Gen.Variant.Kazy.146618_a1c3adcb6e – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1156

Mutexes

The following mutexes were created/opened:

RasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexfolohadlobos

File activity

The process %original file name%.exe:1156 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@onebox[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hknetmail[1].txt (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (190 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4everdreams[1].htm (10 bytes)
%Documents and Settings%\%current user%\folohadlobos.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tampabay[1].txt (171 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\goldcockerelbooks.co[1].htm (79 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zdnetmail[1].htm (2225 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1156 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "43 E8 02 1B 34 4D 66 0C 25 3E 57 70 16 2F 48 61"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 D4 84 DE 40 D2 AB C9 1E 0D DC BC 0D 54 22 3B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"folohadloboszap" = "6D 13 2C 45 5E 77 90 36 4F 68 81 9A 40 59 72 8B"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"folohadlobos" = "%Documents and Settings%\%current user%\folohadlobos.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hknetmail[1].txt (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (190 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4everdreams[1].htm (10 bytes)
%Documents and Settings%\%current user%\folohadlobos.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tampabay[1].txt (171 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\goldcockerelbooks.co[1].htm (79 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zdnetmail[1].htm (2225 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"folohadlobos" = "%Documents and Settings%\%current user%\folohadlobos.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: tttttt Corporation
Product Name: HD Player
Product Version: 9.00.00.4503
Legal Copyright: (c) tttttt Corporation. All rights reserved.
Legal Trademarks:
Original Filename: migrate.exe
Internal Name: migrate.exe
File Version: 9.00.00.4503 (xpsp.080413-0845)
File Description: MLS Migrate DLL
Comments:
Language: Language Neutral

Company Name: tttttt CorporationProduct Name: HD Player Product Version: 9.00.00.4503Legal Copyright: (c) tttttt Corporation. All rights reserved.Legal Trademarks: Original Filename: migrate.exeInternal Name: migrate.exeFile Version: 9.00.00.4503 (xpsp.080413-0845)File Description: MLS Migrate DLLComments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	8123	8192	1.95528	bdf9ff571cb715841f3070eab9b48bd6
.rdata	12288	79294	79360	4.18728	2e28b00638373d261901f903a9b718bb
.data	94208	20156	20480	0.023306	b123c4225fd7ea8ee80aedde87c66661
.rdata2	114688	1000	1024	0	0f343b0931126a20f133d67c2b018a3b
.data3	118784	626	1024	2.41596	c09c50076d33f36b4c69df5193709373
.rsrc	122880	960	1024	2.18771	2e5d23bf9177dca909a71f49bd7d990c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://udel.edu/?ptrxcz_KMOQTVXZbdgikmprtwy02469BDFHJL
hxxp://bellsouth.com/	139.76.134.15
hxxp://mtv.com/	206.220.43.92
hxxp://jotmail.com/?ptrxcz_qsuwy02468ACEGILNPRTVXZbdfhjlo	64.4.6.233
hxxp://jotmail.com/?ptrxcz_qsuwz13579BEGIKMORTVXZbdgikmpr	64.4.6.233
hxxp://love.com/?ptrxcz_358ACEGILNPRTVXacegikoMOQRTVWY	64.12.79.57
hxxp://allstream.net/	207.245.244.133
hxxp://laposte.net/?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP
hxxp://talktalk.net/
hxxp://surewest.net/?ptrxcz_DFHJMOQSUWYacegjloqsuwy13579BD
hxxp://job-index.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL
hxxp://yahoo.com.au/?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG
hxxp://ministryofsound.net/?ptrxcz_XZcegikmprtvx02468ACEGILNPRTVX	185.26.230.129
hxxp://bodybuilders.com/	206.207.84.93
hxxp://goldcockerelbooks.co.uk/	76.73.3.122
hxxp://posten.se/	147.14.11.241
hxxp://onebox.com/
hxxp://sprintmail.com/	209.86.93.136
hxxp://sympatico.ca/?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578
hxxp://tahoo.com/?ptrxcz_TVYacegikmprtvxz1468ACEGIKMOQS	116.212.117.220
hxxp://start.no/?ptrxcz_Zbdfhkmprtvxz1368ACEGIKMORTVXZ	193.200.235.71
hxxp://zdnetmail.com/	216.239.120.238
hxxp://microtek.com/?ptrxcz_acegikoqsuwy02468ACEGIKMOQSUWY
hxxp://yahoo.gr/	77.238.184.150
hxxp://love.com/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl	64.12.79.57
hxxp://mtv.com/?ptrxcz_rtvxz1368ACEGIKMOQSUWYacegikmp	206.220.43.92
hxxp://actuslendlease.com/
hxxp://tampabay.com/	54.235.118.206
hxxp://tahoo.com/	116.212.117.220
hxxp://midway.edu/?ptrxcz_dfikmprtwy02479BDFHJMOQSUWYbdf
hxxp://sunolg.org/	178.79.190.156
hxxp://bailliegifford.com/?ptrxcz_oqsuwz13579BDFHKMOQSUWYacehjlo	80.75.68.131
hxxp://nifty.ne.jp/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY
hxxp://hknetmail.com/
hxxp://merck.com/?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf	155.91.16.2
hxxp://mchsi.com/	64.8.70.102
hxxp://crosspaths.net/	162.39.145.20
hxxp://jotmail.com/?ptrxcz_jmprtvy02468ADFHJLNQSUWYacfhjl	64.4.6.233
hxxp://dr.dk/	159.20.6.38
hxxp://ohiou.edu/?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ
hxxp://wa-net.com/?ptrxcz_VYbdgilpruwz1469CEHJMORTWZbegj	96.127.156.202
hxxp://aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
care2.com	63.146.170.87
frisurf.no	153.110.239.145
croeso.com	104.28.0.49
aol.com.com	54.201.82.69
pba.com	216.145.1.21
knology.net	64.29.151.81
bluewin.com	195.186.196.90
starpower.net	207.172.157.182
virginia.edu	128.143.22.36
yahoo.com.hk	77.238.184.150
roadrunner.com	24.28.199.168
ig.com.br	54.208.23.82
atkearney.com	4.26.46.40
zdnetonebox.com	216.239.120.238
cablelan.net	50.21.229.37
entel.cl	200.12.171.52
tellmeimcute.com	176.74.176.186
markbrent.com	50.63.127.1
arcor.de	151.189.21.100
idealcollectables.com	205.178.189.131
kazza.com	141.8.224.245
redlands.edu	206.208.133.173
avinalarf.co.uk	104.28.13.49
tartarus.uwa.edu.au	130.95.128.3

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 147

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: laposte.net

Connection: Keep-Alive

Cache-Control: no-cache

..&.OD".\2....}..r...VUGfT.G..

v..}qY`.k0Y.gl...`$....7.3.Q........d..^..~\I..........s$.##..X.^...n...........^....~...r.....uG=......)v..u.

HTTP/1.1 301 Moved Permanently

Location: hXXp://VVV.laposte.net/?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP

Content-Length: 0

Accept-Ranges: bytes

Date: Thu, 12 Mar 2015 07:28:26 GMT

X-Varnish: 3386012683

Age: 0

Via: 1.1 varnish

X-Cache: MISS

HTTP/1.1 301 Moved Permanently..Location: hXXp://VVV.laposte.net/?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP..Content-Length: 0..Accept-Ranges: bytes..Date: Thu, 12 Mar 2015 07:28:26 GMT..X-Varnish: 3386012683..Age: 0..Via: 1.1 varnish..X-Cache: MISS..

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 131

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: bellsouth.com

Connection: Keep-Alive

Cache-Control: no-cache

hn...:........,..8F...y.............8.*.R.]._.w.y........e....(...[..c......M...Rb.l.@.V}.vp`...,...%.w...w.?....>..c.x')..&...<..

HTTP/1.1 301 Moved Permanently

Server: Sun-ONE-Web-Server/6.1

Date: Thu, 12 Mar 2015 07:28:26 GMT

Content-length: 0

Content-type: text/html

Location: hXXp://VVV.att.com

HTTP/1.1 301 Moved Permanently..Server: Sun-ONE-Web-Server/6.1..Date: Thu, 12 Mar 2015 07:28:26 GMT..Content-length: 0..Content-type: text/html..Location: hXXp://VVV.att.com..

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 202

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: posten.se

Connection: Keep-Alive

Cache-Control: no-cache

%q ..;...k..P.h..2M.-c..........e.y...

5U.........`.X..=.J.!..w......u.i."oN.u.........'......`F......'n...h.M.'..Y..}.........{...k...O.ju......:.. ..c

7."...#...#B..$...%..?&.

'...'J..(.Pl)'.7*..

HTTP/1.1 400 Bad Request

content-length: 1389

content-type: text/html

date: Thu, 12 Mar 2015 07:33:40 GMT

p3p: CP="NON CUR OTPi OUR NOR UNI"

server: WebSEAL/6.1.1.5 (Build 120405)

pragma: no-cache

cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">......<html>.<head>.<meta http-equiv="Content-Type" content= "text/html; charset=UTF-8">..<title>Bad Request</title>.</head>.<body bgcolor="#FFFFFF">..<img src="/pics/amlogo.gif" . width=100% . height="75" . border="0". alt= "Access Manager for e-business Home">...<h1><font color="#FF0000">Bad Request</font></h1>..<p>.The Access Manager WebSEAL server received an invalid HTTP request...<BR><BR><BR>...<H4>Explanation</H4>.Possible causes for this message include:.<UL>.<LI>Incapatibility between the browser and the server..<LI>A problem with the browser..</UL>..<BR><BR><BR>...<H4>Solutions</H4>.<P>Contact your IBM Support Representative..</

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 184

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: tahoo.com

Connection: Keep-Alive

Cache-Control: no-cache

n...>9z.5.\.........R...K...F1......l..kgs.U.<.?........Ne..Ga..t*...........l..\......I.?i@I....'.R..n.iKph...-.`.8..xn.W.J@:..9...f....b......R....

.Fnf..]...:g....`..'\.........

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 15:16:55 GMT

Server: Apache/2.2.3 (CentOS)

X-Powered-By: PHP/5.2.17

Location: hXXp://VVV.99ff.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html;charset=gb2312

POST /?ptrxcz_KMOQTVXZbdgikmprtwy02469BDFHJL HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 246

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: udel.edu

Connection: Keep-Alive

Cache-Control: no-cache

..b%G. X:....~!..~G&.....a...B....`.....l..N}.'......*(.Cv(...(.;.....))tA)...).r.).>.)......X*...*Q.i.%.....-.8>-J$..7. ..",.......,......Z.1fI-#..........-.../..P....2.....-..$6......D../...%..R..h30..........2&$.x....&\....|.....1.T/25.....

HTTP/1.1 413 Request Entity Too Large

Date: Thu, 12 Mar 2015 07:28:26 GMT

Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8i

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>413 Request Entity Too Large</title>.</head><body>.<h1>Request Entity Too Large</h1>.The requested resource<br />/<br />.does not allow request data with POST requests, or the amount of data provided in.the request exceeds the capacity limit..<p>Additionally, a 413 Request Entity Too Large.error was encountered while trying to use an ErrorDocument to handle the request.</p>.<hr>.<address>Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8i Server at udel.edu Port 80</address>.</body></html>...

POST /?ptrxcz_acegikoqsuwy02468ACEGIKMOQSUWY HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 199

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: microtek.com

Connection: Keep-Alive

Cache-Control: no-cache

.....J`.Q..............Pd...,....2.e.........D.m....w...qU.....E.6...........`.@T....'.|..[Lx...@9...._s6.`..$.{,|.R..dG...........d.........M.p9..&.G.........H.r..T......jJ.......K.e.{..k...e\....

HTTP/1.1 302 Found

Date: Sun, 22 Mar 2015 09:44:13 GMT

Server: Apache/2.0.52 (Red Hat)

X-Powered-By: PHP/4.3.9

location: hXXp://ww7.microtek.com.tw

Content-Length: 0

Connection: close

Content-Type: text/html; charset=iso-8859-1

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 152

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: mchsi.com

Connection: Keep-Alive

Cache-Control: no-cache

Pz....R.,..n.;.oXl...M..T......s.R..<|.swQfv..\.V.Hx..?.T}V..}T.^.@|.rP.M.5...3.t.1.....U..|..*.Z.(.&...b....2........m.f....w..K"..

F.......J......

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 12 Mar 2015 07:28:37 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 245

Connection: keep-alive

Vary: Accept-Encoding

Accept-Ranges: bytes

X-Varnish: 1576525939

Age: 0

Via: 1.1 varnish

<?xml version="1.0" encoding="utf-8"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN". "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head><title></title></head>.<body></body>.</html>.HTTP/1.1 200 OK..Server: nginx..Date: Thu, 12 Mar 2015 07:28:37 GMT..Content-Type: text/html; charset=utf-8..Content-Length: 245..Connection: keep-alive..Vary: Accept-Encoding..Accept-Ranges: bytes..X-Varnish: 1576525939..Age: 0..Via: 1.1 varnish..<?xml version="1.0" encoding="utf-8"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN". "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head><title></title></head>.<body></body>.</html>...

POST /?ptrxcz_TVYacegikmprtvxz1468ACEGIKMOQS HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 180

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: tahoo.com

Connection: Keep-Alive

Cache-Control: no-cache

..1..I....

.%8.'.)...(K..L#....?!..Na.....v^.......S..#.......................6............d...a......$...tkV.....g...(.\..~A..y[...$...^)zTt(kG...?,{{&-x...............,t.1....

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 15:16:51 GMT

Server: Apache/2.2.3 (CentOS)

X-Powered-By: PHP/5.2.17

Location: hXXp://VVV.99ff.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html;charset=gb2312

POST /?ptrxcz_Zbdfhkmprtvxz1368ACEGIKMORTVXZ HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 27

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: start.no

Connection: Keep-Alive

Cache-Control: no-cache

F..N.C.Oq.Q.o4R...SEf.T...

HTTP/1.1 405 Not allowed.

Server: Varnish

Content-Type: text/html; charset=utf-8

Content-Length: 473

Accept-Ranges: bytes

Date: Thu, 12 Mar 2015 07:28:28 GMT

X-Varnish: 2686377178

Age: 0

Via: 1.1 varnish

Connection: close

X-Varnish-Host: NOSTPX01

X-Cache: MISS

. <?xml version="1.0" encoding="utf-8"?>. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN". "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">. <html>. <head>. <title>405 Not allowed.</title>. </head>. <body>. <h1>Error 405 Not allowed.</h1>. <p>Not allowed.</p>. <h3>Guru Meditation:</h3>. <p>XID: 2686377178</p>. <hr>. <address>. <a href="hXXp://VVV.start.no/">Start Network AS</a>. </address>. </body>. </html>. ..

POST /?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 41

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: yahoo.com.au

Connection: Keep-Alive

Cache-Control: no-cache

!.6BU\.B...C.&NC...C.W.DL.~D...D..JE.Q.E.

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:26 GMT

Location: hXXp://au.yahoo.com/?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG

Cache-Control: private

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html; charset=utf-8

b9 ..The document has moved <A HREF="hXXp://au.yahoo.com/?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG">here</A>.<P>....0..

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 129

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: sprintmail.com

Connection: Keep-Alive

Cache-Control: no-cache

j.....>...-......H..U`...*P..;......R.....h..m......qd....u.6/A.,..

...l.o.!;._Q..........Z.5..F....\..(...;..;...sF.@.....[ .

HTTP/1.1 302 Found

Location: hXXp://VVV.earthlink.net/

Connection: close

POST /?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 80

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: aol.de

Connection: Keep-Alive

Cache-Control: no-cache

....N....C. R..!..."Im.#..c$3.a%.0F&.a.'.].(...(|..)...*f.. ...,j..-..h.T.f/..d0

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:30 GMT

Server: Apache

Location: hXXp://VVV.aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl

Content-Length: 264

Keep-Alive: timeout=15, max=9987

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl">here</a>.</p>.</body></html>.HTTP/1.1 301 Moved Permanently..Date: Thu, 12 Mar 2015 07:28:30 GMT..Server: Apache..Location: hXXp://VVV.aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl..Content-Length: 264..Keep-Alive: timeout=15, max=9987..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl">here</a>.</p>.</body></html>...

POST /?ptrxcz_358ACEGILNPRTVXacegikoMOQRTVWY HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 2

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: love.com

Connection: Keep-Alive

Cache-Control: no-cache

.q

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:26 GMT

Server: Apache

Location: hXXp://VVV.aol.com/

Content-Length: 227

Keep-Alive: timeout=15, max=9421

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.aol.com/">here</a>.</p>.</body></html>.HTTP/1.1 301 Moved Permanently..Date: Thu, 12 Mar 2015 07:28:26 GMT..Server: Apache..Location: hXXp://www.aol.com/..Content-Length: 227..Keep-Alive: timeout=15, max=9421..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.aol.com/">here</a>.</p>.</body></html>...

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 123

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: dr.dk

Connection: Keep-Alive

Cache-Control: no-cache

..c.5.a...E......1(.....

.[..........y.......c.....J.ZDb...F.7.......)*...Z..6W...S.

..^..|...z....

v.aM.......M@.d...

HTTP/1.1 301 Moved Permanently

Server: Varnish

Cache-Control: public,max-age=0

Location: hXXp://VVV.dr.dk/

X-Cacheable: REDIR:301

Accept-Ranges: bytes

Date: Thu, 12 Mar 2015 07:28:39 GMT

X-Varnish: 1668772977

Age: 0

Via: 1.1 varnish

Connection: close

X-Via: varnishol01.dr.dk (172.18.120.36:80)

X-Cache: MISS

X-WebEdge: 44

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 129

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: crosspaths.net

Connection: Keep-Alive

Cache-Control: no-cache

..X..9.._.d...eJ.......m.d...ij3......k...m5....A.ok....R.....G..t....]...1.....*.TW[....v\........tcy(v.zx!.........}z.z..1...

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:38 GMT

Server: IBM_HTTP_Server

Location: hXXp://VVV.windstream.net

Content-Length: 233

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.windstream.net">here</a>.</p>.</body></html>...

POST /?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 90

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: merck.com

Connection: Keep-Alive

Cache-Control: no-cache

.u...:..,...W...........@u..^:...1...(......1. ..v........D.8...p!T......w..P.x.sf....;...

HTTP/1.1 302 Found

Date: Thu, 12 Mar 2015 07:28:36 GMT

Server: Apache

Location: hXXp://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf

Content-Length: 253

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1

Set-Cookie: BIGipServerVVV.merck.com-HTTP=42078380.20480.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf">here</a>.</p>.</body></html>.HTTP/1.1 302 Found..Date: Thu, 12 Mar 2015 07:28:36 GMT..Server: Apache..Location: hXXp://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf..Content-Length: 253..Keep-Alive: timeout=15, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1..Set-Cookie: BIGipServerVVV.merck.com-HTTP=42078380.20480.0000; path=/..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="http://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf">here</a>.</p>.</body></html>...

POST /?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 212

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: ohiou.edu

Connection: Keep-Alive

Cache-Control: no-cache

.z../...5...,;.s.

...$...\:........M.E....I*..s..;.S!...$.W.&e.u).

,..k...21...3/.t6k....s.;..2>..p.......[K...MY8 ....QH.8To.\Y..GY>..[i.=^..7aN..c.w`f...hQ..k..6n...pT|.s..u.6.x#b.{...}.Nx.3F........N.)^..

HTTP/1.0 302 Found

Location: hXXp://VVV.ohio.edu/?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ

Server: BigIP

Connection: Keep-Alive

Content-Length: 0

HTTP/1.0 302 Found..Location: hXXp://VVV.ohio.edu/?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ..Server: BigIP..Connection: Keep-Alive..Content-Length: 0..

POST /?ptrxcz_VYbdgilpruwz1469CEHJMORTWZbegj HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 21

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: wa-net.com

Connection: Keep-Alive

Cache-Control: no-cache

!.A.....Yx..........-

HTTP/1.1 403 Forbidden

Date: Thu, 12 Mar 2015 07:28:38 GMT

Server: Apache/2.2.15 (CentOS)

Content-Length: 278

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>403 Forbidden</title>.</head><body>.<h1>Forbidden</h1>.<p>You don't have permission to access /.on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) Server at wa-net.com Port 80</address>.</body></html>...

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT

Accept-Ranges: bytes

ETag: "05934e1494dd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=6103

Date: Thu, 12 Mar 2015 07:28:25 GMT

Connection: keep-alive

X-CCC: IT

X-CID: 2

1401D04D49E16F8687....

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:36:45 GMT

Accept-Ranges: bytes

ETag: "804c50f7c94fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 49859

Cache-Control: max-age=4274

Date: Thu, 12 Mar 2015 07:28:25 GMT

Connection: keep-alive

X-CCC: IT

X-CID: 2

MSCF............,...................I.......#.........WFw. .authroot.stl.....08..CK...<.......m..dK.......D.d'....fW...RJe.).."...n.Ie.,E.RH...L....\...z.^...p.<g.9...~...=.d/.. ...H....8f|&x.N.d..p(....(....g.@ga0..4...E(.p`d. .....D.....g%.j..w.DF..GW .....*.@6....#.8....v..=T..^.G.G.!.A........_...r..3n...G.g\_.r.....Au..sw.3.....G.f. ..0..0.^.R".K|.....y...l..1.......t.(...0Y......4.,......x..ENY.`d..O.....!..9A~....^...H.2.-.jK.r.....m.q.....5.@.r...@....A.B.....e...x.).|.H...A.[.Q. D`.}YQvx.B`b.=....,X...-.5S..N..=x.....C.Mj^.H....5b...5........I...`..... ..l.n.:.....j...u2gA.hx.`%K.bw...\!o.........R....=..*...w..J....q.?^.PuA..W...>.._..O......9|.../......m.E.u.d...J2.U.e?....}h.S.zC^...<.c)...^c.b}.2..'X567.!.h. ......5.......S*.z%..%..e...R...C#p..k.[...3...jI.<.Z.GX.u.- ....ut{.&>...:.......f...f.)y.....5.../R.b.......r.!.4.-a.....!...P......Q'7.0.%[.~m_..v....;..:.X..~...,.......O....u|T.L....w....)5.bBs..W..r..u.......W......'G......y...h.. %. z?..............f.Nx./c...R...`..y.>....'......l=.O..#......... ..P..Q.......3.............M......%...v.:(...u..zU......G_.<ue...F.....6Xo......P.......@L#........4<....K.g:...3o.N..:..zb...5..,.5...C... .4..`Q0.....$9./.$1....WL)$.0F......^..k..D.*.#.L3. (}.,,.kd.<W.....[,.....Y.n.b.....4.Y)...c.g..`.y.........X..I? '.{Cb.GDh.d..F..2B...sT.^..!.L..}.P....C...?.......~.....d....5.j...1.y9^_K..g..pX.......^z.e)....yc......?..o...e......KJ..H.O..m......B27....?.~m ..xt...c...@b..S.......a(....f1...h.0.u4..(.........2b`....]..H.Ja..

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 203

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: talktalk.net

Connection: Keep-Alive

Cache-Control: no-cache

.5.?...@2fg@f..@..KA...A..0BP .B...B..zC.Y.C-.EDa..D.".E. .

..E>Q[F.O.F..?G,..GK~$H...H......n

E.I

....0..".L..8M..j.r.hL.<.L...P.k.M4i.Nh.~N...N.1IO.0.OE.-Py`.P...P..^Q/..Qc.\R.%.R..'S.U.S3..St.qT...

HTTP/1.1 302 Object moved

Location: hXXp://VVV.talktalk.co.uk

Connection: close

POST /?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 51

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: job-index.ch

Connection: Keep-Alive

Cache-Control: no-cache

PB......H..!..:":o..^..a..yafe.#.....U7#4.G%.h...*.

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:26 GMT

Server: Apache

Location: hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL

Cache-Control: max-age=1

Expires: Thu, 12 Mar 2015 07:28:27 GMT

Content-Length: 330

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL">here</a>.</p>.<hr>.<address>Apache Server at job-index.ch Port 80</address>.</body></html>.HTTP/1.1 301 Moved Permanently..Date: Thu, 12 Mar 2015 07:28:26 GMT..Server: Apache..Location: hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL..Cache-Control: max-age=1..Expires: Thu, 12 Mar 2015 07:28:27 GMT..Content-Length: 330..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL">here</a>.</p>.<hr>.<address>Apache Server at job-index.ch Port 80</address>.</body></html>...

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 203

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: onebox.com

Connection: Keep-Alive

Cache-Control: no-cache

z.I..3...2a.J0....x.....'...u[(..Y...W&.E.....=.......;.c.....l..}..3.....5..D..3.3.....Z.I....=.{....K..$L.I..!.x....M....C.s..*h..(..-.<.n....UT

...X.....6..M..5.4..I....e..F..S.c.......a.0q..~....m.

HTTP/1.1 302 Object moved

Date: Thu, 12 Mar 2015 07:28:38 GMT

Server: Microsoft-IIS/6.0

X-UA-Compatible: IE=EmulateIE7

X-Powered-By: ASP.NET

Pragma: no-cache

Location: hXXp://VVV.onebox.com/oneboxlogin.asp

Content-Length: 158

Content-Type: text/html

Expires: Thu, 12 Mar 2015 07:27:38 GMT

Set-Cookie: xpcook=o9Gjoc8PxanwsxIK74Lvqkzsu4/M4DZ7; expires=Fri, 01-Jan-2016 05:00:00 GMT; path=/

Set-Cookie: ASPSESSIONIDCSCTCRTT=GAKJCJJACOBFBBCIOFIKIOAH; path=/

Cache-control: no-cache

Set-Cookie: oneboxwb=ffffffff0989118145525d5f4f58455e445a4a423660;expires=Thu, 12-Mar-2015 07:33:38 GMT;path=/;httponly

<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://VVV.onebox.com/oneboxlogin.asp">here</a>.</body>.HTTP/1.1 302 Object moved..Date: Thu, 12 Mar 2015 07:28:38 GMT..Server: Microsoft-IIS/6.0..X-UA-Compatible: IE=EmulateIE7..X-Powered-By: ASP.NET..Pragma: no-cache..Location: hXXp://VVV.onebox.com/oneboxlogin.asp..Content-Length: 158..Content-Type: text/html..Expires: Thu, 12 Mar 2015 07:27:38 GMT..Set-Cookie: xpcook=o9Gjoc8PxanwsxIK74Lvqkzsu4/M4DZ7; expires=Fri, 01-Jan-2016 05:00:00 GMT; path=/..Set-Cookie: ASPSESSIONIDCSCTCRTT=GAKJCJJACOBFBBCIOFIKIOAH; path=/..Cache-control: no-cache..Set-Cookie: oneboxwb=ffffffff0989118145525d5f4f58455e445a4a423660;expires=Thu, 12-Mar-2015 07:33:38 GMT;path=/;httponly..<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="http://VVV.onebox.com/oneboxlogin.asp">here</a>.</body>...

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 200

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: tampabay.com

Connection: Keep-Alive

Cache-Control: no-cache

.d..sa....P...N.:U......>N{.....iy......z....;...7..'.......E.M..'e.V$c......O..&L......!.hd.s..6p.....go..h..'.6....c.k..y...w...d.\.......JF......h....m....2..3J.k....R...N...K....8.6vO..rM.G.d..7|.

HTTP/1.1 301 Moved Permanently

Accept-Ranges: bytes

Age: 0

Content-Type: text/html; charset=iso-8859-1

Date: Thu, 12 Mar 2015 07:28:31 GMT

Location: hXXp://VVV.tampabay.com/

Server: nginx/1.6.2

Set-Cookie: TPC=Ci4rJFUBQB9dzF4GBIr1Ag==; expires=Thu, 12-Mar-15 08:28:31 GMT; domain=tampabay.com; path=/

Via: 1.1 varnish

X-Cache: MISS

X-Cacheable: NO CACHE: POST request

X-Served-By: livesite-prd-varnish-2.localdomain

X-Varnish: 1322858855

Content-Length: 232

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.tampabay.com/">here</a>.</p>.</body></html>.HTTP/1.1 301 Moved Permanently..Accept-Ranges: bytes..Age: 0..Content-Type: text/html; charset=iso-8859-1..Date: Thu, 12 Mar 2015 07:28:31 GMT..Location: hXXp://VVV.tampabay.com/..Server: nginx/1.6.2..Set-Cookie: TPC=Ci4rJFUBQB9dzF4GBIr1Ag==; expires=Thu, 12-Mar-15 08:28:31 GMT; domain=tampabay.com; path=/..Via: 1.1 varnish..X-Cache: MISS..X-Cacheable: NO CACHE: POST request..X-Served-By: livesite-prd-varnish-2.localdomain..X-Varnish: 1322858855..Content-Length: 232..Connection: keep-alive..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.tampabay.com/">here</a>.</p>.</body></html>...

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 8

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: hknetmail.com

Connection: Keep-Alive

Cache-Control: no-cache

..*...&.

HTTP/1.1 302 Found

Cache-Control: private

Content-Length: 310

Content-Type: text/html; charset=utf-8

Location: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

p3p: CP="CAO PSA OUR"

Set-Cookie: SessionID=1aa95ea7-505a-496c-9960-63c7a2769197; path=/

Set-Cookie: VisitorID=59f14903-41a5-478e-8c2e-c4ca6eb2af2d&Exp=3/12/2018 12:28:37 AM; expires=Mon, 12-Mar-2018 07:28:37 GMT; path=/

X-Powered-By: ASP.NET

Date: Thu, 12 Mar 2015 07:28:37 GMT

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Length: 310..Content-Type: text/html; charset=utf-8..Location: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211..Server: Microsoft-IIS/7.5..X-AspNet-Version: 4.0.30319..p3p: CP="CAO PSA OUR"..Set-Cookie: SessionID=1aa95ea7-505a-496c-9960-63c7a2769197; path=/..Set-Cookie: VisitorID=59f14903-41a5-478e-8c2e-c4ca6eb2af2d&Exp=3/12/2018 12:28:37 AM; expires=Mon, 12-Mar-2018 07:28:37 GMT; path=/..X-Powered-By: ASP.NET..Date: Thu, 12 Mar 2015 07:28:37 GMT..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211">here</a>.</h2>..</body></html>....

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 31

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: goldcockerelbooks.co.uk

Connection: Keep-Alive

Cache-Control: no-cache

.'..:...!.8..f92..pj.x.h$y...

HTTP/1.1 200 OK

Date: Thu, 12 Mar 2015 07:28:27 GMT

Server: Apache

Last-Modified: Mon, 06 Oct 2014 14:36:36 GMT

Accept-Ranges: bytes

Content-Length: 79

Connection: close

Content-Type: text/html

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 152

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: actuslendlease.com

Connection: Keep-Alive

Cache-Control: no-cache

.P..o.`.?F...At..m=..h......B....%d.......^.h{..8...

........M.k...;Za.......t.........$..m.....g....?ri..s.,..l...]z.{l:......./.......W>.-.....

....

HTTP/1.0 301 Moved Permanently

Location: hXXp://VVV.actuslendlease.com/

Server: BigIP

Connection: Keep-Alive

Content-Length: 0

HTTP/1.0 301 Moved Permanently..Location: hXXp://VVV.actuslendlease.com/..Server: BigIP..Connection: Keep-Alive..Content-Length: 0..

POST /?ptrxcz_qsuwy02468ACEGILNPRTVXZbdfhjlo HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 130

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: jotmail.com

Connection: Keep-Alive

Cache-Control: no-cache

8!..R...l..... ..QS......O........7./.j.I...cL..}.....5...h..|...H..{..&GM.x...}........`..CK...~.4.B...u......>..-....>.......

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD

Server: Microsoft-IIS/8.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Thu, 12 Mar 2015 07:28:30 GMT

Content-Length: 169

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD..Server: Microsoft-IIS/8.5..X-AspNet-Version: 2.0.50727..X-Powered-By: ASP.NET..Date: Thu, 12 Mar 2015 07:28:30 GMT..Content-Length: 169..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>......

POST /?ptrxcz_jmprtvy02468ADFHJLNQSUWYacfhjl HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 105

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: jotmail.com

Connection: Keep-Alive

Cache-Control: no-cache

=..rmy..7 ...........@.F........[o.W&!........h.6..... ....Je.....<.....?..4..^d....n..G.xf....Y..tQ.z.

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD

Server: Microsoft-IIS/8.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Thu, 12 Mar 2015 07:28:42 GMT

Content-Length: 169

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD..Server: Microsoft-IIS/8.5..X-AspNet-Version: 2.0.50727..X-Powered-By: ASP.NET..Date: Thu, 12 Mar 2015 07:28:42 GMT..Content-Length: 169..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>....

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 162

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: zdnetmail.com

Connection: Keep-Alive

Cache-Control: no-cache

/........C.Z.XQ[.>\......P....._a....~x`..:cp.2...ie.M..k|.....

..i..$...<.y.l......`....Ck.%..3.-..~.np..p....D.r..G=s.o..C.....j...L....~.t.~5...aP....3..~>..G

HTTP/1.1 200 OK

Date: Thu, 12 Mar 2015 07:28:29 GMT

Server: Apache

Expires: Thu Mar 12 07:33:29 2015 GMT

Cache-Control: private, max-age=300, must-revalidate

P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="hXXp://VVV.cnet.com/w3c/p3p.xml"

Keep-Alive: timeout=300, max=976

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html; charset=utf-8

23e0..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html><head>.<script>window.location="hXXp://search.com/search"</script>.<style><!--.img {. border: 0;. }..ol, ul {..list-style-image:none;..list-style-position:outside;..list-style-type:none;..}..body {..background-color:#FFFFFF;..font-family:arial,helvetica,verdana,sans-serif;..font-size:13px;..}..a {..color:navy;..text-decoration:underline;..}..#header h1 {..font-size: 150%;..padding-bottom: 10px;..color: #333;..}..#header .searchbox {..float:left;..}..#header .searchbox .q {..width:300px;..}..#header #wrap {..float: left;..margin: 8px;..width:750px;..padding-bottom: 15px;..border-bottom: 1px solid #999;..}...query {..float:left;..}..#results_wrap {..float:left;..width:100%;..}..#results {..margin:0pt;..padding:0pt;..}..#results h3 {..color:#555555;..font-size:13px;..margin:10px 0px;..}..#header b {..color:#555555;..font-size:13px;..}..#results #dmoz_wrap {..padding-bottom: 18px;..border-bottom: 1px solid #777;..width:750px;. margin: 0 0 0 8px;..}..#results #dmoz {..border:0pt none;..font-size:11px;..width: 100%;..margin: 0 0 0 10px;..}..#results #dmoz b {..font-size:13px;..}..#results #dmoz td {..padding:5px 5px 5px 0;..}..#results #services_wrap {..width:750px;..margin: 0 0 0 8px;..padding-top: 8px;..}..#services {..margin: 0 0 0 10px;..width: 750px;..}..#services td {..padding:5px 5px 5px

<<< skipped >>>

POST /?ptrxcz_dfikmprtwy02479BDFHJMOQSUWYbdf HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 11

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: midway.edu

Connection: Keep-Alive

Cache-Control: no-cache

A. ..XQ..S.

HTTP/1.1 403 Forbidden

Date: Thu, 12 Mar 2015 07:28:32 GMT

Server: Apache

Vary: Accept-Encoding

Content-Length: 333

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>403 Forbidden</title>.</head><body>.<h1>Forbidden</h1>.<p>You don't have permission to access /.on this server.</p>.<p>Additionally, a 500 Internal Server Error.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 230

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: mtv.com

Connection: Keep-Alive

Cache-Control: no-cache

.z.. ...l........AN.....<r..

.......:J....@k..t.{......._..2..^0D......`..2.t.Q....)@...6:.Y....p...g;...;.5.......W.=^.....j.......6. ...TH....f..x....2.$...e....?|......pG.5...v.,......6....\.Fg..z.'....../..#.r.W....^=.......

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:26 GMT

Server: Apache/2.2.23 (Unix)

Location: hXXp://VVV.mtv.com/

Content-Length: 298

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.mtv.com/">here</a>.</p>.<hr>.<address>Apache/2.2.23 (Unix) Server at mtv.com Port 80</address>.</body></html>...

POST /?ptrxcz_qsuwz13579BEGIKMORTVXZbdgikmpr HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 63

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: jotmail.com

Connection: Keep-Alive

Cache-Control: no-cache

v.Q...R.:........d6...j..........oM.....<....c..XY.......*e....

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD

Server: Microsoft-IIS/8.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Thu, 12 Mar 2015 07:28:26 GMT

Content-Length: 169

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD..Server: Microsoft-IIS/8.5..X-AspNet-Version: 2.0.50727..X-Powered-By: ASP.NET..Date: Thu, 12 Mar 2015 07:28:26 GMT..Content-Length: 169..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>....

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 241

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: yahoo.gr

Connection: Keep-Alive

Cache-Control: no-cache

...@Ay>A..#B...B

.C.:kD/..E...E...FMd2G...G...Hx.zI..EJ;..J...K...Lf.?M.

Nn..N.znO..9PT......Q.phR.....6.."..Ve.IW....{..V...W..1[..@Y...YA..Z..o[..!\l..\.{.]/.i^^..b..yc!.*d|..d...eL.rf..$g...gj..h..Si P.j...j.J.kK{Ml...m...mi@|n.pGo,;.o.

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:29 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Set-Cookie: BX=eouc0qlag2g0t&b=3&s=61; expires=Sun, 12-Mar-2017 07:28:29 GMT; path=/; domain=.yahoo.gr

Cache-Control: max-age=3600, private

Location: hXXp://gr.yahoo.com/

Vary: Accept-Encoding

Content-Length: 62

Content-Type: text/html; charset=UTF-8

Age: 0

Connection: keep-alive

Server: ATS/4.0.2

..HTTP/1.1 301 Moved Permanently..Date: Thu, 12 Mar 2015 07:28:29 GMT..P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"..Set-Cookie: BX=eouc0qlag2g0t&b=3&s=61; expires=Sun, 12-Mar-2017 07:28:29 GMT; path=/; domain=.yahoo.gr..Cache-Control: max-age=3600, private..Location: hXXp://gr.yahoo.com/..Vary: Accept-Encoding..Content-Length: 62..Content-Type: text/html; charset=UTF-8..Age: 0..Connection: keep-alive..Server: ATS/4.0.2......

POST / HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 62

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: sprintmail.com

Connection: Keep-Alive

Cache-Control: no-cache

(7"*... .*.-..J/..-1...2V.@4@

6...7..69...:...<j.,>aP.@>..A..

HTTP/1.1 302 Found

Location: hXXp://VVV.earthlink.net/

Connection: close

POST /?ptrxcz_XZcegikmprtvx02468ACEGILNPRTVX HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 248

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: ministryofsound.net

Connection: Keep-Alive

Cache-Control: no-cache

..j.'h..u....03.....y.....H."...pXy.." .....g.[..O......^~>..H......bw:.....C...

...n......]....g..Q..Y.s.u.T.....'.E...v..Y(.>.... Y..

.9O....;.....0...~F......'uh.u....... nd.y....6....-.pe.../....).g....\Z.....^.....<.. ..b.....8.....Y....{..

HTTP/1.1 200 OK

Last-Modified: Wed, 07 Jun 2006 10:38:30 GMT

ETag: "e7a6b-f-4159ff7e7f580"

Vary: Accept-Encoding

Content-Type: text/html; charset=iso-8859-1

Server: NetNames

Transfer-Encoding: chunked

Date: Thu, 12 Mar 2015 07:28:26 GMT

Connection: keep-alive

00f..<HTML>.</HTML>...0..HTTP/1.1 200 OK..Last-Modified: Wed, 07 Jun 2006 10:38:30 GMT..ETag: "e7a6b-f-4159ff7e7f580"..Vary: Accept-Encoding..Content-Type: text/html; charset=iso-8859-1..Server: NetNames..Transfer-Encoding: chunked..Date: Thu, 12 Mar 2015 07:28:26 GMT..Connection: keep-alive..00f..<HTML>.</HTML>...0..

POST /?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 238

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: nifty.ne.jp

Connection: Keep-Alive

Cache-Control: no-cache

..S.......K..4...`

..X ....~7...L..=b.........\#..".......G. !@."%9.$.f.%X..'G..)K.. ,.r.=../,<.1.bM.N.b../.=...>.....l:A$.OC...G5..G#P*I...J B"M/;.O&..Q.a.R;&.U2..V)L.XG..[1>.\B..^.d.`0..bA".d8..fI..hM.j7:|l;3xn?,tpC%pra..tK.hvO.dx`o

HTTP/1.1 301 Moved Permanently

Date: Thu, 12 Mar 2015 07:28:33 GMT

Server: Apache

Location: hXXp://VVV.nifty.com/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY

Content-Length: 267

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.nifty.com/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY">here</a>.</p>.</body></html>...

POST /?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578 HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/octet-stream

Content-Length: 6

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: sympatico.ca

Connection: Keep-Alive

Cache-Control: no-cache

p....@

HTTP/1.1 301 Moved Permanently

Location: hXXp://VVV.sympatico.ca/?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578

Content-Length: 0

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1156_rwx_00860000_0000C000:

GetWindowsDirectoryA

kernel32.dll

msvcrt.dll

GetProcessHeap

hsu#%s

.ACl;.

.Wn.r

0obP0.aU

&ntL2ta@.me

cbL*elT<.bl>

aiM%te;%ux

W:\eF

d5.FSp

%original file name%.exe_1156_rwx_00880000_0000F000:

GetWindowsDirectoryA

kernel32.dll

msvcrt.dll

GetProcessHeap

hsu#%s

.ACl;.

.Wn.r

0obP0.aU

&ntL2ta@.me

cbL*elT<.bl>

aiM%te;%ux

W:\eF

d5.FSp

%original file name%.exe_1156_rwx_008B0000_0000F000:

.text

`.rdata

@.data

.reloc

SSh(S

software\microsoft\windows\currentversion\run

%s\%s.exe

Content-Length: %d

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

\system32\svchost.exe

hXXps://%s

software\microsoft\windows\currentversion

del %s

if exist %s goto :repeat

hXXp://%s

smtp.compuserve.com

mail.airmail.net

smtp.directcon.net

smtp.sbcglobal.yahoo.com

smtp.mail.yahoo.com

smtp.live.com

PSAPI.DLL

USERENV.dll

IPHLPAPI.DLL

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestA

InternetCrackUrlA

WININET.dll

WS2_32.dll

SHLWAPI.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

CryptImportKey

CryptDestroyKey

CryptExportKey

CryptGenKey

ADVAPI32.dll

ole32.dll

bEiO5\E.XD0]L;k]O

0risiko.de;4dmobil.at;4darabians.nl;4dbenelux.be;accords-bilateraux.ch;0kommanix.de;4e-energiezentrale.de;4effect.pl;4egolifestyle.de;4elementos.cl;4elementos.es;4elements.cz;4elements.gr;4elements.hu;4-elements.se;4emails.de;8wellesley.ca;8zaamarchitecten.nl;8zstabor.taborak.cz;4energia.ee;4entertainmentgroup.tv;4ernila.de;4e-solutions.ch;accounting.ee;0daymusic.biz;0handicap.at;4darabians.nl;4dbenelux.be;accords-bilateraux.ch;4e-energiezentrale.de;

%original file name%.exe_1156_rwx_01DA0000_00006000:

.text

`.rdata

@.data

.reloc

hXXp://%s/?ptrxcz_%s

hXXp://%s/

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: %d

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

WININET.dll

WS2_32.dll

SHLWAPI.dll

KERNEL32.dll

USER32.dll

ole32.dll

XNG7opotonline.net

accountant.com

brick.net

gmx.com

wagged.com

aol.de

stargate.net

starpower.net

orange.pl

ohiou.edu

zdnetonebox.com

jjay.cuny.edu

univision.com

fluor.com

zdnetmail.com

charter.com

hoymail.com

laposte.net

aon.at

wilbursmith.com

sympatico.ca

yahoo.gr

windstream.net

yahoo.com.au

cbunited.com

happemail.com

eznet.net

tampabay.com

kazza.com

metrocast.net

cytanet.com.cy

migente.com

frisurf.no

posten.se

dr.dk

24.com

markbrent.com

163.com

croeso.com

ntl.com

actuslendlease.com

rowdee.com

love.com

valornet.com

primusonline.com.au

otakumail.com

talktalk.net

mail.unomaha.edu

injersey.com

embarqmail.com

tartarus.uwa.edu.au

allstream.net

korea.com

mynet.com

tigers-net.com

redlands.edu

surewest.net

erre.net

clear.net.nz

bailliegifford.com

nmsu.edu

ig.com.br

mtv.com

the-wild-west.com

allstate.com

atkearney.com

catt.com

cocmast.net

crosspaths.net

metro.net

bluewin.com

models.com

excite.it

jotmail.com

schoolsports.com

windermere.com

genesys.com

cybertron.com

creighton.edu

sscomputing.com

hotmiail.com

american.edu

dsl.com

microtek.com

nsatel.net

yahoo.dk

world-net.co.nz

tahoo.com

hawaiiantel.net

bodybuilders.com

tellmeimcute.com

excite.co.jp

law.com

bassettfurniture.com

newparkdf.com

coastalnow.net

earthlink.net

kiva.net

cablelan.net

earthlink.com

sprintmail.com

madrid.com

ethansalwen.com

chickensys.com

bendcable.com

midway.edu

goldcockerelbooks.co.uk

blackplanet.com

mchsi.com

rcn.com

bellsouth.com

entel.cl

bluewin.ch

cableone.net

tvn.hu

nifty.ne.jp

eircom.net

knology.net

mweb.co.za

arcor.de

gm.com

briansmail.com

rediffmail.com

caramail.com

orst.edu

spin.com

onebox.com

iupui.edu

optonline.com

merck.com

jwu.edu

sify.com

q.com

carolina.com

cox.com

virginia.edu

ministryofsound.net

start.no

t-online.de

metallica.com

mzsg.at

roadrunner.com

tylerknott.com

iwon.com

aol.com.com

avinalarf.co.uk

gci.net

erzt.com

globalcrossing.com

rockford.edu

job-index.ch

yahoo.com.hk

txstate.edu

mailshell.com

waupacafoundry.com

evansville.net

pba.com

care2.com

ono.es

mountainmax.net

wa-net.com

genie.co.uk

sunolg.org

diamondcpu.com

hknetmail.com

grayfoot.mailshell.com

cablelynx.com

gallatinriver.net

robvivian.com

catech-systems.com

idealcollectables.com

colorado.edu

bigmir.net

udel.edu

o2.co.uk

yahoo.hk

infoseek.jp

webound.com

ciudad.com.ar

potamkinmitsubishi.com

backpacker.com

voicestream.com

0 0&0,02080

%original file name%.exe_1156_rwx_04000000_0000F000:

.text

`.rdata

@.data

.reloc

SSh(S

software\microsoft\windows\currentversion\run

%s\%s.exe

Content-Length: %d

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

\system32\svchost.exe

hXXps://%s

software\microsoft\windows\currentversion

del %s

if exist %s goto :repeat

hXXp://%s

smtp.compuserve.com

mail.airmail.net

smtp.directcon.net

smtp.sbcglobal.yahoo.com

smtp.mail.yahoo.com

smtp.live.com

PSAPI.DLL

USERENV.dll

IPHLPAPI.DLL

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestA

InternetCrackUrlA

WININET.dll

WS2_32.dll

SHLWAPI.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

CryptImportKey

CryptDestroyKey

CryptExportKey

CryptGenKey

ADVAPI32.dll

ole32.dll

hXXp://%s/?ptrxcz_%s

hXXp://%s/

XNG7opotonline.net

accountant.com

brick.net

gmx.com

wagged.com

aol.de

stargate.net

starpower.net

orange.pl

ohiou.edu

zdnetonebox.com

jjay.cuny.edu

univision.com

fluor.com

zdnetmail.com

charter.com

hoymail.com

laposte.net

aon.at

wilbursmith.com

sympatico.ca

yahoo.gr

windstream.net

yahoo.com.au

cbunited.com

happemail.com

eznet.net

tampabay.com

kazza.com

metrocast.net

cytanet.com.cy

migente.com

frisurf.no

posten.se

dr.dk

24.com

markbrent.com

163.com

croeso.com

ntl.com

actuslendlease.com

rowdee.com

love.com

valornet.com

primusonline.com.au

otakumail.com

talktalk.net

mail.unomaha.edu

injersey.com

embarqmail.com

tartarus.uwa.edu.au

allstream.net

korea.com

mynet.com

tigers-net.com

redlands.edu

surewest.net

erre.net

clear.net.nz

bailliegifford.com

nmsu.edu

ig.com.br

mtv.com

the-wild-west.com

allstate.com

atkearney.com

catt.com

cocmast.net

crosspaths.net

metro.net

bluewin.com

models.com

excite.it

jotmail.com

schoolsports.com

windermere.com

genesys.com

cybertron.com

creighton.edu

sscomputing.com

hotmiail.com

american.edu

dsl.com

microtek.com

nsatel.net

yahoo.dk

world-net.co.nz

tahoo.com

hawaiiantel.net

bodybuilders.com

tellmeimcute.com

excite.co.jp

law.com

bassettfurniture.com

newparkdf.com

coastalnow.net

earthlink.net

kiva.net

cablelan.net

earthlink.com

sprintmail.com

madrid.com

ethansalwen.com

chickensys.com

bendcable.com

midway.edu

goldcockerelbooks.co.uk

blackplanet.com

mchsi.com

rcn.com

bellsouth.com

entel.cl

bluewin.ch

cableone.net

tvn.hu

nifty.ne.jp

eircom.net

knology.net

mweb.co.za

arcor.de

gm.com

briansmail.com

rediffmail.com

caramail.com

orst.edu

spin.com

onebox.com

iupui.edu

optonline.com

merck.com

jwu.edu

sify.com

q.com

carolina.com

cox.com

virginia.edu

ministryofsound.net

start.no

t-online.de

metallica.com

mzsg.at

roadrunner.com

tylerknott.com

iwon.com

aol.com.com

avinalarf.co.uk

gci.net

erzt.com

globalcrossing.com

rockford.edu

job-index.ch

yahoo.com.hk

txstate.edu

mailshell.com

waupacafoundry.com

evansville.net

pba.com

care2.com

ono.es

mountainmax.net

wa-net.com

genie.co.uk

sunolg.org

diamondcpu.com

hknetmail.com

grayfoot.mailshell.com

cablelynx.com

gallatinriver.net

robvivian.com

catech-systems.com

idealcollectables.com

colorado.edu

bigmir.net

udel.edu

o2.co.uk

yahoo.hk

infoseek.jp

webound.com

ciudad.com.ar

potamkinmitsubishi.com

backpacker.com

voicestream.com

0 0&0,02080

opotonline.net;accountant.com;brick.net;gmx.com;wagged.com;aol.de;stargate.net;starpower.net;orange.pl;ohiou.edu;zdnetonebox.com;jjay.cuny.edu;univision.com;fluor.com;zdnetmail.com;charter.com;hoymail.com;laposte.net;aon.at;wilbursmith.com;sympatico.ca;yahoo.gr;windstream.net;yahoo.com.au;cbunited.com;happemail.com;eznet.net;tampabay.com;kazza.com;metrocast.net;cytanet.com.cy;migente.com;frisurf.no;posten.se;dr.dk;24.com;markbrent.com;163.com;croeso.com;ntl.com;actuslendlease.com;rowdee.com;love.com;valornet.com;primusonline.com.au;otakumail.com;talktalk.net;mail.unomaha.edu;injersey.com;embarqmail.com;tartarus.uwa.edu.au;allstream.net;korea.com;mynet.com;tigers-net.com;redlands.edu;surewest.net;erre.net;clear.net.nz;bailliegifford.com;nmsu.edu;ig.com.br;mtv.com;the-wild-west.com;allstate.com;atkearney.com;catt.com;cocmast.net;crosspaths.net;metro.net;bluewin.com;models.com;excite.it;jotmail.com;schoolsports.com;windermere.com;genesys.com;cybertron.com;creighton.edu;sscomputing.com;hotmiail.com;american.edu;dsl.com;microtek.com;nsatel.net;yahoo.dk;world-net.co.nz;tahoo.com;hawaiiantel.net;bodybuilders.com;tellmeimcute.com;excite.co.jp;law.com;bassettfurniture.com;newparkdf.com;coastalnow.net;earthlink.net;kiva.net;cablelan.net;earthlink.com;sprintmail.com;madrid.com;ethansalwen.com;chickensys.com;bendcable.com;midway.edu;goldcockerelbooks.co.uk;blackplanet.com;mchsi.com;rcn.com;bellsouth.com;entel.cl;bluewin.ch;cableone.net;tvn.hu;nifty.ne.jp;eircom.net;knology.net;mweb.co.za;arcor.de;gm.com;briansmail.com;rediffmail.com;caramail.com;orst.edu;spin.com;onebox.com;iupui.edu;optonline.com;merck.com;jwu.edu;sify.com;q.com;carolina.com;cox.com;virginia.edu;ministryofsound.net;start.no;t-online.de;metallica.com;ohiou.edu;mzsg.at;univision.com;fluor.com;roadrunner.com;hoymail.com;laposte.net;tylerknott.com;iwon.com;aol.com.com;avinalarf.co.uk;yahoo.com.au;gci.net;erzt.com;markbrent.com;globalcrossing.com;rockford.edu;job-index.ch;yahoo.com.hk;txstate.edu;valornet.com;mailshell.com;waupacafoundry.com;evansville.net;pba.com;tartarus.uwa.edu.au;care2.com;ono.es;mountainmax.net;wa-net.com;tigers-net.com;genie.co.uk;sunolg.org;diamondcpu.com;hknetmail.com;grayfoot.mailshell.com;cablelynx.com;bailliegifford.com;gallatinriver.net;robvivian.com;the-wild-west.com;allstate.com;catech-systems.com;idealcollectables.com;crosspaths.net;colorado.edu;bigmir.net;udel.edu;jotmail.com;o2.co.uk;yahoo.hk;cybertron.com;infoseek.jp;webound.com;american.edu;ciudad.com.ar;potamkinmitsubishi.com;backpacker.com;world-net.co.nz;voicestream.com;

4events.at;4everandever.de;4everevents.nl;4evermusic.pl;4evernet.de;4everweb.nl;4everyone.nl;4everyware.nl;9online.fr;9t6grafikdesign.de;7atable.be;accountingtechs.biz;0daymusic.biz;4dmobil.at;4dbabamozi.hu;4estates.eu;4etoiles.fr;4ever4you.de;4everdreams.nl;4everflashlight.de;

0risiko.de;4dmobil.at;4darabians.nl;4dbenelux.be;accords-bilateraux.ch;0kommanix.de;4e-energiezentrale.de;4effect.pl;4egolifestyle.de;4elementos.cl;4elementos.es;4elements.cz;4elements.gr;4elements.hu;4-elements.se;4emails.de;8wellesley.ca;8zaamarchitecten.nl;8zstabor.taborak.cz;4energia.ee;4entertainmentgroup.tv;4ernila.de;4e-solutions.ch;accounting.ee;0daymusic.biz;0handicap.at;4darabians.nl;4dbenelux.be;accords-bilateraux.ch;4e-energiezentrale.de;

%Documents and Settings%\%current user%\folohadlobos.exe

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps