woff') format('woff'), url('font/vjs.ttf') format('truetype'), url('f
ont/vjs.svg#icomoon') format('svg');. font-weight: normal;. font-sty
le: normal;.}./* Base UI Component Classes.---------------------------
-----------------------------------------------------.*/./* Slider - u
sed for Volume bar and Seek bar */..vjs-default-skin .vjs-slider {. /
* Replace browser focus highlight with handle highlight */. outline:
0;. position: relative;. cursor: pointer;. padding: 0;. /* backgro
und-color-with-alpha */. background-color: #333333;. background-colo
r: rgba(51, 51, 51, 0.9);.}..vjs-default-skin .vjs-slider:focus {.

<<< skipped >>>

GET /promo-offer/css/members.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 10570
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 6295
Connection: keep-alive
X-Cache: HIT
body {.    margin: 0;.    padding: 0 0 100px 0;.    font-family: 'Helv
etica', 'Arial', sans-serif;. font-weight: normal;. font-size: 1
4px;. line-height: 1.5em;. background-color: #000 !important;.
color: #fff !important;.}..body.funnel {. margin: 0;. font-fam
ily: 'Helvetica', 'Arial', sans-serif;. font-weight: normal;. fo
nt-size: 14px;. line-height: 1.5em;. background-color: #000 !imp
ortant;. color: #fff !important;. padding: 0 0 20px 0;.}...conta
iner {. max-width: 960px !important;. margin: 0 auto;. paddin
g: 0;. display: block;.}...container-form-alt {. max-width: 644p
x;. margin: 30px auto;. padding: 20px;. display: block;. b
order: 1px solid #d2d2d2;. border-radius: 6px;. -webkit-border-r
adius: 6px;. -moz-border-radius: 6px;. background: url('../image
s/arrow-bg.jpg') no-repeat;. background-color: #fff;. background
-position: 50% 85%;.}...header {. margin: 20px auto 10px auto;.
padding: 0 0 20px 0;. display: block;. background: url('../image
s/horizontal_rule.png') bottom center no-repeat transparent;.}...heade
r .left,..header .right {. width: 49%;. margin: 0;. padding:
0;. display: inline-block;. vertical-align: middle;.}...intro {.
display: block;.}...intro h1 {. font-weight: normal;. text-a
lign: center;. line-height: 1.2em;. font-size:26px;. margin:
0 0 10px 0;.}...intro h1 span {. font-weight: bold;. color: yell
ow;.}...video {. display: block;. margin-top: 15px;.}...vide

<<< skipped >>>

GET /promo-offer/css/font/vjs.eot? HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=5, must-revalidate
X-Cacheable: YES
Content-Length: 195
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:21 GMT
Age: 0
Connection: keep-alive
X-Cache: MISS



GET /fonts/glyphicons-halflings-regular.eot? HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=5, must-revalidate
X-Cacheable: YES
Content-Length: 195
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:22 GMT
Age: 0
Connection: keep-alive
X-Cache: MISS



GET /promo-offer/js/jquery-1.9.1.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-javascript
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 111588
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:22 GMT
Age: 6296
Connection: keep-alive
X-Cache: HIT

<<< skipped >>>

GET /includes/exit.js HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millionaires-blueprint.co
Connection: Keep-Alive
Cookie: clickID=1132560031; clickId=1132560031; _ga=GA1.2.1661237672.1463718029; _gat=1


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-javascript
Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT
Cache-Control: max-age=7200 public
reset-client-side-age: 1
X-Cacheable: YES
Content-Length: 784
Accept-Ranges: bytes
Date: Fri, 20 May 2016 04:20:23 GMT
Age: 6297
Connection: keep-alive
X-Cache: HIT

(function() {
    setTimeout(function() {
    var _tags = ['button', 'input', 'a', '.btn'], _els, _i, _i2;
    for(_i in _tags) {
        _els = document.getElementsByTagName(_tags[_i]);
        for(_i2 in _els) {
            if((_tags[_i] == 'input' && _els[_i2].type != 'button' && _els[_i2].type != 'submit' && _els[_i2].type != 'image') || _els[_i2].target == '_blank') continue;
            _els[_i2].onclick = function() {window.onbeforeunload = function(){};}
        }
    }

    window.onbeforeunload = function() {
        setTimeout(function() {
            window.onbeforeunload = function() {};
            setTimeout(function() {
                document.location.href = _exit_url;
            }, 500);
        },5);
        return _exit_message;
    }
    }, 500);
})();

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_928:

.text
`.data
.rsrc
ad:%C
R.eD/
Click to visit iSergiwa Software web site for more free tools
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\system32\MSVBVM60.DLL\3
VBA6.DLL
MSVBVM60.DLL
A*\AE:\1\DATA\MyTopSecret\MyVB\MyPubPros\SRT\SRT 2.0\SRT.vbp
WScript.Shell
\program files\Internet explorer\iexplore hXXp://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6
Software\Microsoft\Windows\CurrentVersion
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Explorer.exe
SSCVIIHOST.exe
blastclnnn.exe
autorun.ini
setting.ini
\program files\Internet explorer\iexplore hXXp://VVV.sergiwa.com
autorun.inf
VVV.sergiwa.com
@*\AE:\1\DATA\MyTopSecret\MyVB\MyPubPros\SRT\SRT 2.0\SRT.vbp
iSergiwa Software - VVV.sergiwa.com
SRT.exe

iexplore.exe_1460:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:928

  2. Delete the original Trojan file.
  3. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
