HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.146618 (B) (Emsisoft), Gen:Variant.Kazy.146618 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a1c3adcb6eb161412a113ab8a2acb4ad
SHA1: 0428cc7027591c3fd670c299eac5e7ec9023f1b7
SHA256: c34f9537ff60e6781439b3d52c120021c8e1ecfb726a2d10532c6b9589e81d32
SSDeep: 1536:aWPYkjtl3jcHrqnyVSD6wzAx5PG1EjUMWHQnYyz:ah6lg0R6Cc5PG JWHQn/
Size: 119112 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-14 08:26:30
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1156
Mutexes
The following mutexes were created/opened:
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
folohadlobos
File activity
The process %original file name%.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hknetmail[1].txt (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (190 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4everdreams[1].htm (10 bytes)
%Documents and Settings%\%current user%\folohadlobos.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tampabay[1].txt (171 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\goldcockerelbooks.co[1].htm (79 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zdnetmail[1].htm (2225 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "43 E8 02 1B 34 4D 66 0C 25 3E 57 70 16 2F 48 61"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 D4 84 DE 40 D2 AB C9 1E 0D DC BC 0D 54 22 3B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"folohadloboszap" = "6D 13 2C 45 5E 77 90 36 4F 68 81 9A 40 59 72 8B"
The Trojan modifies the IE security-zone settings to map all local web nodes whose names contain no dots and that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"folohadlobos" = "%Documents and Settings%\%current user%\folohadlobos.exe"
The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hknetmail[1].txt (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@onebox[1].txt (190 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4everdreams[1].htm (10 bytes)
%Documents and Settings%\%current user%\folohadlobos.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tampabay[1].txt (171 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\goldcockerelbooks.co[1].htm (79 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zdnetmail[1].htm (2225 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"folohadlobos" = "%Documents and Settings%\%current user%\folohadlobos.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: tttttt Corporation
Product Name: HD Player
Product Version: 9.00.00.4503
Legal Copyright: (c) tttttt Corporation. All rights reserved.
Legal Trademarks:
Original Filename: migrate.exe
Internal Name: migrate.exe
File Version: 9.00.00.4503 (xpsp.080413-0845)
File Description: MLS Migrate DLL
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 8123 | 8192 | 1.95528 | bdf9ff571cb715841f3070eab9b48bd6 |
.rdata | 12288 | 79294 | 79360 | 4.18728 | 2e28b00638373d261901f903a9b718bb |
.data | 94208 | 20156 | 20480 | 0.023306 | b123c4225fd7ea8ee80aedde87c66661 |
.rdata2 | 114688 | 1000 | 1024 | 0 | 0f343b0931126a20f133d67c2b018a3b |
.data3 | 118784 | 626 | 1024 | 2.41596 | c09c50076d33f36b4c69df5193709373 |
.rsrc | 122880 | 960 | 1024 | 2.18771 | 2e5d23bf9177dca909a71f49bd7d990c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 147
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: laposte.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Location: hXXp://VVV.laposte.net/?ptrxcz_PRTVXZbdgikmprtvy02468ACEGJLNP
Content-Length: 0
Accept-Ranges: bytes
Date: Thu, 12 Mar 2015 07:28:26 GMT
X-Varnish: 3386012683
Age: 0
Via: 1.1 varnish
X-Cache: MISS
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 131
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bellsouth.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 12 Mar 2015 07:28:26 GMT
Content-length: 0
Content-type: text/html
Location: hXXp://VVV.att.com
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 202
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: posten.se
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
content-length: 1389
content-type: text/html
date: Thu, 12 Mar 2015 07:33:40 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: WebSEAL/6.1.1.5 (Build 120405)
pragma: no-cache
cache-control: no-cache
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 184
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tahoo.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 15:16:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Location: hXXp://VVV.99ff.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html;charset=gb2312
POST /?ptrxcz_KMOQTVXZbdgikmprtwy02469BDFHJL HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 246
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: udel.edu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 413 Request Entity Too Large
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8i
Connection: close
Content-Type: text/html; charset=iso-8859-1
POST /?ptrxcz_acegikoqsuwy02468ACEGIKMOQSUWY HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 199
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: microtek.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Sun, 22 Mar 2015 09:44:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
location: hXXp://ww7.microtek.com.tw
Content-Length: 0
Connection: close
Content-Type: text/html; charset=iso-8859-1
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 152
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mchsi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Mar 2015 07:28:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 245
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
X-Varnish: 1576525939
Age: 0
Via: 1.1 varnish
POST /?ptrxcz_TVYacegikmprtvxz1468ACEGIKMOQS HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 180
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tahoo.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 15:16:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Location: hXXp://VVV.99ff.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html;charset=gb2312
POST /?ptrxcz_Zbdfhkmprtvxz1368ACEGIKMORTVXZ HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: start.no
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 405 Not allowed.
Server: Varnish
Content-Type: text/html; charset=utf-8
Content-Length: 473
Accept-Ranges: bytes
Date: Thu, 12 Mar 2015 07:28:28 GMT
X-Varnish: 2686377178
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Host: NOSTPX01
X-Cache: MISS
POST /?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 41
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yahoo.com.au
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Location: hXXp://au.yahoo.com/?ptrxcz_FIKMOQSUXZbdfhjloqtvxz1357ACEG
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 129
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sprintmail.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Location: hXXp://VVV.earthlink.net/
Connection: close
POST /?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: aol.de
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:30 GMT
Server: Apache
Location: hXXp://VVV.aol.de/?ptrxcz_ORT3579ACEFHJKMOPRTUWYZbdegijl
Content-Length: 264
Keep-Alive: timeout=15, max=9987
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST /?ptrxcz_358ACEGILNPRTVXacegikoMOQRTVWY HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: love.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache
Location: hXXp://VVV.aol.com/
Content-Length: 227
Keep-Alive: timeout=15, max=9421
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 123
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dr.dk
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: Varnish
Cache-Control: public,max-age=0
Location: hXXp://VVV.dr.dk/
X-Cacheable: REDIR:301
Accept-Ranges: bytes
Date: Thu, 12 Mar 2015 07:28:39 GMT
X-Varnish: 1668772977
Age: 0
Via: 1.1 varnish
Connection: close
X-Via: varnishol01.dr.dk (172.18.120.36:80)
X-Cache: MISS
X-WebEdge: 44
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 129
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: crosspaths.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:38 GMT
Server: IBM_HTTP_Server
Location: hXXp://VVV.windstream.net
Content-Length: 233
Connection: close
Content-Type: text/html; charset=iso-8859-1
POST /?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 90
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: merck.com
Connection: Keep-Alive
Cache-Control: no-cache
.u...:..,...W...........@u..^:...1...(......1. ..v........D.8...p!T......w..P.x.sf....;...
HTTP/1.1 302 Found
Date: Thu, 12 Mar 2015 07:28:36 GMT
Server: Apache
Location: hXXp://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf
Content-Length: 253
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: BIGipServerVVV.merck.com-HTTP=42078380.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://VVV.merck.com/index.html?ptrxcz_fhjlortvxz13579CEGIKMOQSUWZbdf">here</a>.</p>.</body></html>.
POST /?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 212
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ohiou.edu
Connection: Keep-Alive
Cache-Control: no-cache
.z../...5...,;.s.
...$...\:........M.E....I*..s..;.S!...$.W.&e.u).
,..k...21...3/.t6k....s.;..2>..p.......[K...MY8 ....QH.8To.\Y..GY>..[i.=^..7aN..c.w`f...hQ..k..6n...pT|.s..u.6.x#b.{...}.Nx.3F........N.)^..
HTTP/1.0 302 Found
Location: hXXp://VVV.ohio.edu/?ptrxcz_JLNPSUWYacegiloqsuwy03579BDFHJ
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
POST /?ptrxcz_VYbdgilpruwz1469CEHJMORTWZbegj HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 21
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: wa-net.com
Connection: Keep-Alive
Cache-Control: no-cache
!.A.....Yx..........-
HTTP/1.1 403 Forbidden
Date: Thu, 12 Mar 2015 07:28:38 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 278
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>403 Forbidden</title>.</head><body>.<h1>Forbidden</h1>.<p>You don't have permission to access /.on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) Server at wa-net.com Port 80</address>.</body></html>...
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=6103
Date: Thu, 12 Mar 2015 07:28:25 GMT
Connection: keep-alive
X-CCC: IT
X-CID: 2
1401D04D49E16F8687....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:36:45 GMT
Accept-Ranges: bytes
ETag: "804c50f7c94fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 49859
Cache-Control: max-age=4274
Date: Thu, 12 Mar 2015 07:28:25 GMT
Connection: keep-alive
X-CCC: IT
X-CID: 2
<<< skipped >>>
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 203
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: talktalk.net
Connection: Keep-Alive
Cache-Control: no-cache
.5.?...@2fg@f..@..KA...A..0BP .B...B..zC.Y.C-.EDa..D.".E. .
..E>Q[F.O.F..?G,..GK~$H...H......n
E.I
....0..".L..8M..j.r.hL.<.L...P.k.M4i.Nh.~N...N.1IO.0.OE.-Py`.P...P..^Q/..Qc.\R.%.R..'S.U.S3..St.qT...
HTTP/1.1 302 Object moved
Location: hXXp://VVV.talktalk.co.uk
Connection: close
POST /?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 51
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: job-index.ch
Connection: Keep-Alive
Cache-Control: no-cache
PB......H..!..:":o..^..a..yafe.#.....U7#4.G%.h...*.
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache
Location: hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL
Cache-Control: max-age=1
Expires: Thu, 12 Mar 2015 07:28:27 GMT
Content-Length: 330
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.hrtoday.ch/?ptrxcz_JLOQSUWYbdfhjmprtvx02468ADFHJL">here</a>.</p>.<hr>.<address>Apache Server at job-index.ch Port 80</address>.</body></html>.
<<< skipped >>>
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 203
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: onebox.com
Connection: Keep-Alive
Cache-Control: no-cache
z.I..3...2a.J0....x.....'...u[(..Y...W&.E.....=.......;.c.....l..}..3.....5..D..3.3.....Z.I....=.{....K..$L.I..!.x....M....C.s..*h..(..-.<.n....UT
...X.....6..M..5.4..I....e..F..S.c.......a.0q..~....m.
HTTP/1.1 302 Object moved
Date: Thu, 12 Mar 2015 07:28:38 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Pragma: no-cache
Location: hXXp://VVV.onebox.com/oneboxlogin.asp
Content-Length: 158
Content-Type: text/html
Expires: Thu, 12 Mar 2015 07:27:38 GMT
Set-Cookie: xpcook=o9Gjoc8PxanwsxIK74Lvqkzsu4/M4DZ7; expires=Fri, 01-Jan-2016 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCSCTCRTT=GAKJCJJACOBFBBCIOFIKIOAH; path=/
Cache-control: no-cache
Set-Cookie: oneboxwb=ffffffff0989118145525d5f4f58455e445a4a423660;expires=Thu, 12-Mar-2015 07:33:38 GMT;path=/;httponly
<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://VVV.onebox.com/oneboxlogin.asp">here</a>.</body>.
<<< skipped >>>
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 200
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tampabay.com
Connection: Keep-Alive
Cache-Control: no-cache
.d..sa....P...N.:U......>N{.....iy......z....;...7..'.......E.M..'e.V$c......O..&L......!.hd.s..6p.....go..h..'.6....c.k..y...w...d.\.......JF......h....m....2..3J.k....R...N...K....8.6vO..rM.G.d..7|.
HTTP/1.1 301 Moved Permanently
Accept-Ranges: bytes
Age: 0
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 12 Mar 2015 07:28:31 GMT
Location: hXXp://VVV.tampabay.com/
Server: nginx/1.6.2
Set-Cookie: TPC=Ci4rJFUBQB9dzF4GBIr1Ag==; expires=Thu, 12-Mar-15 08:28:31 GMT; domain=tampabay.com; path=/
Via: 1.1 varnish
X-Cache: MISS
X-Cacheable: NO CACHE: POST request
X-Served-By: livesite-prd-varnish-2.localdomain
X-Varnish: 1322858855
Content-Length: 232
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.tampabay.com/">here</a>.</p>.</body></html>.
<<< skipped >>>
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hknetmail.com
Connection: Keep-Alive
Cache-Control: no-cache
..*...&.
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 310
Content-Type: text/html; charset=utf-8
Location: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=1aa95ea7-505a-496c-9960-63c7a2769197; path=/
Set-Cookie: VisitorID=59f14903-41a5-478e-8c2e-c4ca6eb2af2d&Exp=3/12/2018 12:28:37 AM; expires=Mon, 12-Mar-2018 07:28:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:37 GMT
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=hknetmail.com&output=html&drid=as-drid-oo-1750951074443211">here</a>.</h2>..</body></html>..
<<< skipped >>>
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 31
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: goldcockerelbooks.co.uk
Connection: Keep-Alive
Cache-Control: no-cache
.'..:...!.8..f92..pj.x.h$y...
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2015 07:28:27 GMT
Server: Apache
Last-Modified: Mon, 06 Oct 2014 14:36:36 GMT
Accept-Ranges: bytes
Content-Length: 79
Connection: close
Content-Type: text/html
<meta http-equiv="refresh" content="0; url=hXXp://goldcockerelbooks.com/web" />..
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 152
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: actuslendlease.com
Connection: Keep-Alive
Cache-Control: no-cache
.P..o.`.?F...At..m=..h......B....%d.......^.h{..8...
........M.k...;Za.......t.........$..m.....g....?ri..s.,..l...]z.{l:......./.......W>.-.....
....
HTTP/1.0 301 Moved Permanently
Location: hXXp://VVV.actuslendlease.com/
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
POST /?ptrxcz_qsuwy02468ACEGILNPRTVXZbdfhjlo HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 130
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jotmail.com
Connection: Keep-Alive
Cache-Control: no-cache
8!..R...l..... ..QS......O........7./.j.I...cL..}.....5...h..|...H..{..&GM.x...}........`..CK...~.4.B...u......>..-....>.......
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:30 GMT
Content-Length: 169
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>..
POST /?ptrxcz_jmprtvy02468ADFHJLNQSUWYacfhjl HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 105
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jotmail.com
Connection: Keep-Alive
Cache-Control: no-cache
=..rmy..7 ...........@.F........[o.W&!........h.6..... ....Je.....<.....?..4..^d....n..G.xf....Y..tQ.z.
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:42 GMT
Content-Length: 169
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>..
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 162
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: zdnetmail.com
Connection: Keep-Alive
Cache-Control: no-cache
/........C.Z.XQ[.>\......P....._a....~x`..:cp.2...ie.M..k|.....
..i..$...<.y.l......`....Ck.%..3.-..~.np..p....D.r..G=s.o..C.....j...L....~.t.~5...aP....3..~>..G
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2015 07:28:29 GMT
Server: Apache
Expires: Thu Mar 12 07:33:29 2015 GMT
Cache-Control: private, max-age=300, must-revalidate
P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="hXXp://VVV.cnet.com/w3c/p3p.xml"
Keep-Alive: timeout=300, max=976
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
23e0..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html><head><!--ss720--><!--ID.113-->.<script>window.location="hXXp://search.com/search"</script>.<style><!--.img {. border: 0;. }..ol, ul {..list-style-image:none;..list-style-position:outside;..list-style-type:none;..}..body {..background-color:#FFFFFF;..font-family:arial,helvetica,verdana,sans-serif;..font-size:13px;..}..a {..color:navy;..text-decoration:underline;..}..#header h1 {..font-size: 150%;..padding-bottom: 10px;..color: #333;..}..#header .searchbox {..float:left;..}..#header .searchbox .q {..width:300px;..}..#header #wrap {..float: left;..margin: 8px;..width:750px;..padding-bottom: 15px;..border-bottom: 1px solid #999;..}...query {..float:left;..}..#results_wrap {..float:left;..width:100%;..}..#results {..margin:0pt;..padding:0pt;..}..#results h3 {..color:#555555;..font-size:13px;..margin:10px 0px;..}..#header b {..color:#555555;..font-size:13px;..}..#results #dmoz_wrap {..padding-bottom: 18px;..border-bottom: 1px solid #777;..width:750px;. margin: 0 0 0 8px;..}..#results #dmoz {..border:0pt none;..font-size:11px;..width: 100%;..margin: 0 0 0 10px;..}..#results #dmoz b {..font-size:13px;..}..#results #dmoz td {..padding:5px 5px 5px 0;..}..#results #services_wrap {..width:750px;..margin: 0 0 0 8px;..padding-top: 8px;..}..#services {..margin: 0 0 0 10px;..width: 750px;..}..#services td {..padding:5px 5px 5px
<<< skipped >>>
POST /?ptrxcz_dfikmprtwy02479BDFHJMOQSUWYbdf HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 11
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: midway.edu
Connection: Keep-Alive
Cache-Control: no-cache
A. ..XQ..S.
HTTP/1.1 403 Forbidden
Date: Thu, 12 Mar 2015 07:28:32 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>403 Forbidden</title>.</head><body>.<h1>Forbidden</h1>.<p>You don't have permission to access /.on this server.</p>.<p>Additionally, a 500 Internal Server Error.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 230
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mtv.com
Connection: Keep-Alive
Cache-Control: no-cache
.z.. ...l........AN.....<r..
.......:J....@k..t.{......._..2..^0D......`..2.t.Q....)@...6:.Y....p...g;...;.5.......W.=^.....j.......6. ...TH....f..x....2.$...e....?|......pG.5...v.,......6....\.Fg..z.'....../..#.r.W....^=.......
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:26 GMT
Server: Apache/2.2.23 (Unix)
Location: hXXp://VVV.mtv.com/
Content-Length: 298
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.mtv.com/">here</a>.</p>.<hr>.<address>Apache/2.2.23 (Unix) Server at mtv.com Port 80</address>.</body></html>...
POST /?ptrxcz_qsuwz13579BEGIKMORTVXZbdgikmpr HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 63
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jotmail.com
Connection: Keep-Alive
Cache-Control: no-cache
v.Q...R.:........d6...j..........oM.....<....c..XY.......*e....
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 12 Mar 2015 07:28:26 GMT
Content-Length: 169
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.bing.com/search?q=jotmail&form=MSSRPD">here</a>.</h2>..</body></html>..
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 241
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yahoo.gr
Connection: Keep-Alive
Cache-Control: no-cache
...@Ay>A..#B...B
.C.:kD/..E...E...FMd2G...G...Hx.zI..EJ;..J...K...Lf.?M.
Nn..N.znO..9PT......Q.phR.....6.."..Ve.IW....{..V...W..1[..@Y...YA..Z..o[..!\l..\.{.]/.i^^..b..yc!.*d|..d...eL.rf..$g...gj..h..Si P.j...j.J.kK{Ml...m...mi@|n.pGo,;.o.
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:29 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: BX=eouc0qlag2g0t&b=3&s=61; expires=Sun, 12-Mar-2017 07:28:29 GMT; path=/; domain=.yahoo.gr
Cache-Control: max-age=3600, private
Location: hXXp://gr.yahoo.com/
Vary: Accept-Encoding
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: keep-alive
Server: ATS/4.0.2
.<!-- src3.ops.ir2.yahoo.com Thu Mar 12 07:28:29 UTC 2015 -->.
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 62
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sprintmail.com
Connection: Keep-Alive
Cache-Control: no-cache
(7"*... .*.-..J/..-1...2V.@4@
6...7..69...:...<j.,>aP.@>..A..
HTTP/1.1 302 Found
Location: hXXp://VVV.earthlink.net/
Connection: close
POST /?ptrxcz_XZcegikmprtvx02468ACEGILNPRTVX HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 248
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ministryofsound.net
Connection: Keep-Alive
Cache-Control: no-cache
..j.'h..u....03.....y.....H."...pXy.." .....g.[..O......^~>..H......bw:.....C...
...n......]....g..Q..Y.s.u.T.....'.E...v..Y(.>.... Y..
.9O....;.....0...~F......'uh.u....... nd.y....6....-.pe.../....).g....\Z.....^.....<.. ..b.....8.....Y....{..
HTTP/1.1 200 OK
Last-Modified: Wed, 07 Jun 2006 10:38:30 GMT
ETag: "e7a6b-f-4159ff7e7f580"
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: NetNames
Transfer-Encoding: chunked
Date: Thu, 12 Mar 2015 07:28:26 GMT
Connection: keep-alive
00f..<HTML>.</HTML>...0..
POST /?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 238
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: nifty.ne.jp
Connection: Keep-Alive
Cache-Control: no-cache
..S.......K..4...`
..X ....~7...L..=b.........\#..".......G. !@."%9.$.f.%X..'G..)K.. ,.r.=../,<.1.bM.N.b../.=...>.....l:A$.OC...G5..G#P*I...J B"M/;.O&..Q.a.R;&.U2..V)L.XG..[1>.\B..^.d.`0..bA".d8..fI..hM.j7:|l;3xn?,tpC%pra..tK.hvO.dx`o
HTTP/1.1 301 Moved Permanently
Date: Thu, 12 Mar 2015 07:28:33 GMT
Server: Apache
Location: hXXp://VVV.nifty.com/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY
Content-Length: 267
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.nifty.com/?ptrxcz_Yacfhjloqsuwy13579BDFHJMOQSUWY">here</a>.</p>.</body></html>...
POST /?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578 HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 6
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sympatico.ca
Connection: Keep-Alive
Cache-Control: no-cache
p....@
HTTP/1.1 301 Moved Permanently
Location: hXXp://VVV.sympatico.ca/?ptrxcz_MOQRTUWYZbdeghjlmpqsuwxz024578
Content-Length: 0
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1156_rwx_00860000_0000C000:
GetWindowsDirectoryA
kernel32.dll
msvcrt.dll
GetProcessHeap
hsu#%s
.ACl;.
.Wn.r
0obP0.aU
&ntL2ta@.me
cbL*elT<.bl>
aiM%te;%ux
W:\eF
d5.FSp
%original file name%.exe_1156_rwx_00880000_0000F000:
GetWindowsDirectoryA
kernel32.dll
msvcrt.dll
GetProcessHeap
hsu#%s
.ACl;.
.Wn.r
0obP0.aU
&ntL2ta@.me
cbL*elT<.bl>
aiM%te;%ux
W:\eF
d5.FSp
%original file name%.exe_1156_rwx_008B0000_0000F000:
.text
`.rdata
@.data
.reloc
SSh(S
software\microsoft\windows\currentversion\run
%s\%s.exe
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\system32\svchost.exe
hXXps://%s
software\microsoft\windows\currentversion
del %s
if exist %s goto :repeat
hXXp://%s
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
PSAPI.DLL
USERENV.dll
IPHLPAPI.DLL
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
ADVAPI32.dll
ole32.dll
bEiO5\E.XD0]L;k]O
%original file name%.exe_1156_rwx_01DA0000_00006000:
.text
`.rdata
@.data
.reloc
hXXp://%s/?ptrxcz_%s
hXXp://%s/
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: %d
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
WININET.dll
WS2_32.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
ole32.dll
%original file name%.exe_1156_rwx_04000000_0000F000:
.text
`.rdata
@.data
.reloc
SSh(S
software\microsoft\windows\currentversion\run
%s\%s.exe
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\system32\svchost.exe
hXXps://%s
software\microsoft\windows\currentversion
del %s
if exist %s goto :repeat
hXXp://%s
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
PSAPI.DLL
USERENV.dll
IPHLPAPI.DLL
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCrackUrlA
WININET.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
ADVAPI32.dll
ole32.dll
hXXp://%s/?ptrxcz_%s
hXXp://%s/
%Documents and Settings%\%current user%\folohadlobos.exe