Gen.Variant.Kazy.536908_4d9cc4700e

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:332

The Trojan injects its code into the following process(es):

9.9.exe:504

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process 9.9.exe:504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EAFKB6GD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXYZKDE3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\Google Chrome.html (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WBE329MV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\Mozilla Firefox.html (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LURCTMJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXYZKDE3\cf[1].htm (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EAFKB6GD\328[1].png (325 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process %original file name%.exe:332 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\PRo\9.9.exe (2093 bytes)
C:\PRo\FapCF.dll (203 bytes)

The Trojan deletes the following file(s):

C:\PRo\__tmp_rar_sfx_access_check_1412640 (0 bytes)

Registry activity

The process 9.9.exe:504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB DD 26 A0 AA 13 87 16 8C E1 06 7F 23 B2 61 DD"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://trollface.biz"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:332 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 2B 52 E4 2F A7 2F 85 9D BC 0C CA 8C F2 0A 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\WinRAR SFX]
"C%%PRo" = "C:\PRo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PRo]
"9.9.exe" = "9.9"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
611747b0c580ff22d80ff04f73c736a5	c:\PRo\9.9.exe
be89332b6aa5fbee026d926912e6b82d	c:\PRo\FapCF.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:332

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EAFKB6GD\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXYZKDE3\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Desktop\Google Chrome.html (160 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WBE329MV\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Desktop\Mozilla Firefox.html (160 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LURCTMJ\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXYZKDE3\cf[1].htm (747 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EAFKB6GD\328[1].png (325 bytes)
   C:\PRo\9.9.exe (2093 bytes)
   C:\PRo\FapCF.dll (203 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	165770	165888	4.65928	2ccda66720a3519c30d7d8548a42d267
.rdata	172032	20403	20480	3.7353	0f9e4b68eb2898dcd48e6188943ac30e
.data	192512	136232	5632	2.4029	972e0edc997fcfeb40fbe103776deb2b
.rsrc	331776	17588	17920	3.33146	0729f4d2c384b627d8fa2bf6c7ce423a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
fac8e5392443f745ea684d1717ecdcf2
42bdb0675bf04b8fcddaf43b9603387b
b7a9e80711043fec9f2cedbd5542146d

Network Activity

URLs

URL	IP
hxxp://static.adf.ly/static/css/adfly_4.css	104.20.1.4
hxxp://static.adf.ly/static/js/b64.js	104.20.1.4
hxxp://static.adf.ly/static/js/view42.js	104.20.1.4
hxxp://static.adf.ly/static/image/logo_fb2.png	104.20.1.4
hxxp://static.adf.ly/static/image/ahl6532.gif	104.20.1.4
hxxp://static.adf.ly/static/image/d_top_bg.png	104.20.1.4
hxxp://static.adf.ly/static/image/skip_ad/en_tran.png	104.20.1.4
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://star.c10r.facebook.com/plugins/like.php?href=https://www.facebook.com/x19ltd.adfly&width=150&fb_source=unshorten&layout=button_count&action=like&show_faces=false&share=true&height=21&appId=399141353502152
hxxp://static.adf.ly/static/image/d_bottom_bg2.png	104.20.1.4
hxxp://static.adf.ly/1market.php?p=xVZnHcUvikLHCbJuoYbG3ZNh09IyjLo6iAYHWdR0mhLmmIx65IIiiZwliJaHGaFizwaiCII56xImiLImsRIWnYBivocjnIQli1OWiYIuiRL3CcJvwhYmXIR7opbjmIFstJZXSdIi6wISiM91yEdjXNF4kodjSIIusJICnLNxlUYTXNJzjUaDCOI66IICiZIiswIinIBjyFbT3YR2vYY22Y9wsYITjMo4iEaTHZRj0NcTDNo4iQfDSNw1iIZTmOxihVcz2YgkidOzjNAlsJIDmN1jvJYjmIl6sIZCSdIi6wMiCIwxiIbiWO9iiMa2WcxilwXi2I9tzNIjjIo6iITimY8jiJfyQe==	104.20.1.4
hxxp://trollface.biz/	184.168.224.167
hxxp://trollface.biz/vote	184.168.224.167
hxxp://c.global-ssl.fastly.net/nr-476.min.js
hxxp://whos.amung.us/swidget/fapcfmodz.png	67.202.94.86
hxxp://beacon.newrelic.com/1/92a411bc23?a=4058140,2334836&pl=1422596420199&v=476.c73f3a6&to=YlNSbUYAV0IFBhdaWVsZc0xHFVZcSxYLXERBU15cRiJWXxAXDF9aUEQfTFoyUV4WEQZd&ap=8&fe=8922&dc=8922&f=[]&at=ThRFGw4aRB1GBEEJTUhL&jsonp=NREUM.setToken
hxxp://beacon.newrelic.com/1/92a411bc23?a=4058140,2334836&pl=1422596427839&v=476.c73f3a6&to=YlNSbUYAV0IFBhdaWVsZZUtdTghcBRcIVkIbRlhJ&ap=11&fe=1047&dc=1047&f=[]&at=ThRRGw4aREw=
hxxp://widgets.amung.us/small/03/328.png	173.192.200.70
hxxp://trollface.biz/css/style.css	184.168.224.167
hxxp://173.194.204.95/ajax/libs/mootools/1.3.1/mootools-yui-compressed.js
hxxp://trollface.biz/UTM_Bebas.eot?	184.168.224.167
hxxp://trollface.biz/images/search_icon.png	184.168.224.167
hxxp://trollface.biz/images/tags.png	184.168.224.167
hxxp://www-google-analytics.l.google.com/vi/q4pBFb3NCzk/0.jpg
hxxp://www-google-analytics.l.google.com/vi/poS0YGKNSTs/0.jpg
hxxp://trollface.biz/images/like.png	184.168.224.167
hxxp://www-google-analytics.l.google.com/vi/RCCXZ8ErVag/0.jpg
hxxp://trollface.biz/upload/t/1056.png	184.168.224.167
hxxp://trollface.biz/images/sprite_v12.png	184.168.224.167
hxxp://www-google-analytics.l.google.com/vi/UrDxiYYriJc/0.jpg
hxxp://imgur.com/nfXqfv7.png
hxxp://trollface.biz/upload/t/1055.jpg	184.168.224.167
hxxp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g	109.105.53.5
hxxp://trollface.biz/upload/t/1054.jpg	184.168.224.167
hxxp://trollface.biz/images/logo.png	184.168.224.167
hxxp://trollface.biz/images/upload_icon.png	184.168.224.167
hxxp://trollface.biz/images/buttons-white.png	184.168.224.167
hxxp://static.adf.ly/callback/2c42e77dc5b92544853ce18160cf6a1c	104.20.1.4
hxxp://trollface.biz/images/comment.png	184.168.224.167
hxxp://trollface.biz/images/loved.png	184.168.224.167
hxxp://trollface.biz/images/viewed.png	184.168.224.167
hxxp://trollface.biz/images/google.png	184.168.224.167
hxxp://widgets.amung.us/small.js	173.192.200.70
hxxp://yllix.com/images/premium.png	109.105.53.5
hxxp://yllix.com/show.php?vs=&ad=286387&f=300x250&a=956646&s=MDhiZTA0ODk4Y2VjOGU2MzBlOGVjODY2YmY4NDgwMjM=&u=586654&si=742431179&di=5811174&ci=16&cc=CA	109.105.53.5
hxxp://anycast-americas.quantserve.com.akadns.net/quant.js
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=433791101&utmhn=trollface.biz&utmcs=utf-8&utmsr=1024x768&utmvp=1004x599&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=New - Troll Face Funny&utmhid=1917424732&utmr=-&utmp=/vote&utmht=1422596434949&utmac=UA-29685024-1&utmcc=__utma=174148071.773612308.1422596435.1422596435.1422596435.1;+__utmz=174148071.1422596435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=344341876&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~
hxxp://whos.amung.us/widget/usytk7tkcyx3.png	67.202.94.86
hxxp://widgets.amung.us/classic/04/411.png	173.192.200.70
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=41005801&utmhn=yllix.com&utmcs=utf-8&utmsr=1024x768&utmvp=300x250&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Yllix media&utmhid=871299865&utmr=http://trollface.biz/vote&utmp=/banner_show.php?section=General&pub=586654&format=300x250&ga=g&utmht=1422596435168&utmac=UA-33725520-1&utmcc=__utma=211441629.611147151.1422596435.1422596435.1422596435.1;+__utmz=211441629.1422596435.1.1.utmcsr=trollface.biz|utmccn=(referral)|utmcmd=referral|utmcct=/vote;&utmjid=2118429030&utmredir=1&utmu=qBAAAAAAAAAAAAAAAAAAAAAE~
hxxp://t.dtscout.com/i/?l=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g	69.4.231.30
hxxp://px-chg004.quantserve.com.akadns.net/pixel;r=631760284;a=p-EMbv-yy8jFpSp;fpan=1;fpa=P0-1475998630-1422596435355;ns=1;ce=1;cm=;je=1;sr=1024x768x32;enc=n;dst=1;et=1422596435355;tzo=-120;ref=http://trollface.biz/vote;url=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g;ogl=
hxxp://e332.g.akamaiedge.net/152media/tags/xbanner/xbanner.js?ap=1300
hxxp://star.c10r.facebook.com/plugins/like.php?app_id=669034239861694&channel=http://static.ak.facebook.com/connect/xd_arbiter/7r8gQb8MIqE.js?version=41#cb=f251c3fa86634de&domain=trollface.biz&origin=http%3A%2F%2Ftrollface.biz%2Ff33b7892863bd18&relation=parent.parent&href=http://www.facebook.com/trollface.biz&locale=en_US&sdk=joey&send=false&show_faces=true&width=290
hxxp://east.i.simpli.fi/dpx.js?cid=21707&m=1&sifi_tuid=6329
hxxp://whos.amung.us/pingjs/?k=psytrs8y6gmn&t=Yllix media&c=s&y=http://trollface.biz/vote&a=0&r=8601	67.202.94.86
hxxp://east.i.simpli.fi/p?cid=21707&cb=dpx_58114617._hp
hxxp://a.adk2x.com/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r=
hxxp://widgets.amung.us/widtemplates/smalloutline.gif	173.192.200.70
hxxp://east.i.simpli.fi/dpx?cid=21707&m=1&sifi_tuid=6329&cbri=1334375555843&referrer=http://trollface.biz/vote
hxxp://a.adk2x.com/ul_cb/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r=
hxxp://a1189.g.akamai.net/tc.js
hxxp://pagead.l.doubleclick.net/pixel?google_nid=simplifi&google_cm&google_sc
hxxp://pagead.l.doubleclick.net/pixel?google_nid=simplifi&google_cm=&google_sc=&google_tc=
hxxp://central.um.simpli.fi/g_match?id=&google_gid=CAESENgPIAiUVi0jv3eljxknN3o&google_cver=1
hxxp://dispaa.website/Track?pai=26d49ef3669c26f2&guj=300x250&fat=26d49ef3669c26f2
hxxp://pagead.l.doubleclick.net/pixel?google_nid=simplifi&google_hm=A2BCADB89762CB54D84AB87B024B7D7F
hxxp://central.um.simpli.fi/g_match?id=
hxxp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=
hxxp://de.tynt.com/deb/v2?id=w!psytrs8y6gmn&r=trollface.biz/vote	67.202.66.171
hxxp://ic.tynt.com/b/p?id=w!psytrs8y6gmn&ts=1422596436558&r=trollface.biz/vote&t=Yllix media	67.202.66.206
hxxp://ds-any-world.ngd.ysm.yahoodns.net/pixel?id=2085077&t=2&piggyback=http://ads.yahoo.com/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1
hxxp://websource.website/flash/reset.css	104.28.22.64
hxxp://websource.website/flash/jquery-ui.css	104.28.22.64
hxxp://ds-any-world.ngd.ysm.yahoodns.net/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1
hxxp://central.um.simpli.fi/y_match?xid=OpUesktx0bnS1._7RUN1UBwx
hxxp://websource.website/flash/core.css	104.28.22.64
hxxp://websource.website/flash/ie_fix.css	104.28.22.64
hxxp://websource.website/flash/html5shiv.js	104.28.22.64
hxxp://blogspot.l.googleusercontent.com/2014/08/b-red-releases-flaming-hot-new-track.html
hxxp://www.google.com/uds/css/gsearch.css	74.125.226.52
hxxp://blogspot.l.googleusercontent.com/-220e_g7edhs/VMsXtforiJI/AAAAAAAEZzg/Ru02XyZTxSs/s0/22.jpg
hxxp://dart.l.doubleclick.net/adj/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;abr=!ie;sz=728x90;ord=[timestamp]?
hxxp://pagead.l.doubleclick.net/pagead/js/google_top_exp.js
hxxp://blogger.l.google.com/img/icon18_wrench_allbkg.png
hxxp://blogspot.l.googleusercontent.com/-2VhpOMtGi9M/VKq5K-uegYI/AAAAAAAEOzE/LGnSu074gr0/s1600/00.png
hxxp://dart.l.doubleclick.net/adi/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;sz=728x90;ord=[timestamp]?
hxxp://blogspot.l.googleusercontent.com/-B9TeChMS3A8/VLWjCCx4RMI/AAAAAAAESvc/KYmzd1Dl5gc/s1600/1.jpg
hxxp://blogspot.l.googleusercontent.com/-ao95uV_Um5c/VMQRVLaoNQI/AAAAAAAEXeY/pI6fjZbMjl8/s1600/0.png
hxxp://blogspot.l.googleusercontent.com/-o3bkrf-qs0A/VKqAyof5pQI/AAAAAAAEOsw/vJqd_lEwam4/s1600/unnamed.gif
hxxp://blogspot.l.googleusercontent.com/-mcc90_3G694/VK1JjzkAFCI/AAAAAAAEPqg/OyqPpsMg5Gk/s1600/00.jpg
hxxp://lekkigardens.com/img/200x300.gif	67.20.76.118
hxxp://blogspot.l.googleusercontent.com/-h3JUlSgQ-_0/VK1KLDMRMgI/AAAAAAAEPqs/TR8XRbZvbY8/s1600/00.jpg
hxxp://blogspot.l.googleusercontent.com/-pzssax7ig_o/VMQQY1VHBhI/AAAAAAAEXeM/f381QtL8lmc/s1600/1.jpg
hxxp://www.mcomm.ca/callertunes/lindaikeji/ads/banner_160.gif	64.71.39.1
hxxp://blogspot.l.googleusercontent.com/-tgynBCYivZk/VMgdZOklr4I/AAAAAAAEY-k/qplcX1nppmc/s1600/a.jpg
hxxp://blogger.l.google.com/img/logo-16.png
hxxp://blogspot.l.googleusercontent.com/-nerBEGrWuFk/U7B9Sg0IJBI/AAAAAAADFto/lO0wova5fhs/s1600/LoLavita+Hair+%26+Beauty+2.jpg
hxxp://static-uk.addynamo.net/ad/js/deliverAds.js
hxxp://blogspot.l.googleusercontent.com/-I7qMNrH15Bg/VLk-QT3KL4I/AAAAAAAEUGs/7Yx5LDt8E7U/s1600/2.jpg
hxxp://blogspot.l.googleusercontent.com/-vm21KdojIls/VMQP8OWvjNI/AAAAAAAEXeA/8wj2VMb764k/s1600/unnamed.gif
hxxp://blogspot.l.googleusercontent.com/-lYQ_6IJ9-1k/VJvzDQLQ5ZI/AAAAAAAEKxk/dRnS1Y_bqZs/s1600/0.jpg
hxxp://blogspot.l.googleusercontent.com/-A-xhStXKSRc/U2Ib-ESdJbI/AAAAAAAC1Tc/LfWTAWidGB0/s1600/2.gif
hxxp://blogspot.l.googleusercontent.com/_ukqwa9IFmR4/TRw5oR3LM0I/AAAAAAAAAB8/1s_TvrzEhZQ/S220/26392_1104606111494_1717008926_185805_7177542_n.jpg
hxxp://pagead.l.doubleclick.net/pagead/js/lidar.js
hxxp://pagead.l.doubleclick.net/pagead/blank.html
hxxp://dart.l.doubleclick.net/viewad/3774000/NG_W5_D_VD15_26012015_728x90.jpg
hxxp://adf.ly/1market.php?p=xVZnHcUvikLHCbJuoYbG3ZNh09IyjLo6iAYHWdR0mhLmmIx65IIiiZwliJaHGaFizwaiCII56xImiLImsRIWnYBivocjnIQli1OWiYIuiRL3CcJvwhYmXIR7opbjmIFstJZXSdIi6wISiM91yEdjXNF4kodjSIIusJICnLNxlUYTXNJzjUaDCOI66IICiZIiswIinIBjyFbT3YR2vYY22Y9wsYITjMo4iEaTHZRj0NcTDNo4iQfDSNw1iIZTmOxihVcz2YgkidOzjNAlsJIDmN1jvJYjmIl6sIZCSdIi6wMiCIwxiIbiWO9iiMa2WcxilwXi2I9tzNIjjIo6iITimY8jiJfyQe==
hxxp://1.bp.blogspot.com/-nerBEGrWuFk/U7B9Sg0IJBI/AAAAAAADFto/lO0wova5fhs/s1600/LoLavita+Hair+%26+Beauty+2.jpg	74.125.226.42
hxxp://www.google-analytics.com/ga.js	74.125.226.32
hxxp://4.bp.blogspot.com/-o3bkrf-qs0A/VKqAyof5pQI/AAAAAAAEOsw/vJqd_lEwam4/s1600/unnamed.gif	74.125.226.44
hxxp://ajax.googleapis.com/ajax/libs/mootools/1.3.1/mootools-yui-compressed.js
hxxp://i.imgur.com/nfXqfv7.png	23.235.40.193
hxxp://ads.yahoo.com/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1	98.138.49.42
hxxp://ad.doubleclick.net/adi/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;sz=728x90;ord=[timestamp]?	74.125.226.59
hxxp://img1.blogblog.com/img/icon18_wrench_allbkg.png	173.194.204.191
hxxp://img.youtube.com/vi/RCCXZ8ErVag/0.jpg	74.125.226.37
hxxp://i.simpli.fi/p?cid=21707&cb=dpx_58114617._hp	184.173.188.162
hxxp://beacon-3.newrelic.com/1/92a411bc23?a=4058140,2334836&pl=1422596427839&v=476.c73f3a6&to=YlNSbUYAV0IFBhdaWVsZZUtdTghcBRcIVkIbRlhJ&ap=11&fe=1047&dc=1047&f=[]&at=ThRRGw4aREw=	50.31.164.172
hxxp://3.bp.blogspot.com/-ao95uV_Um5c/VMQRVLaoNQI/AAAAAAAEXeY/pI6fjZbMjl8/s1600/0.png	74.125.226.42
hxxp://ad.doubleclick.net/adj/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;abr=!ie;sz=728x90;ord=[timestamp]?	74.125.226.59
hxxp://152media.adk2x.com/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r=	1.97.192.21
hxxp://lindaikeji.blogspot.com/2014/08/b-red-releases-flaming-hot-new-track.html	74.125.226.42
hxxp://i.simpli.fi/dpx?cid=21707&m=1&sifi_tuid=6329&cbri=1334375555843&referrer=http://trollface.biz/vote	184.173.188.162
hxxp://cm.g.doubleclick.net/pixel?google_nid=simplifi&google_cm&google_sc	74.125.226.57
hxxp://pagead2.googlesyndication.com/pagead/js/lidar.js	74.125.226.57
hxxp://1.bp.blogspot.com/-pzssax7ig_o/VMQQY1VHBhI/AAAAAAAEXeM/f381QtL8lmc/s1600/1.jpg	74.125.226.42
hxxp://i.simpli.fi/dpx.js?cid=21707&m=1&sifi_tuid=6329	184.173.188.162
hxxp://cm.g.doubleclick.net/pixel?google_nid=simplifi&google_hm=A2BCADB89762CB54D84AB87B024B7D7F	74.125.226.57
hxxp://cdn.tynt.com/tc.js	184.84.243.208
hxxp://static.addynamo.net/ad/js/deliverAds.js	82.113.155.124
hxxp://js-agent.newrelic.com/nr-476.min.js	23.235.40.175
hxxp://cm.g.doubleclick.net/pixel?google_nid=simplifi&google_cm=&google_sc=&google_tc=	74.125.226.57
hxxp://img.youtube.com/vi/q4pBFb3NCzk/0.jpg	74.125.226.37
hxxp://2.bp.blogspot.com/-vm21KdojIls/VMQP8OWvjNI/AAAAAAAEXeA/8wj2VMb764k/s1600/unnamed.gif	74.125.226.42
hxxp://3.bp.blogspot.com/-lYQ_6IJ9-1k/VJvzDQLQ5ZI/AAAAAAAEKxk/dRnS1Y_bqZs/s1600/0.jpg	74.125.226.42
hxxp://4.bp.blogspot.com/-tgynBCYivZk/VMgdZOklr4I/AAAAAAAEY-k/qplcX1nppmc/s1600/a.jpg	74.125.226.44
hxxp://pixel.quantserve.com/pixel;r=631760284;a=p-EMbv-yy8jFpSp;fpan=1;fpa=P0-1475998630-1422596435355;ns=1;ce=1;cm=;je=1;sr=1024x768x32;enc=n;dst=1;et=1422596435355;tzo=-120;ref=http://trollface.biz/vote;url=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g;ogl=	72.5.205.26
hxxp://2.bp.blogspot.com/-2VhpOMtGi9M/VKq5K-uegYI/AAAAAAAEOzE/LGnSu074gr0/s1600/00.png	74.125.226.42
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=433791101&utmhn=trollface.biz&utmcs=utf-8&utmsr=1024x768&utmvp=1004x599&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=New - Troll Face Funny&utmhid=1917424732&utmr=-&utmp=/vote&utmht=1422596434949&utmac=UA-29685024-1&utmcc=__utma=174148071.773612308.1422596435.1422596435.1422596435.1;+__utmz=174148071.1422596435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=344341876&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~	74.125.226.32
hxxp://2.bp.blogspot.com/-A-xhStXKSRc/U2Ib-ESdJbI/AAAAAAAC1Tc/LfWTAWidGB0/s1600/2.gif	74.125.226.42
hxxp://adf.ly/callback/2c42e77dc5b92544853ce18160cf6a1c
hxxp://4.bp.blogspot.com/-B9TeChMS3A8/VLWjCCx4RMI/AAAAAAAESvc/KYmzd1Dl5gc/s1600/1.jpg	74.125.226.44
hxxp://www.facebook.com/plugins/like.php?href=https://www.facebook.com/x19ltd.adfly&width=150&fb_source=unshorten&layout=button_count&action=like&show_faces=false&share=true&height=21&appId=399141353502152	31.13.74.1
hxxp://s0.2mdn.net/viewad/3774000/NG_W5_D_VD15_26012015_728x90.jpg	74.125.226.60
hxxp://um.simpli.fi/g_match?id=&google_gid=CAESENgPIAiUVi0jv3eljxknN3o&google_cver=1	108.168.159.136
hxxp://3.bp.blogspot.com/-I7qMNrH15Bg/VLk-QT3KL4I/AAAAAAAEUGs/7Yx5LDt8E7U/s1600/2.jpg	74.125.226.42
hxxp://um.simpli.fi/y_match?xid=OpUesktx0bnS1._7RUN1UBwx	108.168.159.136
hxxp://3.bp.blogspot.com/_ukqwa9IFmR4/TRw5oR3LM0I/AAAAAAAAAB8/1s_TvrzEhZQ/S220/26392_1104606111494_1717008926_185805_7177542_n.jpg	74.125.226.42
hxxp://um.simpli.fi/g_match?id=	108.168.159.136
hxxp://152media.adk2x.com/ul_cb/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r=	1.97.192.21
hxxp://edge.quantserve.com/quant.js	64.94.107.44
hxxp://www.facebook.com/plugins/like.php?app_id=669034239861694&channel=http://static.ak.facebook.com/connect/xd_arbiter/7r8gQb8MIqE.js?version=41#cb=f251c3fa86634de&domain=trollface.biz&origin=http%3A%2F%2Ftrollface.biz%2Ff33b7892863bd18&relation=parent.parent&href=http://www.facebook.com/trollface.biz&locale=en_US&sdk=joey&send=false&show_faces=true&width=290	31.13.74.1
hxxp://img.youtube.com/vi/UrDxiYYriJc/0.jpg	74.125.226.37
hxxp://www.blogger.com/img/logo-16.png	173.194.204.191
hxxp://googleads.g.doubleclick.net/pagead/blank.html	74.125.226.58
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=41005801&utmhn=yllix.com&utmcs=utf-8&utmsr=1024x768&utmvp=300x250&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Yllix media&utmhid=871299865&utmr=http://trollface.biz/vote&utmp=/banner_show.php?section=General&pub=586654&format=300x250&ga=g&utmht=1422596435168&utmac=UA-33725520-1&utmcc=__utma=211441629.611147151.1422596435.1422596435.1422596435.1;+__utmz=211441629.1422596435.1.1.utmcsr=trollface.biz|utmccn=(referral)|utmcmd=referral|utmcct=/vote;&utmjid=2118429030&utmredir=1&utmu=qBAAAAAAAAAAAAAAAAAAAAAE~	74.125.226.32
hxxp://1.bp.blogspot.com/-h3JUlSgQ-_0/VK1KLDMRMgI/AAAAAAAEPqs/TR8XRbZvbY8/s1600/00.jpg	74.125.226.42
hxxp://cdn.offersquared.com/152media/tags/xbanner/xbanner.js?ap=1300	96.7.201.120
hxxp://ads.yahoo.com/pixel?id=2085077&t=2&piggyback=http://ads.yahoo.com/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1	98.138.49.42
hxxp://beacon-3.newrelic.com/1/92a411bc23?a=4058140,2334836&pl=1422596420199&v=476.c73f3a6&to=YlNSbUYAV0IFBhdaWVsZc0xHFVZcSxYLXERBU15cRiJWXxAXDF9aUEQfTFoyUV4WEQZd&ap=8&fe=8922&dc=8922&f=[]&at=ThRFGw4aRB1GBEEJTUhL&jsonp=NREUM.setToken	50.31.164.172
hxxp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html	74.125.226.44
hxxp://2.bp.blogspot.com/-220e_g7edhs/VMsXtforiJI/AAAAAAAEZzg/Ru02XyZTxSs/s0/22.jpg	74.125.226.42
hxxp://img.youtube.com/vi/poS0YGKNSTs/0.jpg	74.125.226.37
hxxp://3.bp.blogspot.com/-mcc90_3G694/VK1JjzkAFCI/AAAAAAAEPqg/OyqPpsMg5Gk/s1600/00.jpg	74.125.226.42
hxxp://pagead2.googlesyndication.com/pagead/js/google_top_exp.js	74.125.226.57
backup333.googlecode.com	173.194.204.82
connect.facebook.net	96.16.47.139
redirecting.ws	69.65.52.68
accounts.google.com	173.194.204.84
stats.g.doubleclick.net	173.194.204.155
oauth.googleusercontent.com	74.125.226.44
ssl.gstatic.com	74.125.226.56
apis.google.com	74.125.226.35
flesler-plugins.googlecode.com	173.194.204.82
graph.facebook.com	31.13.74.1

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /vi/q4pBFb3NCzk/0.jpg HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.youtube.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Thu, 01 Jan 1970 00:23:32 GMT

Date: Fri, 30 Jan 2015 10:53:08 GMT

Expires: Fri, 30 Jan 2015 16:53:08 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 29142

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=21600

Age: 0

Alternate-Protocol: 80:quic,p=0.02

......JFIF......................................................................................................................................................h....".........................................Z.........................!1.AQ.."aq..2BR....#br.......3ST.......$4Cs.ct.....D....eu..%&..................................B........................!..1."AQq.2a...R....#3r..BC..5bs.6S.................?.......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B......!.!.@.B.....D-.>v.......[....w.l.>o..*.......*. K..[.)f.........[. e..e...;H..f..U.V... s...1..'.....Z.s}.M..,..I.{?.#..2}...e..u.se..k.z|$...v.e.........g...7..;Xy...~.)D .......>..O^...#.j..-c.d.q....|...................z.6jW.....x..X....^....N..c. }.S.W...x~^.N<............k..Y'...o.N..c.*..ShW...xg..L..O....#.x.7Md=.M..?..=}I...{%_..y..w.............^...{.? d.d.....S.G.{-_........~.....M......_...k5.n.I.<..|.jv..#....T.V....~Z....dz..%...n.-.q..e....:...S.....9...e..=9...F.z$..3m..Y../..t.S.....[!X/...?...I...:.y90.._.....jE{...d)..6..>..'.%.......?........!L.......?....;..>.....hF..C...`-.._9....{~...K...5.._...Y.Bu..{.B....]>.$......r3!<.......(....<].P...O?{.qg.......Y....#:.....Y......8...e.Ft'...8...e.{.qg...`dgBx....<].Q..'.x....Ft'...8...e.{.qg......O.{.qg...>.....}........'.x....~N,.w.S.r4!;....<].V>.I..'...J....8....}...<O.L........Y.~.>.I..'.........N,.?e=..'v.Py...

<<< skipped >>>

GET /vi/UrDxiYYriJc/0.jpg HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.youtube.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Thu, 01 Jan 1970 00:23:41 GMT

Date: Fri, 30 Jan 2015 10:53:08 GMT

Expires: Fri, 30 Jan 2015 16:53:08 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 6473

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=21600

Age: 0

Alternate-Protocol: 80:quic,p=0.02

......JFIF..............................(.....1#%.(:3=<9387@H\N@DWE78PmQW_bghg>Mqypdx\egc......./../cB8Bcccccccccccccccccccccccccccccccccccccccccccccccccc......h....".......................................F........................!.1a..AQ."2q#BRr........36T...Cb.....&.$45Ds.....................................................1!2.A............?...........................................................................................................................2.......-......2.......-......2.......-......2.......-......2......Z..\q.g @..B.....C........C..c..z%O8..'.Y..z,......g.........D.........f.5g5.....:8..g.ZQO.,.Vp.?.>.L.o......e...G......e...I.5....^q..,....)..`x....T....x.......P]....r.}l.io)~...1{V.....K-.K.}F...(/!.k..T.[|..~.T.'.Z.i...d..)~.).B../....c.w...OR.).M...(.>.V .C.4>.b..>.C.. .C.4>.b..>.C.. .C.4>.b..>.C.. .C.4>.b..>.C.. .C.4>.b..>.C..`....................WI......R.F...,@..Q.<<|.A....2.... -jX.>...w....M}.Q*.5M.I.|...<....../..7.[.U>}.j....V..M.l..s.. x2se.S.J...:).7....1..../..P.Q..5.ER....K3y.F.}.....G..\.......j<....c...8.I..8~..;.en..R.w~.........%.%......Y$..p....u........(){Mj...I......~,.9?....B.~g.........YH......"........................................2......RUUt.a.......eZ3.`..G...2.OO....._.!...R.L....[...{........T......?...........C...!gq?f......w...!..sS../.c].I....o.;Zo..O.VH .:..V:.B...b...V\...8.V.....!......;........M..c....[T.....f........FNJ.... ,......q=..............8..Tr.Tm=~u%.....q2.(...m.G...na....[e.B.!

<<< skipped >>>

GET /flash/reset.css HTTP/1.1

Accept: */*

Referer: hXXp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: websource.website

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d21f0cd7a75f84a7363c8618f1a3423af1422615192; expires=Sat, 30-Jan-16 10:53:12 GMT; path=/; domain=.websource.website; HttpOnly

Last-Modified: Thu, 27 Nov 2014 14:50:39 GMT

Expires: Wed, 04 Feb 2015 10:53:12 GMT

Cache-Control: public, max-age=432000

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1fdb21aa0534-YYZ

Content-Encoding: gzip

253.............S...@...jW.9R...&/..B.3v...Kg..%......"$..i..>...on.RYww.....n. s..6..a.o........aYC.&z..'..#$........q..G.?....#..!.....))C..hm.$*\ 8.........8....X.`..P1d..E.jIq.:Y.S.......H....$ .z.B...T..Z...8.(Zap.......}J.:2.h..A...w......OX.X.K...7...SaX!....>CIS..q..'....:..........8.Op..i.X..M.e$.q0mgS!......#...(..~..<.mw..S.....X..Fv..am#....f,.uY'...f.`.....s..|..Of.}.x.M2...T}.61E^^..8oo}.0..T..~..k...s...]..Q/...5.sg>.....$......]..m;..6...\.p.f..... ......W..$.........%M...w.]...X..j...56..`..........T.....(n...`.ln.U.M...u.cy.rw.R>? ...)oek.O.{.\w%h.a.....<)T.v:.a(x"../l0........0......

GET /flash/ie_fix.css HTTP/1.1

Accept: */*

Referer: hXXp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: websource.website

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=dee59d189370362192e85a18db36fe86b1422615193; expires=Sat, 30-Jan-16 10:53:13 GMT; path=/; domain=.websource.website; HttpOnly

Last-Modified: Thu, 27 Nov 2014 14:50:25 GMT

Expires: Wed, 04 Feb 2015 10:53:13 GMT

Cache-Control: public, max-age=432000

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1fdc91b40534-YYZ

Content-Encoding: gzip

212.............Sa..@.. k.S=....r.rF.AM41z1.c....t..,..J....i..U..........q.m).L*L.j...4......s..L.P.9.*Q.m.Ed..g....hG.,7...b...g...(.G..4ZP%....LK......8O..p.:......L&.......{.u..-.'.[(!E.Y.H..Y..6l.%...4.m..\..,...l.......s.......Kr....fR{.....8dycv.....&.....&,...@..F;\X)5.....(....... /..D..R%.dW..T.r.e....B..C(..u..mf...7......C".. ..6.]...(.."..vXc......<Rb.!.GB..6....B'qW..z..Ii.....T.(..Z..q...v#.......U44.X%....).(Q.:U...=....\............D..[8fG..S....c.Bf9z.s.....m...V...u{s..z.7...a...4...[?..J1p.uW....R_]...e..U......0..

GET /-ao95uV_Um5c/VMQRVLaoNQI/AAAAAAAEXeY/pI6fjZbMjl8/s1600/0.png HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 3.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v45de7"

Expires: Sat, 31 Jan 2015 10:39:47 GMT

Content-Disposition: inline;filename="0.png"

Content-Type: image/png

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:39:47 GMT

Server: fife

Content-Length: 95589

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 807

Alternate-Protocol: 80:quic,p=0.02

.PNG........IHDR.......,.............sBIT....|.d... .IDATx...Y.$[~..;...d...W_...n......../c........Bb@B......^..$..0#.B....@B...F @`.....lf........U..../c......Ddf.m.......8..o....._..._.U.G.4...V...1~......hd..."...|<...\.lk.h .MH:.n..............d.....|wP...z........n...u......CR......>.. 1.WJ.O ..rK ...aA......{....2....a...1TP...._.w.e.{...g....n7.X.g{.]/YY....y_hJ.!F...>.{..3...|m.$./..t..6]{.."$9... K..... ..2.9.....S-%.!...P.9....(.....')1@.....1xQ...,|. ..3,?c..,|I#K,?....i.6....A.xqv<.....^#.k.h8..F.P...v3.LH.X..C..r4..L.8.W..........~=...9$.......b.....fX@|...80$..2.).X........|.m.0d.....9....."g....s....C....Pd6.ChJ...<...P...!y.=...T...x.9.J2....t.$......j.b...s........3.L.1.k.....R*d....................rF.!...$.-C.e.;.....A.i....{..T 03.^.e9. 3.....zy..o.l..L...A:.o......D.:?....?}.,c5&}.z.x&J].....}W.'...N ..f:S...F3e..Y-.,V.|.P.3.L......D......Ir.J-T.:.S.XI$..2.?H*O...9.l....PS..m..g.i,...R......A@`."... I>. .U..:....1O.u:.i......CJd&.p'I. U..g.Z.h{. .... e.2X.Na8......L..}hJ..e..XG..,0".C....O.M5.....OT%2.....s..G9.Jma.I..LM..J;O=S....I..J..9...DN9..UF_...D.8.S.b...Sd9}.tqJ.=".bz.0o.G...n7....%U...g)..........9..`.R.j...bq.@......'..X...J}.).:.o... .39...b..9...Y....O.'....3rt....<..9........>q.i..!9...u"..L.I<.~.#....y.(._!..CF>l..I>.wD.H0.$2../.$..b..j.1>4%....f.S..Tg:...H.S...T."&. ..\.3..fD`F.CN.T.._R.%....' .*9Oz!...9;O......u*b...g...P..2Q....k.bN..zI..fJw.`.........i..i.`.Rr...).0V.r.*...SD...1AQ....$.......8...!........[.9e..BF.}..MF..:..$U....t....O.

<<< skipped >>>

GET /-I7qMNrH15Bg/VLk-QT3KL4I/AAAAAAAEUGs/7Yx5LDt8E7U/s1600/2.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 3.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v4506c"

Expires: Sat, 31 Jan 2015 10:39:47 GMT

Content-Disposition: inline;filename="2.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:39:47 GMT

Server: fife

Content-Length: 18814

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 807

Alternate-Protocol: 80:quic,p=0.02

......JFIF..............Exif..II*.......1.......2...;.......9...i.......H.......Google.Design X-pats............0220........~.......................,.......................ICC_PROFILE...............mntrRGB XYZ .........$..acsp.......................................-....).=...U.xB....9.................................desc...D...ybXYZ........bTRC........dmdd........gXYZ...h....gTRC........lumi...|....meas.......$bkpt........rXYZ........rTRC........tech........vued........wtpt...p....cprt.......7chad.......,desc........sRGB IEC61966-2-1 black scaled..................................................................................XYZ ......$.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|...............................................................%. .2.8.>.E.L.R.Y.`.g.n.u.|.........................................&./.8.A.K.T.].g.q.z...............................!.-.8.C.O.Z.f.r.~......................... .-.;.H.U.c.q.~....................... .:.I.X.g.w.....................'.7.H.Y.j.{................... .=.O.a.t...................2.F.Z.n.................%.:.O.d.y...............'.=.T.j...............".9.Q.i...............*.C.\.u.............&.@.Z.t...............I.d.............%.A.^.z...........&.C.a.~...........1.O.m...........&.E.d...........#.C.c...........'.I.j...........4.V.x.........&.I.l...........A.e...........@.e......... .E.k.........*.Q.w.........;.c.........*.R.{.........G.p.........@.j.........>.i...... . A l . . .!.!H!u!.!.!."'"U".".".#.#8#f#.#.#.$.$M$|$.$.%.%8%h%.%.%.

<<< skipped >>>

GET /-lYQ_6IJ9-1k/VJvzDQLQ5ZI/AAAAAAAEKxk/dRnS1Y_bqZs/s1600/0.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 3.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v42b1a"

Expires: Sat, 31 Jan 2015 09:28:19 GMT

Content-Disposition: inline;filename="0.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:39:47 GMT

Server: fife

Content-Length: 27133

X-XSS-Protection: 1; mode=block

Age: 808

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d.......................X...............................................................................................................................................................X....".........................................d..........................!.1A.."Qa..2qu...#B..........%&Sbr...$356DRTUV....4C...Est..d.......ce....................................@......................!..1."AQ.2Raq........BS....3.#br..$CT...............?..\...P....~.Ey....^y.T.....,-..ql....EJZ.T..M.0Eo....7A..O..{.....~a.|./...&.%./W5z..n.....x....?.t......R...A8B...K4.....=?.....@..P.DS...%.....P.sY..g(?.)..W.W.n........^.@F.=....P..k......E?...c....;B..!..U.u.d..C..R.e).1,%J.0...;iV_Vb..H.n.,....:.....`..!..s9.... .J....B..P..D.....sf...g...d?..,~.uc..#......}.J..*O.S.]....*......CE..#..6L.q...P..E.......d....R.....&s..UO.:_.S.\.$'.U.w.......2K..o...F.............v..;T?....M}r8..D.g.%3........ p.7.?.-'.l..0.Q.../j=,y)......y.d....S.....!{..E[.i......0.Jo: ..Ud_.>..SL...)..Ay^....>..T.{n7!:...9d-.D..J....T...,A..."\.s...O......wjT...X.....o.:..n.....\....o6..U..x}:.8..{.. ..\.?.0..i.'..Y. .....7..G...TI.......^...&5".'.U..DtQ."..."0..F.0.W....(.....!.t.V...dH~..?2C..H.........F..Z.Ii.....$....,c,$.#..F!$.....y/$..^.w.i..V.l..]...c.^O.3.W......V.l..]..o....*.uJ.<....o.4.......0..?....h..'..D...r..y..F...p...#.h..N.P.*7.sRa(/..dG..T.....".E..".......'JEo......z,/3.n.x....LNK.M....Kju`)y..m...GE).EF...y/..7H..L....h..]bK..A.

<<< skipped >>>

GET /_ukqwa9IFmR4/TRw5oR3LM0I/AAAAAAAAAB8/1s_TvrzEhZQ/S220/26392_1104606111494_1717008926_185805_7177542_n.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 3.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v1f"

Expires: Sat, 31 Jan 2015 10:53:15 GMT

Cache-Control: public, max-age=86400, no-transform

Content-Disposition: inline;filename="26392_1104606111494_1717008926_185805_7177542_n.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:53:15 GMT

Server: fife

Content-Length: 14470

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............*Exif..II*.......1...............Google.............................................................................................................................................................................................L.........................!..1."AQ..aq..#2....$3BRs.4brt......S........Cc..................................8........................!1.AQq."a.2....3B..#...r..$Rb.............?...... 7?...?......<..=.g..3.8.KIs............R.<.....K.|...E%.>g.p"...3.8.Is.......q.?3....>g.p"...3.8.K<..~g.)c.|...E%.>g.p".y.....R\..~g.)c.|...E'.y.?3.EAx...[V<.'.9.."...{.....eR..i<v$y.|.!cN.....KF......U.9..A......\...G.z.y..........X.P..A.....u..#...8......-8....KN.%.......p!=`P.|X...>U...C.D_.....O..y......W>.1........}.........X....C....*..d...RQT}cmH[..cc~...^K?...`....P.....:;..RDJ9!....t.~.#4....ag..O(.;N.E..a.J....n.Z:....@.`5n..Y.y.$*c5h....S.@.v..:_.u......xy.saun.kvG..A.Gh....7.....{S.........M$D..^......Dj&t...c......nln..mp/..k0.....8.z..=N...K.....!#.....l...uW..c...|...M...\.......h.....=V.b........S.k!_..Sbv:.....{.E.<@..&...q.......4Q...,dR.....1.....G.m..X.#.{.ca...s)..rj..".n.!.0...T..sa.]...k.....J"..tE....F.....k..k..j..$.}..'..F.<....)...B.......q....G...wcd..7..E......F.....7.....s&.......7.........a.X....l.n.._.N...k........?.|1d.*...<.....:.M.....Q......$....-.&x>%#^.JF].#6;Z../R...!#.....{...uP........?.oa..j..ki..i..>:...`R...F......m...>.."....f.m.......%..x..B......E....ocan...`Ix.,.....a...pg...91..l5....(b{...\

<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:33:38 GMT

Expires: Fri, 30 Jan 2015 12:33:38 GMT

Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 16151

Cache-Control: public, max-age=7200

Age: 1164

Alternate-Protocol: 80:quic,p=0.02

............yW...8.?..|{.....S..7.(m.....Ms.dY.iB....%.g..A..$...y.z..%..<mm.I~2...3....k9Z.2.}5....G.........dx.O:.Nz'...:.....I*b.v.o..q....Bh..z6..V.|.})...H..Q.Y....@.a4....'...`....3i..RC.%..0.Fz..J{.'C/...#O\BP]..^..../e..<1..p0...&.i......f{..zm..'&.w1...:...Y:...........p....`.n4....vz.W....|\c.-GX...:...5.y..".F:.. $....'..b2......k....:.....e.. t-{..^.^.....P....3........d..6.nM...."...^..|..1z......dq.t.}.....I46..Kb....1..A...t...q.N.7zt .P.a......o:0.>..$Y..x:=.$.....r./..0........n.%.vA.Ke.*....P/.....My..\..t...J(WW....,.A..<Q..........E..e.(.K.$......uBa ..1..yN.v..E....D=...:..[...>..zX.l^.._..z C..o.......Mk.............^\.G.I?.7.[...l.l=..@.......;...e./y,.cR.w`.d_...0.L/..F.q` j......y.5L....Zp*....#w0.%....]..:T..W...l.4.1U.,.W~.q0.=XO.z'..f.,/e..K..P".F.e..^..9..S...1..1..J.. .4....WW....K..I..x......\....@..c]...tj..3w$...cA... XD..F.a.......3...?..41.!.w}..T 8...vj..(.....q.P...........S^r.......A..X.e.K=J.5,o..0..Q.|=.v..l........j..';...B..$..-....$Z.R.L.OB.tL/:....t..g[..:A......i..4o[e8..3grr..SJI...2...\YW..j3.^J%.................x.?.6...){...o..V.c.........@hi.8.=..jR....]....x^.`.<..7........y1..8...YT...iLm}..Ye7T. X..d..T L Ui.....q}........#....elF.........m.6-..[./.-.x[{5 ....,.<....b.e..aK\].VWMZ....{.x(....O........p..[3I.@....4.)..x...Fk......4.Z.i p.7..`>.o.Z..O*<.c.....i.f...fk.g....J..a..y.....c_.X..%..4.Gz.M$....j5oe.0......$T~..}....0FtC].`-...Z.O..V.:Z..54o.4...oI...... .) ..6*...Y.1......B..-._..{r..1]F.....f..|8..u.OY...38..}5.c.`.. ....`.

<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Fri, 16 Jan 2015 00:55:08 GMT; length=41118

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Date: Fri, 30 Jan 2015 10:33:38 GMT

Expires: Fri, 30 Jan 2015 12:33:38 GMT

Age: 1171

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=0.02

....

GET /r/__utm.gif?utmwv=5.6.2&utms=1&utmn=433791101&utmhn=trollface.biz&utmcs=utf-8&utmsr=1024x768&utmvp=1004x599&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=New - Troll Face Funny&utmhid=1917424732&utmr=-&utmp=/vote&utmht=1422596434949&utmac=UA-29685024-1&utmcc=__utma=174148071.773612308.1422596435.1422596435.1422596435.1;+__utmz=174148071.1422596435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=344341876&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://stats.g.doubleclick.net/collect?v=1&aip=1&t=dc&_r=2&tid=UA-29685024-1&cid=773612308.1422596435&jid=344341876&_v=5.6.2&z=433791101

Access-Control-Allow-Origin: *

Date: Fri, 30 Jan 2015 10:53:10 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

Content-Type: text/html; charset=UTF-8

Server: Golfe2

Content-Length: 366

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://stats.g.doubleclick.net/collect?v=1&aip=1&t=dc&_r=2&tid=UA-29685024-1&cid=773612308.1422596435&jid=344341876&_v=5.6.2&z=433791101">here</A>...</BODY></HTML>......

GET /r/__utm.gif?utmwv=5.6.2&utms=1&utmn=41005801&utmhn=yllix.com&utmcs=utf-8&utmsr=1024x768&utmvp=300x250&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Yllix media&utmhid=871299865&utmr=http://trollface.biz/vote&utmp=/banner_show.php?section=General&pub=586654&format=300x250&ga=g&utmht=1422596435168&utmac=UA-33725520-1&utmcc=__utma=211441629.611147151.1422596435.1422596435.1422596435.1;+__utmz=211441629.1422596435.1.1.utmcsr=trollface.biz|utmccn=(referral)|utmcmd=referral|utmcct=/vote;&utmjid=2118429030&utmredir=1&utmu=qBAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Fri, 30 Jan 2015 10:53:10 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0.02

GIF89a.............,...........D..;....

GET /r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1634483302&utmhn=lindaikeji.blogspot.ca&utmcs=utf-8&utmsr=1024x768&utmvp=788x467&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Welcome to Linda Ikeji's Blog&utmhid=552264825&utmr=http://adf.ly/ruqdu&utmp=/2014/08/b-red-releases-flaming-hot-new-track.html&utmht=1422596438964&utmac=UA-46375425-1&utmcc=__utma=54566198.153484566.1422596439.1422596439.1422596439.1;+__utmz=54566198.1422596439.1.1.utmcsr=adf.ly|utmccn=(referral)|utmcmd=referral|utmcct=/ruqdu;&utmjid=692092355&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Fri, 30 Jan 2015 10:53:14 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0.02

GIF89a.............,...........D..;..

GET /flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: lp.showres.pw

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.28

4f20.. .<!DOCTYPE html>.<html class="wf-adobeclean-n3-active wf-adobeclean-n4-active wf-adobeclean-i4-active wf-adobeclean-n7-active wf-active"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <meta charset="utf-8">.. <title>Install Flash Player</title>.. <link href="hXXp://websource.website/flash/reset.css" rel="stylesheet">. <link href="hXXp://websource.website/flash/jquery-ui.css" rel="stylesheet">. <link href="http://websource.website/flash/core.css" rel="stylesheet">.. <!--[if lt IE 9]>. <link href="hXXp://websource.website/flash/ie_fix.css" rel="stylesheet">. <![endif]-->.. . <style type="text/css">.Text{font-family:"adobe-clean",sans-serif;}</style>. .. <!--[if lt IE 9]>. <script src="http://websource.website/flash/html5shiv.js" type="text/javascript"></script>. <![endif]-->.....<script type="text/javascript">alert('Page can not be displayed!\n\nPlease Update Flash Player to the latest version!');</script><IFRAME src="hXXp://clddown.com/?a=20480&c=66710&s1=in-f" frameBorder=0 marginwidth=0 marginheight=0 scrolling=no width=100% height=0 scrolling=no ALLOWTRANSPARENCY="true"></IFRAME>. ......<style>......ui-dialog{ filter: none !important; }....</style>. ..

<<< skipped >>>

GET /2014/08/b-red-releases-flaming-hot-new-track.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: lindaikeji.blogspot.ca

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Encoding: gzip

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Length: 17154

Server: GSE

Alternate-Protocol: 80:quic,p=0.02

...........}{_.J....."u...S ...i..Z[...........!.I....~...... ^.....0..f.....g[.7.N?l.=.o.\.......n=s.d..p...s2.e.. ..y.5Q..F.Q!o;]Q..j.%V.....b]...$..}Q......b./...:.4.. ...3....`o....>.TA.-.X^=32t.W.eI....'.Q.....e......D.....T.%^..h'W...B.|.....& .;......9...<.^_.m...*K]~...Z.g.....C.P..]...n......s.>Y.v..../g...g.g..........(. ....g.y...f.}...qa5.g....../lC..gu....b....zd5.%...' .......W.......V.^.V=..G..m.6..."MO..V.7.....u.FS=...[.q.p......z..-g..if..b......tl..Z.y.|E.GR.....X.....Y.l.!...@....F..1.L....gM.....Y7...u_..yK.0.*..6...cM.K.k...^...J......x.^N[..Z"u.. "...ok...aF8 ~.....rv\...xmW..^bu..I..)..._;..?..y.5(..U......... ....%G.....)...m.clB...l.8X..^\[]].CV...<......q,....Ja.W.5H.8....dPz6..?P..>f....*0t..C.m_........P.u.YD.........q^............Q.0..^......z.$...8F. (.j.[^...l....c..........8 .:..q..............}.......q^M&...J..~.....%<O.z...2......$P..-2.4..........]l_.l..7.....C:cU.).j..3#.5A.......4h2..2.C.z..f.f..}...2G.n...zP.rQ..b;.....Du....*j.\..r..r..j.yf.(|M.l..T3.....Iy.#.\m.....p.D.x... .3<.2?... .g.{....(>..P[w..@T......z.<.7.BtW.....:..C.[.n.....F...\..W.N....t...N.X.!....sh...\)...RE.....R*.ID}..}5:......-..:...&....ZE...3.mX...k..\.Vs.q.........2$d...K7:.r.("....0.. ........v.....$Y.5t.=..;.\.Xg.S2A.du.e.t......Iw..l..........c......g..../.......`.......it...He..g/......F.[.d3....ma..5.Ui....0....z=Hy....... .o9..y.$.m...j|..n..|....h.v...}%.....[....MPp$..:...,.....3.. .0U'..A...e.....a\....q^g......\....I..!^&...s.8..v.b.\..E...KjA.-...^.w.@.[B.... "P

<<< skipped >>>

GET /i/?l=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: t.dtscout.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:10 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: close

Set-Cookie: d=[]; expires=Wed, 29-Jan-2020 10:53:10 GMT; Max-Age=157680000; path=/; domain=dtscout.com

Expires: Fri, 30 Jan 2015 10:53:09 GMT

Cache-Control: no-cache

Content-Type: application/x-javascript

Set-Cookie: l=RQTnHlTLYpbAhQosvrZSAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=dtscout.com; path=/

380..function _dtsq(e,t){var n=e.split("?");if(n.length<2)return false;var r=n[1].split("&");for(var i=0;i<r.length;i ){var s=r[i].split("=");if(s.length==2&&s[0]==t){return s[1]}}return false}function _dtsi(){a=document.createElement("a");a.href=window.location.href;_dts.host=a.hostname;if(typeof document.referrer!=="undefined"&&document.referrer.length>0){_dts.r=document.referrer;if(_dtsq(document.referrer,"q")){_dts.q=_dtsq(document.referrer,"q")}else if(_dtsq(document.referrer,"p")){_dts.q=_dtsq(document.referrer,"p")}else if(_dtsq(document.referrer,"text")){_dts.q=_dtsq(document.referrer,"text")}else{_dts.q=0}}else{_dts.r=0;_dts.q=0}}var _dts={};_dtsi();var n=document.createElement("script");n.type="text/javascript";n.defer=true;n.async=true;n.src="hXXp://i.simpli.fi/dpx.js?cid=21707&m=1&sifi_tuid=6329";var r=document.getElementsByTagName("script")[0];r.parentNode.insertBefore(n,r);..0..

GET /g_match?id=&google_gid=CAESENgPIAiUVi0jv3eljxknN3o&google_cver=1 HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: um.simpli.fi

Connection: Keep-Alive

Cookie: uid=uK28olTLYpd7uErYf31LAg==; uid_syncd=true

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: text/plain

Transfer-Encoding: chunked

Connection: keep-alive

Location: hXXp://cm.g.doubleclick.net/pixel?google_nid=simplifi&google_hm=A2BCADB89762CB54D84AB87B024B7D7F

P3P: policyref="hXXp://VVV.simplifi.com/w3c/Policies.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Access-Control-Allow-Methods: GET, POST, OPTIONS

Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type

p3p: policyref="hXXp://VVV.simpli.fi/w3c/p3p.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"

0......

GET /g_match?id= HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: um.simpli.fi

Cookie: uid=uK28olTLYpd7uErYf31LAg==; uid_syncd=true

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: text/plain; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

P3P: policyref="hXXp://VVV.simplifi.com/w3c/Policies.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Access-Control-Allow-Methods: GET, POST, OPTIONS

Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type

p3p: policyref="hXXp://VVV.simpli.fi/w3c/p3p.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"

0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 30 Jan 2015 10:53:12 GMT..Content-Type: text/plain; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..P3P: policyref="hXXp://VVV.simplifi.com/w3c/Policies.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"..Access-Control-Allow-Origin: *..Access-Control-Allow-Credentials: true..Access-Control-Allow-Methods: GET, POST, OPTIONS..Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type..p3p: policyref="hXXp://VVV.simpli.fi/w3c/p3p.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"..0..t>....

GET /y_match?xid=OpUesktx0bnS1._7RUN1UBwx HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: um.simpli.fi

Connection: Keep-Alive

Cookie: uid=uK28olTLYpd7uErYf31LAg==; uid_syncd=true

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: keep-alive

Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Server: nginx..Date: Fri, 30 Jan 2015 10:53:13 GMT..Content-Type: image/gif..Content-Length: 43..Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT..Connection: keep-alive..Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0..Pragma: no-cache..Expires: Thu, 01 Jan 1970 00:00:00 GMT..GIF89a.............!.......,...........L..;..

GET /1/92a411bc23?a=4058140,2334836&pl=1422596420199&v=476.c73f3a6&to=YlNSbUYAV0IFBhdaWVsZc0xHFVZcSxYLXERBU15cRiJWXxAXDF9aUEQfTFoyUV4WEQZd&ap=8&fe=8922&dc=8922&f=[]&at=ThRFGw4aRB1GBEEJTUhL&jsonp=NREUM.setToken HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: beacon-3.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=c9667d3371c3955d;Path=/

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: text/javascript;charset=ISO-8859-1

Content-Length: 25

NREUM.setToken({'stn':1})..

GET /imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://yllix.com/show.php?vs=&ad=286387&f=300x250&a=956646&s=MDhiZTA0ODk4Y2VjOGU2MzBlOGVjODY2YmY4NDgwMjM=&u=586654&si=742431179&di=5811174&ci=16&cc=CA

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 152media.adk2x.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.4.7

Date: Fri, 30 Jan 2015 10:53:11 GMT

Content-Type: text/html; charset=UTF-8

Content-Length: 0

Connection: keep-alive

Set-Cookie: tuuid=10a3a476-f689-4ad6-a8d2-212c3348e170; path=/; expires=Sun, 29-Jan-2017 10:53:11 GMT

P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Location: hXXp://152media.adk2x.com/ul_cb/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r=

Cache-Control: no-cache, no-store, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

....

GET /ul_cb/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://yllix.com/show.php?vs=&ad=286387&f=300x250&a=956646&s=MDhiZTA0ODk4Y2VjOGU2MzBlOGVjODY2YmY4NDgwMjM=&u=586654&si=742431179&di=5811174&ci=16&cc=CA

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 152media.adk2x.com

Connection: Keep-Alive

Cookie: tuuid=10a3a476-f689-4ad6-a8d2-212c3348e170

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: tuuid=10a3a476-f689-4ad6-a8d2-212c3348e170; path=/; expires=Sun, 29-Jan-2017 10:53:11 GMT

Set-Cookie: ih=!54524436,191857991; path=/; expires=Sun, 29-Jan-2017 10:53:12 GMT; domain=.adk2x.com

Set-Cookie: lcri5m=!55263156,1,191857991; path=/; expires=Sun, 29-Jan-2017 10:53:12 GMT; domain=.adk2x.com

Set-Cookie: lcai9h=!55442323,1,191857991; path=/; expires=Sun, 29-Jan-2017 10:53:12 GMT; domain=.adk2x.com

P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Cache-Control: no-cache, no-store, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

Content-Encoding: gzip

16a............e..r.0.E....Ew...X.#.....Z.8!D...H..........{N?.y6.......-C.V..3&=...(....Z..>.%....p..9.=Q.0....(d.#qS...Q......:).n@Y?...*.(..%k......../....'AX.... <..b...f.Q. ~..>.z%tJn..Y.....5r.:........9EE......../...fN)n..m.^..<<.!j........W6.ImC...b..&/ciQ..K.)U..:...f.....#A.......=x...'m..C....9.M..r.5c.=....}}....AQl..x.....c.......fAA._..:.].F...L.9......0..

GET /img/200x300.gif HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: lekkigardens.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:14 GMT

Server: Apache

Last-Modified: Thu, 02 Oct 2014 14:23:46 GMT

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Keep-Alive: timeout=10, max=500

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: image/gif

1faa..............g@S..7.N.Z..B..z..;.;....T5...w.Ho.;.zG@D@T..XPQ.....................3{2......QPt.....^.......~....d.D.}..nk.18..;1..<.a.sQ.ZSI..........r..o.......].V ,.K3.k...1..>W..Vy.w.sp~...../....^.lm...{.....O..m.775.6.......S.......g..t.....Zm..<.R<^.z.5._R.0.b...&..U..;W.:..$a..|..~.......*_...T~.zc.....d..pS]Ic.Mi....tRQ[j...3D.&Mq....g.#..r.....z..m =......?......s.77..|.t....d.. )5.. ...YxB..............y...=.............w?..PF..~Jfk....h..]..C...2.P..........%^Z.a.I.:ui.....$....]X_.{.s...?.].........v..Z.M.P.../}i.U.bq.:..I?.r.".......5.6....M5.pQ...#59nyz6.'.-1..O..Inhv.....p............;E^v..z.../.{/~..ot.y4.._<U.r.....j<R........|c|4....E/>.3..x...fX....xi./9........z..........i[.w'='.O....77.?......z..H.9.}.......ZY_''.6.....E.......2.........Hm.RO.........#G.##..G.=#...?.,.T.....&.......R..'..S=U......G.{~^Q.....YZGM.T.~....;>....s..R...g...%....%.~..}In.mi..n.-%.......%[cS..s.......@gW..P...m/.U..COx.^n.<6....@MwO/..`w.(.K.(.WE7..jh.....@?.Pgt.....R.*..[........_.A.W.P.U....@...f@.;ZV.#......$%$.e.....R.I.5..5I)qIy%i)%....?<W...<...t.7..3U....@.k....%..%..o_.TTT.O.RR.W%.C".C.#..Cx...-...`..P.....jtv...U..j...._......?D..:$...w-.9..........._.CB....f...C,#..........._...o..g....?..Z.t#..jP.}..\....C..Ty..H.y.))j.h..I.k..(h.HJ*Jjkhj*...H ..K*.w.........................................:....7_. ...V...VI3..94 .2 ...%..3 4 .3 ..i!....w.........j..{.qw....C...U....Kcd..e.u4...z..h...<.kW.........._.........:.?...../.W........_..?.|?......O.?...w|tx...vw...W./.

<<< skipped >>>

GET /static/image/ahl6532.gif HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:02 GMT

Content-Type: image/gif

Content-Length: 3221

Connection: keep-alive

Cache-Control: public, max-age=604800

Cf-Bgj: imgq:85

Etag: "c9d-51b1c54e-616cf7bbbb5ed14c"

Expires: Fri, 06 Feb 2015 10:53:02 GMT

Last-Modified: Fri, 07 Jun 2013 11:34:38 GMT

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1b0d1f97f476053a-YYZ

GIF87a..:....GPL......rp3..$...{...1U2JJ-Qp.;a...........,..1...7h..y4.....-..qOQ7..3.......5Z.................4....=Q...p..Hg..Eh.*M......[..'%'..BUr...G............fm>.....F.....E..n......779...M]C..X...[e=>@Fq.....ijm.6[a}._x...Q........p.3O..8Pl......\.3W.>a.....Z......m.... ..6.#.......Fy...U......#.!..>=6) .8l`;.....!;/.B`|J@..,A0- .6W...7\{..R.0T./S.8^.7].;b.:a.... M.,O..Q.-P.*L.9`.)K...,......:.....u..uR...2./...2*.....**..............o..W....W]/............*./...(..........&.]....../............2....................v.....W...TG..%~..*\......#J.....C(....Q....(..I..I.......eG..L..I..M~}r..i.b.!.\...1...H.*].....P.JmZ..P..........`...A.G...L8..`..#...8.b`...^....2...WCx.@!...&.*n:...;g.&......9&.......r..}..C..(.{.2...0k........;...|..e7..w^p.Fh.9.(_..y..U..8r...2g.....I....../..............M..l......la.`...$..ZK....v....~.6..y.5..{J(...v.'_qR8.!xE....:...[U<...(.`..."...4..!z...Ao...F.-.`ao.h8....(...L6.$.Z.0..V.....0.@..x...1n...m<i..h....76.....P..NJ....q.....G.......g.....@`..Vh...e....c8....f.)..A..........yY.|.i...>.F.l,.@...`F.#8Z..."... .A..".j..m.!.g.}@..i.P\.O......Y...rKh..4.........P..v.R......D...k....[...F{..R.K..?@.........3.....p...L.C..me........."1..#P...(.|/.E...e.0,..R(........k$...>,A...o.%......jP0.._\6.... ..@ ...38pu..J........Z..).E.q..;..a.i.pb.-.k..wcpD....x......P....8pY.....F.....a.g...m..E.0...........N..@$.F...@..@..................f&.....[f.....D............*...M..D..a.|...$...w..z.........;...`........7...s.@o..;).....^..e8..`z....|../.a......E...a

<<< skipped >>>

GET /static/image/d_bottom_bg2.png HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:02 GMT

Content-Type: image/png

Content-Length: 112

Connection: keep-alive

Cache-Control: public, max-age=604800

Cf-Bgj: imgq:85

Etag: "b0d-542ac002-8de1d53435b0efc8"

Expires: Fri, 06 Feb 2015 10:53:02 GMT

Last-Modified: Tue, 30 Sep 2014 14:36:50 GMT

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1b0d1f98a495053a-YYZ

.PNG........IHDR............./?B....7IDAT.W..... ..B...9...&.E]."[.....|'...l.y63.j..vy~.g....(..G......IEND.B`...

GET /adj/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;abr=!ie;sz=728x90;ord=[timestamp]? HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ad.doubleclick.net

Connection: Keep-Alive

Cookie: id=223d076a6a0300d7||t=1422615192|et=730|cs=002213fd48556f693ae5c022f7

HTTP/1.1 200 OK

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Date: Fri, 30 Jan 2015 10:53:14 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: text/javascript; charset=ISO-8859-1

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 31

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic,p=0.02

...........Q..U..................

GET /Track?pai=26d49ef3669c26f2&guj=300x250&fat=26d49ef3669c26f2 HTTP/1.1

Accept: */*

Referer: hXXp://152media.adk2x.com/ul_cb/imp?p=41001717&size=300x250&ap=1300&ct=html&u=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g&r=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dispaa.website

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Transfer-Encoding: chunked

Date: Fri, 30 Jan 2015 10:53:10 GMT

121..top.location.href='hXXp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=';..0..

GET /dpx.js?cid=21707&m=1&sifi_tuid=6329 HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: i.simpli.fi

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:11 GMT

Content-Type: application/javascript; charset=UTF-8

Content-Length: 4500

Last-Modified: Tue, 04 Nov 2014 19:07:43 GMT

Connection: keep-alive

ETag: "545923ff-1194"

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Access-Control-Allow-Methods: GET, POST, OPTIONS

Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type

Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Set-Cookie: uid=uK28olTLYpd7uErYf31LAg==; expires=Sun, 31-Jan-16 10:53:11 GMT; domain=simpli.fi; path=/

P3P: policyref="/w3c/p3p.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"

Accept-Ranges: bytes

(function(win) {.. var hostname_as_int = parseInt((location.hostname || "local").substring(0,10), 36);.. if (typeof win['dpx_' hostname_as_int] != 'undefined') {. win['dpx_' hostname_as_int].run();. return;. }.. var dpx = {. sifi_pixel_url: '//i.simpli.fi/dpx?',. pixels_url: 'hXXp://i.simpli.fi/p?',. pixels: [],. matching_pixels: [],. protocol: (location.protocol == 'https:') ? 'https:' : "http:",. pixels_to_drop: [],. dropping_pixels: false,. rescue_pixel: null,. company_id: '',.. run: function() {. dpx.drop_pixels();. },.. drop_pixels: function() {. var sifi_pixels = dpx.get_sifi_pixels();. for (var i = sifi_pixels.length-1; i >= 0; i--) {. dpx.add_sifi_pixel(sifi_pixels[i]);. }. if (dpx.does_allow_matching() && !dpx.already_dropped_matching) {. dpx.get_matching_pixels();. } else {. dpx._drop_matching_pixels();. }. },.. get_sifi_pixels: function() {. var nodes = document.scripts || document.getElementsByTagName('script'),. pixels = [];. for (var i = nodes.length-1; i >= 0; i--) {. var node = nodes[i],. src = node.src || '';. if (src.indexOf('/dpx.js') > 0 && !node.getAttribute('data-sifi-parsed')) {. node.setAttribute('data-sifi-parsed', true);.

<<< skipped >>>

GET /p?cid=21707&cb=dpx_58114617._hp HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: i.simpli.fi

Connection: Keep-Alive

Cookie: uid=uK28olTLYpd7uErYf31LAg==

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:11 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

P3P: policyref="hXXp://VVV.simplifi.com/w3c/Policies.xml", CP="ADMa DEVa PSAa PSDa OUR IND DSP NON COR"

Set-Cookie: uid_syncd=true; path=/; expires=Mon, 02 Feb 2015 10:53:11 GMT; domain=.simpli.fi

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Access-Control-Allow-Methods: GET, POST, OPTIONS

Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type

Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

304..dpx_58114617._hp({"pixels":["//adadvisor.net/adscores/g.pixel?sid=9201915418","//um.simpli.fi/pm_match?hXXp://image2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTgwNiZ0bD01MTg0MDA=&piggybackCookie=uid:$UID","//VVV.googleadservices.com/pagead/conversion/1026675585/?random={ { cacheBust } }&cv=7&fst={ { cacheBust } }&fmt=3&value=0&label=eGG0CO2U2AIQgafH6QM&guid=ON","//um.simpli.fi/ox_match","//um.simpli.fi/rb_match","//um.simpli.fi/cw_match","//um.simpli.fi/lj_match","//um.simpli.fi/an","//um.simpli.fi/fb_match","//ads.yahoo.com/pixel?id=2085077&t=2&piggyback=http://ads.yahoo.com/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1","//cm.g.doubleclick.net/pixel?google_nid=simplifi&google_cm&google_sc"]});..0......

<<< skipped >>>

GET /dpx?cid=21707&m=1&sifi_tuid=6329&cbri=1334375555843&referrer=http://trollface.biz/vote HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: i.simpli.fi

Connection: Keep-Alive

Cookie: uid=uK28olTLYpd7uErYf31LAg==; uid_syncd=true

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:11 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Access-Control-Allow-Methods: GET, POST, OPTIONS

Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type

GIF89a.............!.......,...........L..;..

GET /nr-476.min.js HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: js-agent.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: IPGgWlaMkm7vqpwaNMM6LCVEcUway5aIDCMrISBYqdlzi/wlOHX6WHeJ1A1v5L/P

x-amz-request-id: 1FD492465421D709

Cache-Control: public, max-age=315360000

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Last-Modified: Tue, 30 Sep 2014 18:19:08 GMT

ETag: "d131658362c40cedda15546bb81e9644"

Content-Type: application/javascript

Server: AmazonS3

Content-Length: 18146

Accept-Ranges: bytes

Date: Fri, 30 Jan 2015 10:53:04 GMT

Via: 1.1 varnish

Age: 10496934

Connection: keep-alive

X-Served-By: cache-ord1724-ORD

X-Cache: HIT

X-Cache-Hits: 233659

X-Timer: S1422615184.623769999,VS0,VE0

Vary: Accept-Encoding

!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var u="function"==typeof __nr_require&&__nr_require;if(!i&&u)return u(t,!0);if(o)return o(t,!0);throw new Error("Cannot find module '" t "'")}var a=e[t]={exports:{}};n[t][0].call(a.exports,function(e){var o=n[t][1][e];return r(o?o:e)},a,a.exports)}return e[t].exports}for(var o="function"==typeof __nr_require&&__nr_require,i=0;i<t.length;i )r(t[i]);return r}({1:[function(n,e){e.exports=function(n,e){return"addEventListener"in window?addEventListener(n,e,!1):"attachEvent"in window?attachEvent("on" n,e):void 0}},{}],2:[function(n,e){function t(n,e,t,o){l("bstAgg",[n,e,t,o]),m[n]||(m[n]={});var i=m[n][e];return i||(m[n][e]=i={params:t||{}}),i.metrics=r(o,i.metrics),i}function r(n,e){return e||(e={count:0}),e.count =1,c(n,function(n,t){e[n]=o(t,e[n])}),e}function o(n,e){return e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.t*e.t,c:1}),e.c =1,e.t =n,e.sos =n*n,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}function i(n,e){return e?m[n]&&m[n][e]:m[n]}function u(n){for(var e,t={},r="",o=0;o<n.length;o )r=n[o],t[r]=a(m[r]),t[r].length&&(e=!0),delete m[r];return e?t:null}function a(n){return"object"!=typeof n?[]:c(n,function(n,e){return e})}function s(n,e){"undefined"==typeof e&&(e=(new Date).getTime()),p[n]=e}function f(n,e,r){var o=p[e],i=p[r];"undefined"!=typeof o&&"undefined"!=typeof i&&t("measures",n,{value:i-o})}var c=n(1),l=n("handle"),d=n(2),m={},p={};e.exports={store:t,take:u,get:i,mark:s,measure:f},setTimeout(function(){d("bstAgg",function(){})},1e

<<< skipped >>>

GET /-220e_g7edhs/VMsXtforiJI/AAAAAAAEZzg/Ru02XyZTxSs/s0/22.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 2.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v46739"

Expires: Sat, 31 Jan 2015 05:36:19 GMT

Content-Disposition: inline;filename="22.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:03:42 GMT

Server: fife

Content-Length: 238316

X-XSS-Protection: 1; mode=block

Age: 2972

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

......JFIF..............Exif..II*.......1.......2...;.......9...i.......B.......Google.Olabode............0220........x...........`.............................................................................................................................................................................`..".........................................i............................!.."#13A2CQa.BRSq.....$TUbcrs.......4..........Dt....^u.....d.....&e.......................................R........................"...2..BRb...!r#1AQS....3CTq.......$a.4c.....EU..%Ds...5............?....7...IW.|....%%.W......@_.?..................@_.?.... /....I.U....Iv.....%v.....I..nl..)...f.iE...;.... Lm.....3S...O e..._.....Y$^y.@.s.P..3.;...$...s..Z.).q....W."(.........&^9.{.qC.....Mk.ei"?...{z.a..L..}G.......="xs .....q#..>_.B_......*../...II....W.U(%.2J../...IWK.}..:JL..]FJi~/...IY%...o.%%.tm.%/g.....U../...II.........}..:J.....|.):.......}..:J..2..W..JMZ...J>...O...V._~?.........G. /....V[.}...:JNZ.......}...:J..@_~?..... .".N.#XI.r.V..ut.fz'.?N.NS.;.....m.r..\..,e.L.)Eg'.>T..I..i...$..P..|...j}.(cp.H:.l.b......L.3...Y.C..HI-w.R...6..vH.......$.oG?W.(=."Et..{..HJ..{..Gq.....h.R...N....q..0o<.Yd.:.../...IWK.}..:JMJ..%.._.....VI~/...IIm....J~........./...II.W..A).<_~7.....}..:JM..oA){>_~7.....}..:JO.P.........t.o......%&.U..%.g.....U.._~?.................-.....%':..oCrQ..H.....U.......):...k.........Y.o.GH}l......N{...v{{Dc..t...^<.p{4.....!m..e!.,.............m..J.^.1..>TV..W....3.^r9...T...u.I........~.G.

<<< skipped >>>

GET /-A-xhStXKSRc/U2Ib-ESdJbI/AAAAAAAC1Tc/LfWTAWidGB0/s1600/2.gif HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 2.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v2d538"

Expires: Sat, 31 Jan 2015 09:38:22 GMT

Content-Disposition: inline;filename="2.gif"

Content-Type: image/gif

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:38:29 GMT

Server: fife

Content-Length: 66872

X-XSS-Protection: 1; mode=block

Age: 886

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

GIF87a....w..!..NETSCAPE2.0.....!...,...,.................zEDD........./dt..O....G .Ez.G..HF.&G.*v....hw.....#.......fI.'...Nl.E. B..O.(..i.....Ix.......({.gy....IA..P.##.'i..e.............L..e.....(..Hd...o^I.F...c.......h@.i........'f..M.8z.g/.....vK,$G(=.....f..*.J..8{....w....KLM..e.%1.H)..z.i..5H.8eV.2.......Ux..k.gb..T..|.X........y..Va..^]sz.....7..K.8E.UK....U'........O...7.([KR......w5b..,.Y.....8.....{.g(A.Hh.Y..'..:.j9"....ha.(/..q..!Z_b.....x../h.AvduyF..x/........wgdg.WC.vJ.<...L443.9.....w........w..x..yF..2YVX....6f.:0G.3.....,.Vb.zg.: .X....g8L....Zh..n..).Y).w..xc.ZD...wv{......;..x.U.....v..Q>;>....j).Y..I0Y9-w.U.....O....i...-uFh.....mnnk......kYg..O.(E.'..jH..P.(E...&&%........P..m.8~.7F..M.6D.......w..WI.:...4..........u.iGB.z*.....Q..m....G.....g..e..I..g..GQ.J..)..gPI$3..........Z........5.H......*\.......~..d....3j...... C....SE.(S.\..e.O-c..I.c..5s..9..L.@...pR...-."].t........1.2m..h........0PR...t.0.Z....6i7.Y....]......o[.}..a.F['&..k[...bC...........u...c.Nu....C......nQ...?q..6M..k.-...]#-.~.U..- ..u..(Q..N....Gw.m...'L2....E..5..bUU[.Y./....u...C.~m1[:......N.|..HcZ~...G6!.'.?Q0....F....8.. ....su..\t...O..."A-.T......^...v.g.l#..)x..i....}....4K....H.x....PD.x. `.<dS..<.........!0...J0a.!..B.;...I...R.Y.dRK->.....Z..<.T.I..........F..W...e..;E......%.n~..$p|PE..Q...>..s.r....h.].W.-........Y.hx.*h.h.......j...O8|....H.p`F<.........K<*..,b...R.Jar....=...Q..@..5.Qp.N..I.g..{(..2.........J...x.#....P...%......K.....6.Z.@!k..J/........l#....z....g...B.|

<<< skipped >>>

GET /plugins/like.php?href=https://VVV.facebook.com/x19ltd.adfly&width=150&fb_source=unshorten&layout=button_count&action=like&show_faces=false&share=true&height=21&appId=399141353502152 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.facebook.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://VVV.facebook.com/plugins/like.php?href=https://VVV.facebook.com/x19ltd.adfly&width=150&fb_source=unshorten&layout=button_count&action=like&show_faces=false&share=true&height=21&appId=399141353502152

X-Content-Type-Options: nosniff

X-UA-Compatible: IE=edge,chrome=1

Vary: Accept-Encoding

Content-Type: text/html; charset=utf-8

X-FB-Debug: yxUg97sCqTt770YHItfhN3eEajGUQBD09rd/C/ODe2wI8JyNvnWwRh4qKeFVg/460DkWY2weekfzSUty9LuOSg==

Date: Fri, 30 Jan 2015 10:53:02 GMT

Connection: keep-alive

Content-Length: 0

....

GET /plugins/like.php?app_id=669034239861694&channel=http://static.ak.facebook.com/connect/xd_arbiter/7r8gQb8MIqE.js?version=41#cb=f251c3fa86634de&domain=trollface.biz&origin=http%3A%2F%2Ftrollface.biz%2Ff33b7892863bd18&relation=parent.parent&href=http://VVV.facebook.com/trollface.biz&locale=en_US&sdk=joey&send=false&show_faces=true&width=290 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.facebook.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://VVV.facebook.com/plugins/like.php?app_id=669034239861694&channel=http://static.ak.facebook.com/connect/xd_arbiter/7r8gQb8MIqE.js?version=41#cb=f251c3fa86634de&domain=trollface.biz&origin=http%3A%2F%2Ftrollface.biz%2Ff33b7892863bd18&relation=parent.parent&href=http://VVV.facebook.com/trollface.biz&locale=en_US&sdk=joey&send=false&show_faces=true&width=290

X-Content-Type-Options: nosniff

X-UA-Compatible: IE=edge

Vary: Accept-Encoding

Content-Type: text/html; charset=utf-8

X-FB-Debug: p gC28Ye8punk4bVBSEUlntdxqj8R990XnIfeTCle0TPQBDJa DXjgDdEHbgahBqKjeAMwsR0f28Dj7sWTawGw==

Date: Fri, 30 Jan 2015 10:53:11 GMT

Connection: keep-alive

Content-Length: 0

GET /vi/poS0YGKNSTs/0.jpg HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.youtube.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Thu, 01 Jan 1970 00:23:30 GMT

Date: Fri, 30 Jan 2015 10:35:52 GMT

Expires: Fri, 30 Jan 2015 16:35:52 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 11563

X-XSS-Protection: 1; mode=block

Age: 1036

Cache-Control: public, max-age=21600

Alternate-Protocol: 80:quic,p=0.02

......JFIF......................................................................................................................................................h...."........................................`.........................."2..#3BR...!1CSb.cs..$AFQqr.......%4.........5Dad.......6tu.....ET.................................-.......................2."3.B..1..#AQ..5Rb4............?.. ................N..>..P`._......ug........'.f.d.._Q.:[{....)..*........Sjy.uT...V....S[I$..r..A..-J.C37........P..T*vYt...Fs.M..k.......#B....WR..y......\..Uw..{Y:..~..~...wXV}MN...I...w......n.B9.w........M...]b.f^..)&.......mN....=.........R.....N..eZ.{~....&...Z..2G.2D./..&.5..R9]..p.......kNo...O.M....Ofk=4.f...ll....C..b...>K.....fHL.=O.*.}. H'{id...K.....i[....u.....(.St..{....S.2...LV.W.1..PV..P.n:.L>...{....c.%.b..s=.....................................Tx.....f.G.~Nxr..^..l.us.)2.....d...j..~<..I..Yu:......kb.....MjJ.x.V.g.F,j..9..M....L......L9[...f..G.$>i....sL... ........Z=...m..$..T7.M..$..[...}.....\..W..7k..f..p....U.m.9......i.N....z*to]U.4..2..X.7.XD.je................V.R..8c5.M~kP...*]U.SC.....?.&if.V..0..A...f...~jNk..[..g%[.....~jKg{.>(`..%Rm........6....Cs*.......l...$.{3....^.H.{R.2U/r=.ezj.X&...B...n{.d..Tc.m.........&....Q M.?.g....~.8......_...'.......................................6.N..........tx<...j....'.h..)..5...b.9..y<...bG.....=6.8..M....{p.7q.....QQ.z...e.zYKq...k...{s.....T..........f...&.v.#.dK...`vf ^.....cl.......6.O......6.K#g..yI.w\S>...nmS...]l...:....jn...=...

<<< skipped >>>

GET /vi/RCCXZ8ErVag/0.jpg HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.youtube.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Thu, 01 Jan 1970 00:23:41 GMT

Date: Fri, 30 Jan 2015 10:53:08 GMT

Expires: Fri, 30 Jan 2015 16:53:08 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 14209

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=21600

Age: 0

Alternate-Protocol: 80:quic,p=0.02

......JFIF......................................................................................................................................................h...."........................................V.........................."2B..#13R.!Cb..ASr....$Qcs...EDq....Tadt..........U....E................................/..........................".2BR..!1Qb...q................?..........................................................................................................................................................z...............$...?.^.#.&JwV.....'.?...sK...c.70...,.... ]I........m..e....W..=,..xK.t..b@..nG.9.l.U.q.....Q._.....;....FV..._b.................,`.....`...M..&....<8.x...i7._T....K..\yE..?.. N..~..C....A.WP.......r.@...RO(ug.....g..V.(....V.(uI<.0...Q<..F..;........h~'.....G...wA.....eO..8..........]_.,...JK...C..01@i.a.,;.....G.9.p.........'........3..,.{..~.2.iq....a......c....|. [.....#V.U0 <.b......7....Z.....<g..J).....O>/.SI.A.tSK..L. ......q.k.%Do..g.T...W..O}"zA.<Hbj...i.s.C.!..,............-..z*..._S.."...V...h...3.e....D....a.../...)...%..........v...4.k*j......X.q...w.....<......F,@..X.<..H....h?...F.0.*....j.F))...cF..2&..9.6.-r].. ?..Tb.yQ.....M.C3.]L.. ..O...8..y.#....vl.....Td\.2<....j..nJ../.9..1.....v...M.M;...........C...9..[.$::.6A.E.a"2...3..*3......;...s.&E.....=..1..nR%...c..Q.... )r...|[[..D..O...t..n.}2..kk%.....Oq......O...fab...2..d..6.!.......B......9...B.&N.n.*....NO|..!...5]7.....G....E...>...........4..M....G...n!7..$.I..

<<< skipped >>>

GET /nfXqfv7.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: i.imgur.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Mon, 15 Dec 2014 21:41:24 GMT

ETag: "ec32d787d28bea03b02b2b08957d4ad0"

Content-Type: image/png

cache-control: public, max-age=31536000

Content-Length: 11761

Accept-Ranges: bytes

Date: Fri, 30 Jan 2015 10:53:08 GMT

Age: 3935504

Connection: keep-alive

X-Served-By: cache-iad2131-IAD, cache-ord1729-ORD

X-Cache: HIT, HIT

X-Cache-Hits: 1, 53

X-Timer: S1422615188.762758,VS0,VE0

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

Server: cat factory 1.0

.PNG........IHDR...d...S.....i..A..-.IDATx....xU...q.Bi.......i{K....!n$Hp.......qwwwwww%B........h)......g....;..f..Yk....7\f!E.5..}......4..;.~Vl.sU.n.....8..UHr...C.=...E.:x.q.K....~g.k..*.....j'...Y.NP...-k..[.NP....j]...."..!..q.[ **...1..H>.K..../.y...j.4L.B4|.9...c..%...c....H..em{.............."..~-QI9.....?...t)..V~V..a.......g.k..`i.|....y5..~..d....n...)UK.......\....).G./^.....D`.0.x...Yb..=7.`...........#.....6......?l6.O`XGQQ..........s' X`.b............>..tvu..Q?.!H..@.....K7-zrrr\)..x<......n2...P...@....I.._|)yD7.@,..>.)m.T..../`..E$''&....{<.....~..5t.....*e...9!......@.jZ./M{</..... 6&&...a...}..%....u..X.....2L...Q>.....~..."h......0M.*V..CLLLG}}...#...^......k.........n.8..u....s....l.0Q.....#.?.........^.g..~R...@X.9e.....w.......RL.....ga...*.O<....V0 .w....La.rH......G....YZ....`....]..)..zy...}...%.Y...2T...............[;p.).......S..G....h...y<....K.}.....w$tI...,..DuC. {..3I.b..t. .......H9s,=.(.O.H..i..1.?y....T.5..N ..e..V9"......W.L..6.0(.........,!{.S....URR.....?q..A.51i..).K...@L1.^s./....!w.a..M.|lN.....S.6....../%...J..l..... .....M......)-...)....P.j..{Xw.A_;.....5a ..g4......3..........}^...2'-.1N..N ..1.$..X...z..]L.W..`.e"..*~.*G..W\.%.}eeec....$.....[.E.Y.........=3...._....xo0<..$.kj.A.dLU.....E....%%...K......r3.`....aTA.F....Z..ZAq.F....7WZ.g....TK..x.).......t.....^.......u[M.0E....w.9.&..........AX...X.......J?.....v.=.lw...^.=.....;..g.._..{m.N.=s.{......l.....2.q....].%.Mz..Pn...h..|:..U.....S.y.l...LR...qwD...VUU}.?.#66v.a...O*..M.3).

<<< skipped >>>

GET /152media/tags/xbanner/xbanner.js?ap=1300 HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/show.php?vs=&ad=286387&f=300x250&a=956646&s=MDhiZTA0ODk4Y2VjOGU2MzBlOGVjODY2YmY4NDgwMjM=&u=586654&si=742431179&di=5811174&ci=16&cc=CA

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.offersquared.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: public, max-age=3600, s-maxage=3600

Content-Type: text/plain; charset=utf-8

Server: nginx

x-adk2: tags

Content-Length: 1840

Date: Fri, 30 Jan 2015 10:53:11 GMT

Connection: keep-alive

(function(adParams){function template(str){return function(obj){return str.replace(/({([^}] )})/g,function($0,$1,$2){return obj[$2]||""})}}function apply(obj,ex){ex=ex||{};for(var key in ex)if(ex.hasOwnProperty(key))obj[key]=ex[key];return obj}function qs(obj,remove){var q=[];remove=remove||{};for(var prop in obj)if(obj.hasOwnProperty(prop)&&!remove[prop])q.push(prop "=" encodeURIComponent(obj[prop]));return q.length?"?" q.join("&"):""}function toObject(parameters){var str=parameters.str;var defaults=.parameters.defaults;var result={},x;str.replace(/([^?=&] )(=([^&]*))?/g,function($0,$1,$2,$3){result[$1]=decodeURIComponent($3.replace(/\ /g," "))});if(defaults)for(x in defaults)if(defaults.hasOwnProperty(x)&&!result.hasOwnProperty(x))result[x]=defaults[x];return result}function buildUrl(adParams,ignore){var query;if(!adParams||!adParams.p)return null;query=toObject({str:"ap=1300"});adParams.ap="1300"||adParams.ap;adParams.ct="html";adParams.size=adParams.size||"";if(adParams.size==="")delete adParams.size;.if(window.top!==self){adParams.u=encodeURI(document.referrer);adParams.r=""}else{adParams.r=encodeURI(document.referrer);adParams.u=encodeURI(window.location.href)}for(var key in query)if(query.hasOwnProperty(key)&&!adParams.hasOwnProperty(key))adParams[key]=query[key];return"http" (adParams.secure?"s":"") "://" adParams.serverdomain ".adk2x.com/imp" qs(adParams,apply(ignore||{},{networkalias:1,serverdomain:1,secure:1,width:1,height:1}))}var size=(""||adParams.size&&adParams.size).split("x");.adParams.width=si

<<< skipped >>>

GET /static/css/adfly_4.css HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:52:56 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

ETag: W/"980-542ac003-70fac4efd237108d"

Last-Modified: Tue, 30 Sep 2014 14:36:51 GMT

Cache-Control: public, max-age=604800

Expires: Fri, 06 Feb 2015 10:52:56 GMT

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1f72ff3c0fab-YYZ

Content-Encoding: gzip

2b2...............n.0.._%jT...5.....Z....Jh..X1.e..... ...Zm.\..f....k...f..-N....E.....2z...x.F.#...V.W\sJ.$[%m....#>0CA......f..,/a...7..Tw..Sq...@)..Fd.....S.j.G\.U.H...2j/iT*.../.._?..-....o6..U.-W.C.*...X.1".m-Fd..Y.....!.L...^......o"H..f.....Pfp..Y....i..=E...w..[....3d..........T.}Fz.P.?c.I.s... ...5.-R.Jn...k2..."[.,3....!,.X.G2..5.,/..L...M..t9.^.....S.rF.gW..*..b.P^..Tz.V_.!n..(]..N..t.J... ....|.rK.'....%.N(.;....4M..u..Z=........%k.Z......0o.\.>..w.@.....{~........p.......V...b-...K..4.8...!nw\_Z>Q.d..n.1..Pfr..`....Q2..K.Lk..... ...`f.[....R....i...2..*..^.....\...... v.%...yQ.!.TJ....W.ZnY.fz......{.E..W.7.Rq............0.M..^v/....U..g........]..a.v.."!.q..2#. ._0p........0......

GET /static/js/b64.js HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:52:56 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

ETag: W/"dc0-533ef451-73228b2e988dd6e8"

Last-Modified: Fri, 04 Apr 2014 18:05:05 GMT

Cache-Control: public, max-age=604800

Expires: Fri, 06 Feb 2015 10:52:56 GMT

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1f734f3e0fab-YYZ

Content-Encoding: gzip

46c...............r.D.......@...b[5...8...B.|..t:k...X.UwW....^.[.x....I...e[M;...W...?.....8a.....H.9..y.G.'.4...........)..>.J.}....JZ\L.q.!.%.....N(#!.n.pv.....2.f.%.hJ....Q..(.|.~..Kn.gp....R.r.$.GaE..C.Q.3...3.3....T...a...b..7..tN......&Sr-.t....8,.G.dL.y.S.Cd.......(......9....._y.F....."S.J..:.8.\t.sg.G..p?......].......:k.H.t....g...5........B....V.....o..G....<...g..........Q...........|?........>;9=;.x...K2.|.O.z5.#..7B.dv=...lw....W[_7m...kI.n....w[..[.tZ......U...\.l...G......0..........W.........P....m..s..k...0.....zx~2..Q..2...F.. ...1.......S.$P.8.y" .9*YF.6.i9.....>..I.....!.w.t..R..V.....@..wZxg....[......'O..._...;^...~J.g..7S.{.n=@...T[.H.[...e>....zN.....12...$T:({9>H%(....K.5..t...vg.........j.......p........<D6QA..l.......4.aK.z..TV...(..O.)..-c..zhn.@.#.6...z_...F..pw.......F..........|<.|.`........".9....*.].J.%..(.G...V.....s...#"dDXm..\Z...G].[>4.3....t5{....oE1M.zU.8R...\.QK.:I....~......\Sk....KX.....kx.j..l._.1.,...,.2... .:..wQq.j@U .q.=cS..gl...c....AFI.. .d...].....JN.........../..O..%/.O...T?..=..Z.o.o.).....^..`.v......L...M=....UI...Z.z.e......C...K.m.....%0......f.s......p./..........0......

<<< skipped >>>

GET /static/js/view42.js HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:52:56 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

ETag: W/"1117c-5464bf02-ead1cc10d4a977c2"

Last-Modified: Thu, 13 Nov 2014 14:24:02 GMT

Cache-Control: public, max-age=604800

Expires: Fri, 06 Feb 2015 10:52:56 GMT

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1f73af3f0fab-YYZ

Content-Encoding: gzip

500a..............yW.K.>.U*A....t...w'$..(..............u]w%........^..N.p.=O5.::q../g.7..g.iR.?...... .")Z...J...7..5.3.l..7..'......gI...j....x....~.&)Z.I.....z........n...y...V.<z.&).-..|..z..O...........fj.jl%E.....>..5....X...n...p .jYu_`..Oj5.1>....N...~`..I..L..........._$.w.e.....GY...[..G......aR.Cl..lE._\....U. v;...l.u.X......o.g....S..K.u|V..B |....j9A..[N..<.......V...n...q.t.......p..p...?..?1..m.^..M..rO'n.1&.&.......G.i..K....?..6..#........C.....]*\....cb/...$n..OL..8....@....8l.....~......^....c....Fg....#{.x~n...l9x9...EX.p..p.n".5........%.....$:..0......}.....R.....F...t'...Efx)...K.Nu...$......c!E.z*w....t....:."......_....}_x.......R.N.xz.x.u...@.RO....2/..m......-...|I.....v.0.'....'Iu..z...*.u=a..:^.....C..@2...u.zQ...N.i..... .......~..........H...~W..8&....T.s...u........I,.$.\H.......o...6q.!.c. ..!h$.t...]m....1...c..~.....}.<SA^.D..'YT.g.&.A....$...x.!y.7{....u'.u..Z....xX..2...SP..'>...[y.u.4.R.t..X..t..`...'^.7:.<...C.....1.l..?....U.J....p.-c.....i..~..q.Qrw~..M......., .y.................\.1.[.<.....n.?H".G.....}.,'#.k.....T...}...)...A..u.6..a...w.D......... ...?I.,&....^X.#..fM......C..2.R.$X0........K...Q......'.6..WL....e).4...{a..ud.....P.<mA....Fn'.2...d..EX`..$-..........`.&...M..LN.,.n'#>..@G..b..."..c.LH.x~..o...f..A.h6........R.....N.% ..bz].,...........TH $MD.[.......L4...^.@.$...(.~.w4.W...4.X#........r........D....$........|...I.b........]....p.....n.....|...A.S....o.G.....<z...Sz.h...l........g...)e.!...%.....3..n...>.c.e.2..

<<< skipped >>>

GET /static/image/logo_fb2.png HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:02 GMT

Content-Type: image/png

Content-Length: 6243

Connection: keep-alive

Cache-Control: public, max-age=604800

Cf-Bgj: imgq:85

Etag: "188b-5116a59d-2f8f7edb8dce95ec"

Expires: Fri, 06 Feb 2015 10:53:02 GMT

Last-Modified: Sat, 09 Feb 2013 19:38:05 GMT

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1b0d1f979fab0fab-YYZ

.PNG........IHDR.......b.......G.....PLTE.V.s.o*p.-**.........*r.....R.l....,........;,v.-x..h."\......Rw..'Ns.....C%d.GIO...aT2..0}.....T..#r..c...(...$`..Y.(j.Jy..........b....h..6..th..#^......."s.#j.!l.......E|.-z.'n.:v.%b. t...%.y?..3......m..&f.,w.8{.].......K......'h.K..R..F.......I...(l.........C$b......p Z.............(k.6:B*i....$_.4j.........X......t.."\... -z.Rv~.[.z..#u......9..@.........'f.-y.... n.rto&i....#^...;)o.%`....uf;..W s...7.n.'t...X T.^....A...;r.-f...:...%p.'i...9...Q...g.-x....,c.:j.!..*w...1^.......B e.&e...^# !'v.>....T!`..V.B:,&g....$a..b.!a...!......l....Y.....T.....M#\.w...n."c....&w...1"d....._.%f..O.#)44p.,p.1b..X.)m....#]..].)x.VWZ.x.'r. o..y. q.#h.'_..[.!X."Z."[."Z."Z.!Y.)n.#^.'h.-{...y#_....D.....e_T(\./j.`..&b....%\.a.y.."......$[.,|.-|.!Z. y..z.0t. s.3z........v.d....IDATx....\T...7.8.... B....QS..A@..d.x......0..a..<>....&..........f.XxP.$..........=..v.k...~.3.......a.4...._k......n......].....?..WR...I%%................(..N....V.&...u.g..6Z..l...G&CR..(8...m/U.*W.u....(.P........./QOI.&..n.....R.....o..:G....hW.|.FS....0x..J.p;..}..D..x.p.)....c>$.....,..........a..@5>...O..Nqw..O.F.CJq.....[L..222.~..).g. ....X...D..P..N..m...G.2.-.....Ut'''O....UX....C......Z.<|...3b2b.......H..N.V.<l.0U..."..bTa.N...>G~..........t..........cH......H ..:.. .w.......,x...|......dk..l5.Y5..!.....:..ohh....zc.........K..5#!b..w.......X.2....Q.....7...u\ .^..v7-.4.y....Ee....l4E....`!8..*..cG|....{..6%f......)......$....ie.).c..t[.F.0.#.r.....7n4,...........`xo..[.

<<< skipped >>>

GET /static/image/d_top_bg.png HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:02 GMT

Content-Type: image/png

Content-Length: 116

Connection: keep-alive

Cache-Control: public, max-age=604800

Cf-Bgj: imgq:85

Etag: "9c-51d450e3-8ab0ff4e53d010b5"

Expires: Fri, 06 Feb 2015 10:53:02 GMT

Last-Modified: Wed, 03 Jul 2013 16:27:15 GMT

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1b0d1f97ffac0fab-YYZ

.PNG........IHDR.......;.....5.w....;IDAT..c..Ifb.........4..a......j...!.E.......z.......O...u..k/..M.$....IEND.B`.....

GET /static/image/skip_ad/en_tran.png HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:02 GMT

Content-Type: image/png

Content-Length: 2171

Connection: keep-alive

Cache-Control: public, max-age=604800

Cf-Bgj: imgq:85

Etag: "13d4-51e829a4-3949693a3ed59e6e"

Expires: Fri, 06 Feb 2015 10:53:02 GMT

Last-Modified: Thu, 18 Jul 2013 17:45:08 GMT

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1b0d1f984fad0fab-YYZ

.PNG........IHDR.......)....."c[....BIDATx...].UU..=g.q...0.$.....L1...0.. ....(....T..,..""..y..1.^T.2g.......g{..@9...wO............s..k.........E1%).jH..o.........>sm..[..........;.....")."..........M.q..TH_o..`^.o...O...CYq.......X..`....0.v..M.cp..../.....$...XQ#........syqi........ `....F.........8.t.....7n...!....;...ze......7o V=sg.......C..o1e.Mm...me.>N.......51.G.O.:.l.... V.)~........Mn...pV29.....X..L..5...x... t...>x.?.............n.... .n.-..[F......e.xl......G...{....p$kDjtS.p|.-.7.....jDh...Y!.MO..............Wg.....I>....%.M..w.4..X..[g*.....@...... ...`.1X..l..=.2..[....h.......lv].(./.'....v..^yia{...O`.L........@...).7.*}...7..d).....>.P#.._.....tt....iZ..*.V6:R(_......2.\.A........W..t......g".)........[........J.....-.....M..p.....l..H..-_$eB[..w...,..}<2.."?lG3....`X.PcE..<.qhJ..c.V._..F...e....T5..d.'..`..!..q.f.M.....l! ....\.4.._.Hl...X.U..|J......>|kn..Md"a..5.-..U......X...c.".eK........X.E.......,!..[...b..a.|.....D....". .CX..(..P...1........:J....9./ZcE.Fb.Uw]..A8..phZ.8.a.!........ .o..l.A9z../."[.=:..../....~tM.....h....[..g.......a.p|dzt........mAk...r......s.?.......F........=U.....Jc#.;...*..t...b.........OY..P..]...aw.!...;.>q..... ........3.46.;......s...G.tl...8.a;.E....pt.8K>..|.....7`..r...L.....<....W..l...l.....F..X.` /.N.....(FH....6.n...m..i........L..]e..........a.F#Zd,....&.^..J...<..?h?..$.....l'.............[..X........./Jj7Z&.~.~...d........<....D.=.6K...&..6,./:....ba.9........K=Z...b.Lc.......(g..m...l.->..T._.c......

<<< skipped >>>

GET /pingjs/?k=psytrs8y6gmn&t=Yllix media&c=s&y=http://trollface.biz/vote&a=0&r=8601 HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:11 GMT

Content-Type: text/javascript

Transfer-Encoding: chunked

Connection: close

Set-Cookie: uid=CgH9JlTLYpeMCyhAdHc0Ag==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

Content-Encoding: gzip

37.............w.././.P.0..04V.Q/(.,)*..4K..S.1....../q#.....0..

GET /uds/css/gsearch.css HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google.com

Connection: Keep-Alive

Cookie: NID=67=ORtcri62B5lLT0gmScQQOZ6PgyD0L3laixHZahqHHujeEZbaa73GuOw09MhpeE7DyzW_jWivMLXGgh3wMxHiWx0Kjhv3DmSsOiGxO6w6jeBD5Yuj6o5OaexIqwooJryu

HTTP/1.1 200 OK

Expires: Fri, 30 Jan 2015 10:53:14 GMT

Date: Fri, 30 Jan 2015 10:53:14 GMT

Cache-Control: public, max-age=0

Last-Modified: Mon, 10 Nov 2014 23:30:07 GMT

Content-Type: text/css

Content-Encoding: gzip

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Server: GSE

Alternate-Protocol: 80:quic,p=0.02

Transfer-Encoding: chunked

a..............802...=k...... ..ri..\>..rR..8..%....7.H...@....Z............T.....L.....8.....w.M.Zwl2....u..8{.]....b..e.oys..!{y....K..9..=....M....bo..go..my...d.U......u.5.&o...[.....&O..........[...h.....oO..EyG.vu[ve..am.w.2h.-[>...)v....,p_u......W..-t.n.MY=...M.W....6..)ou.....2...Di......E....3;...g....Dl..[.._y..u.../:....Y..\C..nz.|.|..E.6...*....W.=..{....tR.u..............m..;.?....s.-...7.p.t...n........u..@..;$vE,.W|......s@.\...g.=..E(..;..5x.`..f.`..../.<...m....]..Q...A.^p..[....WM..........lc.....7Y.=T.S.z._..4....t./....Z......;.h..CW.4.x...WY^.....,.......p=/...>....p....l.........f3...%a.lp....@...KR.%R4.J.%q.|K.Vn`.:.h.-N.;....6.<.............A.-r..C.'.lw.....(j.F... 9].....m.........V..~vq.?..{....R.]..$...<.<5...P..Y.(......*...SwD].`...../8....}.:..U...^E.m.u..\N9.I.>5R|.....0..w$9...{.L.:.....z....f....:.........w!.3...X.....#.'..../..(.}.f. ..Y...B...s{...=.q.,F...V.m1' ,1.....].?..r.2...qru..;N..#..&..d.....l6.?LTnX..j...G....Gb.. .MK.bW..sI.H.......@...1E.]..(..O.c...c#.....y.'!....eA\X}o.V$R..}S.=??.....H...$t./..e..........W....:.;u.......j'..h_.<[t.q|.O.....|..}..U=........Go[6....l2...[..S.....j....y....*..\....(_......_ S.M.o.<P..>9v#`.?..DN ....lKu....U...Ly..........8....d..B...-.....E.&/.} . .. ....vj..........#.j.y.M..@W....."?...l2....3:.lS...n.cz........ .V...[..]...w..F.mG]P.,..Rl..G..F.qN..$!...........q..hBR.._YQ.5..|k.e.$[_.P.G...E..P.}r.........z............zb.........zU.7o.........:..\6u[.v..t.g...oW.....{[6|.#~;....AU......../.....

<<< skipped >>>

GET /adi/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;sz=728x90;ord=[timestamp]? HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ad.doubleclick.net

Connection: Keep-Alive

Cookie: id=223d076a6a0300d7||t=1422615192|et=730|cs=002213fd48556f693ae5c022f7

HTTP/1.1 200 OK

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Date: Fri, 30 Jan 2015 10:53:14 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: text/html; charset=ISO-8859-1

X-Content-Type-Options: nosniff

Content-Encoding: gzip

Server: cafe

Content-Length: 859

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic,p=0.02

...........T...8..*,..&' ..A..8.FG33.n6.R.Z.......w."....r9...?~.....<.GC..4.r.C<...g.2.....J8.*.}....".......^O/.<."z.`....i........Q|..bY......QF.4...#...(.<Co...V.7.P@...sK..!....g.`.>......C..*QQ..C\.b...2......e/.........#...`......f.i\<.E..g...z;w&Ew>.w......%.. |.|....i...Q...H^.....$1.Y...~.Og.m...r....<..ag2n.G...rX}.<...[3n.>.G.....D..(..D.....c.......pxU..g.u..|>.A.Q..$Rc..@X.....@....y.=......."Z3z9...#.GB.(KCP..P....B..6k]......N..zg?N....z/.[...R.~..'..k......p..]|]..c...X.....U#B.u2'A...v...u][O....VQ...2t...w....).%........O2.3K.e.L..-Yx.r`J|a=.E......h.`FS..".\......@%.G. .?.i....e....{.....I\....$pr..-.%0/SP.)'.5.G......0.PW$.z..U<p...M@ ...}.=>..9^v...E.F......v.....>..^.'.(.O.~...'.D.PC%.....Q..bJ.(...."&%~?..3.8..TW..(...T.....h..C.D.(.x...2A..E..3..V..V..L1......9.. k.......3...L....*......I..U:.J.a~o..g.U.. .5V.i....:..\......

GET /2014/08/b-red-releases-flaming-hot-new-track.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: lindaikeji.blogspot.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Location: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Content-Type: text/html; charset=UTF-8

Content-Encoding: gzip

Date: Fri, 30 Jan 2015 10:53:13 GMT

Expires: Fri, 30 Jan 2015 10:53:13 GMT

Cache-Control: private, max-age=0

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Content-Length: 218

Server: GSE

Alternate-Protocol: 80:quic,p=0.02

..........m.A..0.....!..T. K,T.V..$..clgM4iJ......q....<......<aUYlB.{^.....C..`.pJ?.}..F?.U..A.......O.Q.....1......ia.p.....@...#2...T....K../J..;..pQ.I..8X.......f.z"..P...#.....L......N..Tz.q....E......&....,........

GET /1market.php?p=xVZnHcUvikLHCbJuoYbG3ZNh09IyjLo6iAYHWdR0mhLmmIx65IIiiZwliJaHGaFizwaiCII56xImiLImsRIWnYBivocjnIQli1OWiYIuiRL3CcJvwhYmXIR7opbjmIFstJZXSdIi6wISiM91yEdjXNF4kodjSIIusJICnLNxlUYTXNJzjUaDCOI66IICiZIiswIinIBjyFbT3YR2vYY22Y9wsYITjMo4iEaTHZRj0NcTDNo4iQfDSNw1iIZTmOxihVcz2YgkidOzjNAlsJIDmN1jvJYjmIl6sIZCSdIi6wMiCIwxiIbiWO9iiMa2WcxilwXi2I9tzNIjjIo6iITimY8jiJfyQe== HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://adf.ly/ruqdu

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adf.ly

Connection: Keep-Alive

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.8

P3P: policyref="hXXp://adf.ly/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"

Cache-Control: max-age=0, no-store, no-cache, must-revalidate

Pragma: no-cache

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Last-Modified: Fri, 30 Jan 2015 10:53:02 GMT

Cache-Control: post-check=0, pre-check=0

Set-Cookie: adfly_483832=1670080; expires=Sat, 31-Jan-2015 10:53:02 GMT; Max-Age=86400; path=/

Set-Cookie: market_483832=1670080; expires=Fri, 30-Jan-2015 10:54:02 GMT; Max-Age=60; path=/

Server: cloudflare-nginx

CF-RAY: 1b0d1f9b63da0f9f-YYZ

Content-Encoding: gzip

69a.............Wks.6..._AcfUp.Q..6.%.[.N.4...d..j2.x).....-.......d7Ig.Xx....^..8..l.d...'O.K..K......w.=W.....u....."..v.TG.O.6`.....S4...."..].....;....J.X.......l6...e..O.....[.4)$.BIl.......X..H..L../....ukZ.}..5QYU#;..i8.8.2....l.B.Z..gS..4.B;..LE.WD..._...UwX....$..e..o?..U.?.%J..{8Rc.d .6...C_c9U3..K....J..}4..d......0.I._.^..k.6....[....|.P.:'....".'9.G.$....>.....y....m\..zdm<S;...~....b.w2..lU..f3..n9.^..T....U..T2b...F@..f!.$....m..|.;..DI.3..F....(...5..-".Z... ..]=..~E..2.z../^.........,FMy.S.f..~O.5.Jw..*..m./...2;..U...INb.$..n~...1$B.oZ.....k.?...V.;..*].,.XV@..J....D.!.Y,A7.a..Uqfy.._v.."....rM[..VV...Rf..d.j....../....=.]..[.8.5\>..cK .aU3.....O...=........r.....AC2...X..#....D._..H..u..f$e2..O.&....y........;.E..d.mK......[t@).z.1..g.ad)...=.#.-Q............ED....ko..q...m......A.W...?...Shv....i..4..L....z.Z.M..-@..Lp..~.u}..........x......~.5d..=..QJ......E........d/............K."..%...."%].......W...a..,AZ.....m4.m..m......2~..,vc...C\-..,..y......Y.........^x.Z./|..NRli.%...f...`o..pC..j.....h.F8-.X..%G..X._.....UD.E.Z......b..3.....?..'....TIb.F.....!..$.l..y..4..a....wo..^;...(r0.IQ.6.....0...FJ.....O.\.rob.^.*.._.Dhc.k....lgA....1.L;....x.T.k.].......*...Z..>[.....Q..__}]..s......._.o. ^8.^1......0..(...on.n#.l.d....u......4q./S...F.0..h...{8Rw..L..T.1.Q..X.E.....6..~.s4g..... I.#....W1..........wn.K......og....X$.-.3\.,.rA. .B.............V......*X...7..D.e......V..(..zwy.<.S..#....J..].<.eje5.....).....PP...M....D.....o.....h7yi....DQ.....V.2.]....,F.zv.N..9?:F.=.

<<< skipped >>>

POST /callback/2c42e77dc5b92544853ce18160cf6a1c HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://adf.ly/ruqdu

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adf.ly

Content-Length: 538

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b; __utma=255621336.1096569715.1422596427.1422596427.1422596427.1; adfly_483832=1670080; __utmb=255621336.0.10.1422596427; market_483832=1670080; __utmc=255621336; __utmz=255621336.1422596427.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

hithere=TAkyVOUyNICD4MwxQIyjkLi1L4CyJMygZIWFZTlDcBiCIV6FI5ikILsgIsmDlOk0ZYWj5L02IAjToNw0LACjJLmwb4GyFMzgaICFIT6DMBCCwViFc52kNLygZsXzNN3yIcjDoMx1M4DCIM0uLICDJIzSYx30JQlgcQ2VgRiOO5jCcI27OECjwViTdB2yJOyxZ4XSNN3gIQjloT3gOMT3IdsvIRnmdbipcdmFVIz7aACjIL62NADScRxJLNCVJTtgbs2TJZpsbJGWUai0OFjGAcstI9m21YvoYAmClMsuZQVz9LvhcxyGIb6pIpk35bvNIJiiwOiiYQWnNb0ladWW9YuyIVj2oc51LJCCJL6iIMjWoMihMZCj4Z4jNBDjEN2xNgzTgMylNND2AMz1OgDDINw0IUijwMi5aIGWFNzjaRC2IN63IUjmAMy0OMWmIMwiMomjNIkkNlj2JXknZ9GGMbxiZwTiFIj1McmDMMyxYImiIO0iOIDXFZl2NJjCYL3wOoDjFIi4IJny0eu=

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.8

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Server: cloudflare-nginx

CF-RAY: 1b0d1fc6c75a0f9f-YYZ

Content-Encoding: gzip

14........................0......

POST /callback/2c42e77dc5b92544853ce18160cf6a1c HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://adf.ly/ruqdu

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adf.ly

Content-Length: 538

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b; __utma=255621336.1096569715.1422596427.1422596427.1422596427.1; adfly_483832=1670080; __utmb=255621336.0.10.1422596427; market_483832=1670080; __utmc=255621336; __utmz=255621336.1422596427.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

hithere=TAkyVOUyNICD4MwxQIyjkLi1L4CyJMygZIWFZTlDcBiCIV6FI5ikILsgIsmDlOk0ZYWj5L02IAjToNw0LACjJLmwb4GyFMzgaICFIT6DMBCCwViFc52kNLygZsXzNN3yIcjDoMx1M4DCIM0uLICDJIzSYx30JQlgcQ2VgRiOO5jCcI27OECjwViTdB2yJOyxZ4XSNN3gIQjloT3gOMT3IdsvIRnmdbipcdmFVIz7aACjIL62NADScRxJLNCVJTtgbs2TJZpsbJGWUai0OFjGAcstI9m21YvoYAmClMsuZQVz9LvhcxyGIb6pIpk35bvNIJiiwOiiYQWnNb0ladWW9YuyIVj2oc11LJCCJL6iIMjWoMihMZCj4Z4jNBTjYN4xMgTTkMzlOND2IMy1NgjDMN30IUijwMi5aIGWFNzjaRC2IN63IUjmgM00NMWmMM5iYozjUI2kNlm2QX3nM92GIb5iNwTiEI51ZcjDRMixYIWiYOxiMIWXRZi2NJjCMLyxYojjMIy4IJny0eu=

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.8

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Server: cloudflare-nginx

CF-RAY: 1b0d1fdc88bd0f9f-YYZ

Content-Encoding: gzip

14........................0..

GET /pagead/blank.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: googleads.g.doubleclick.net

Connection: Keep-Alive

Cookie: id=223d076a6a0300d7||t=1422615192|et=730|cs=002213fd48556f693ae5c022f7

HTTP/1.1 200 OK

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Content-Type: text/html; charset=UTF-8

ETag: 3442959754796973630

Date: Thu, 29 Jan 2015 17:31:20 GMT

Expires: Fri, 30 Jan 2015 17:31:20 GMT

X-Content-Type-Options: nosniff

Content-Encoding: gzip

Server: cafe

Content-Length: 79

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400

Age: 62515

Alternate-Protocol: 80:quic,p=0.02

............(....I.O.T(...I.UJJL.N/./.K.M.../.R()J. .H,J. Q....).R`.\\...DsB.....

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Type: text/html; charset=UTF-8

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Location: hXXp://trollface.biz/vote

Server: Microsoft-IIS/8.0

Set-Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0; path=/

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:04 GMT

Content-Length: 148

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://trollface.biz/vote">here</a></body>....

GET /vote HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Type: text/html

Content-Encoding: gzip

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Vary: Accept-Encoding

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:04 GMT

Content-Length: 12643

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?".....|..>.......4...2}....g'.G.w.~.....O.<M..o...y.;.I_.u1m..=}.Q...mW......._..W...7.....]...n7..x..>:.....0}.(..g.....>..?.F......X....e........@..i>....i.....sp.|.H..m~..........l .......2[R....tV..}... A3.f).r^.......Q..q8..........m......*.N..UY......z..~|W..f.....v.....g..T....~s..?J...g.......r.N.Y...g..|..}.0.l....,o.u.j...d..D^.Wy..l.-~.d.I...g.7.v........'.Y^.og.."...;oL@.G..|U..&.a.}.....X......rN#....?~.....y..^.o.}<.....]..Q.a...C........!~.......t.N......#..5.N.S..........?.'.....J?....EE....o....?wJ..[...L..qZ]...1YA.....?h....."_...}:.....Ez.&r........C^...........Ic^0m....D.O...{[.......\.S`... .Q[c...;..._.........-7k..?..qY....L...7J.u........R...t..U.../.B..?.F;...;,.!..8.....b.6........Z..@...|.h..G..dX.DC.*m..UuQ.@..i~wF......VYU,...*..V.....1.O_..O.}[M.[FwUW$P.5k.[b=.vC......!.n..uMZ.....X.q../G^...oJS.....mRV...-..k...7j..x.Th}x....../f..O?}.so.....Ow?}./83_9..u8m..M{..jH.-.Y.}...2.-a....y.....0q6.8.w}p....y...yv.6c...r3..v.nS..}......c..8......L>.(m.....[.5...e...GG....G).._...O7w......zLm..7...x....(.a/.q..M..GO.Og.T.d..a5..................x...}....%..M...8./!We..W.b.^.m....U1...&...T<.4.0.!.o.b2QD..D/.c......M}N.S....\_..F{........tF.h..X....$r/..T..A..,..4...i>!....6...W._..c.. .M2F ...J....I.2.f.i1....i..2[..h.i.. ]d.r...1.....|.]..a(..}C...BbM.......{]25.KBo.|{7 ..Q.oi....X.../&j.....w...d...]7............".o.wp..._r..qv}..4..\.Xm.....I.\.......Z..

<<< skipped >>>

GET /css/style.css HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: text/css

Content-Encoding: gzip

Last-Modified: Wed, 28 Jan 2015 23:50:41 GMT

Accept-Ranges: bytes

ETag: "38e16539553bd01:0"

Vary: Accept-Encoding

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:04 GMT

Content-Length: 30652

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?".....Z.e...-.e.....<....y6.._......~.~.../.'.$k>:L.z.(]......]..../.y.~|g.......y...;.yU/.v..|1.g.|.]..e{..?.3J.w..q..{/..:.n{U.....C....]...Y}Q,...N.....Z/g.....G?~.......w..<..].K?z...E....Xn_..v.hw.`g..0!... .E.n7.u).<.=....X^<...e.nhJ.......|.).....v]~.C=R......g...O._.-.h....Z,..i.....~H-..6-..l........hVev.X..k.XUu.-[...q..1.>..B.p|.]l......</....to....3zO...d..w...].=..U..E...........n.l...9......@.Y}...~...z{4..s...$..'..s.&...e....9....UZ,...IU.....O.e.6.....#.........0.1....Z....._.].9^-/..~....}.....WyF., ...f.d%M..tJ.....2.v[...............V%......)Z.(...E.....O..^;p.66...K.w{RV.......-.Yi`-.....;C*...N...'...}..4[..|.h.(..k.'..]g.b..;..a.lIdg.Hu....by^,.6O.....Z..\....m..E^,g.;.....]F..n.by...4....o.....>Z....|.zkk....7...&....&.p...O..:.m...-:.G@..`..>..:/..jc.....!..........:.F.....6.f.F.@.@.;.;.p\..D.;...T.lZ...|b@...9y...%1....C............o..~.'^?....~....h_./(..1X..n{.|.#..$...G......v.$..f..O...|zb.4L6..f....G;).J..I..3....;....7..0:dO....j..t.6D..c.iH.o..z.H............6%..#...Ws.U.IGK:..@..t..J*...xMU..u......[.>]..pXU....3n./....v.k....o..0...."_...L.....4..i..{.O.<{f[.k0.\\....z.....)...lI..>..p..yO..{.J.".<..Tm[-tTbs..>3........H3j../}...P....5x.6..\........2.).|'.1.1.........@8[..F_..>..N..O...??t=..._..G.R.I..euQ)d...|.V..>[y..K..n.O..:wq.U.......o...t.!=...>J?.#g:x.f..*..rD.?N~..I.|.c.7...IU...N`.w..Q.~w.....Ih...........?F.Xl

<<< skipped >>>

GET /UTM_Bebas.eot? HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: application/vnd.ms-fontobject

Last-Modified: Wed, 28 Jan 2015 23:50:35 GMT

Accept-Ranges: bytes

ETag: "be48a735553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:05 GMT

Content-Length: 32472

.~...}............................LP......................-.p\......................U.T.M. .B.e.b.a.s.....R.e.g.u.l.a.r.....B... .F.o.n.t. .c.h... .V.i...t. .s... .d...n.g. .b...n.g. .m... .U.n.i.c.o.d.e. .-. .h.t.t.p.:././.w.w.w...f.o.n.t.c.h.u.d.e.p...v.n.....U.T.M. .B.e.b.a.s................pOS/2D".....x...NPCLTC.@...}....6cmap...........Hcvt ...-.......<fpgm.3.O........glyf..........c.head...........6hhea.{.A...4...$hmtx!.5.........kern_J]...p....4loca.Y.|........maxp.......X... name..}H..u.....postu.bH..z.....prep.d.R...$..............\p_.<...........iH.....L4......N...............................N.........................Q.q.........@.........................3.......3.....f..............................KT .@. "..........t.....-.....;...=.....Q...Q.G... .E...E.O.S.p.K...`... . ... .G.|.Q.(.G.|.Q..... .?. ... .Q. .E. ... .G. .C. .C. .5. .;.|.Q.|.Q. .=. .G. .Q...(...1.A...?.Q...?.C.Q...Q...Q...?.j.Q...Q.....O.Q...Q.S.O.j.O. .?...Q. .?.7.Q.../...../.G.7.......p... ...../...`.......-. .(.......;.A...?.Q...?.C.Q...Q...Q...?.j.Q...Q.....O.Q...Q.S.O.j.O. .?...Q. .?.7.Q.../...../.G.7.......p... ...../........... . .........(...(...A. .................I.A...A...A...A...A...A...A...A...A...A...A...A...A...A...A...A...A.....Q...Q...Q...Q...Q...Q...Q...Q...Q...Q...Q.......Q...7.......Q. .?. .?. .?. .?. .?. .?. .?. .?. .?. .?. .?./.G./.G./.G./.G./.G./.G./.G./.G./.G./.G./.G. .?. .?. .?. .?. .?. .?. ... ... ... ... ...A...A...A...A...A...A...A...A...A...A...A...A...A...A...A...A...A.....Q...Q...Q...Q...Q...Q...Q..

<<< skipped >>>

GET /images/search_icon.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "a492c739553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:07 GMT

Content-Length: 3308

.PNG........IHDR.......<.....qT......pHYs...........~....OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2....

<<< skipped >>>

GET /images/like.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:41 GMT

Accept-Ranges: bytes

ETag: "4e19b039553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:07 GMT

Content-Length: 12630

.PNG........IHDR...L...L.......Q ..1.IDATx....X....e<....'a.%.Hb.1L.l..mV.&NW./_..M....N.............6.......z...IHB.@ ..>G...$_w........x.....<.9.K ............c.J.D..{N..r.kM...i..tg.FS8....._.....qw.....N.x.g.IHHpa..{......6..?.c.:..E..;....l........5..X....lu...v/>.........Vz.]...o[zv.....s.....e.........{.......m..N...'.6'.N...T...y..........zkU@..J..V.i-.h....~...........~K....7. #>17?..U..o2...uj[...0..&.B....v....R.........T.T.x.@3.E`t.#...../.v...Fv~^....D*l.1d..".].Y........{1...h.p..W .......b..5!Fke..R..g.x.....7.....;y.......?...K......A......q.......0F..Q p.Fu.. ...K...do^G..8.6.%Km,.A.k.Z.G.[(.@.z.m.&{C..^..m..j....,w. -....3....X.....F.....23...D>...C&W.i.......1N8..14.e.=.l..W....]..lM..b....(..o..@...dmZ.c.[..c..q.rW6..........Fh..]s.....{..&......k...:.?".....7.....}...1.].:^@..O..S....ci.....<.&O.{...D.......m.....8..8.......~.&...M. ...\6.......5..."...a.U.........F.0E.|k".gd<./...7{...o....c.c..9.`..x.zN.w_]L7S.....Zr$...F.y..GP..P:.k/z&v..K..........ek}.,h-....X........8......m............1..ed......}fo..4 ..e!....?...........7yl.#?Ac. ..q.".Jf..}.4T...@.. ....:.y.q..R.8.x..'...sWY[.....&....4.'.\..-.D[.....p....n..uv...%....:..(..F<8|G\b..^.s.V.........6......3....)...G..v7...a...$....).,..Kc<.. q7..a.....X....i..X..\#...).....i...t.....$..E.^.).c:.<g..{:E.g......w.(...zn...r,.$3....6..z....w.../L.........?e1.....07.....e...?........!.Q.`u.!q.ZY.Y....~...s.B..#</9.cky.F.......emy.;...-.......-._...&.......>o\c.....=/.a...o...}ara.l....?...vy.......a

<<< skipped >>>

GET /images/sprite_v12.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "541cd139553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:07 GMT

Content-Length: 148533

.PNG........IHDR.............!.."....pHYs................ cHRM..z%..............u0...`..:....o._.F..C.IDATx...y|.e...g.4m..R.}...WQP.9.P..T...,*(.........?/tWWX..d."..*.!....M...EK..9....I'iz..i.|?.*..Lf.y;..;3.HB....U.$Ie..!4..... .@k....r...pX.$7K....1]b@ "....B.....hW..g.|%IR.K......q@.B..p...*N...N...,I..""j..A.1...5....$.ai.^@..8.....H./!.....<(.0 ..QM.....Z..5............Tg.I.....L..1 ..Q#..&.........@DD.C......B....Y...DD.8DW......j^. ..""j@./#T1.......@DD.C...u..F8....'....5.......U...........9R..J(.b8.p^..@DD.....*..U.'.........$..`]-..Gy^..@DD.$$...R...U.............V...T.......lf..h....!g.X..=...x.!... .....z..H......V..u.....z....JH5i=..].......*......$e..kW}...sy..H..h.......7..^.5.....=...~.pV..YxnDL....A...%.<y.....(.......3).l.%.7.^.5.......Jh.jz.....;..]l.3...3.<yr.|..?...I..HI..$I...5K[...^.$}9..%I....\.."\R... W.......W.^..z.2...?..s...v.7..9s.X.y$$$.K=!....X.|.|.^...`*.....b1<.c!...@.X...@......?M.L....5......~...._..y..g* .X......?. .(.BX........-((...d.......j9v.e#...B...z{.F...l......5.W..].............../...?.R.U...!..........;...k.n........L.:q..[..zED...$I..t.M.({..ExnbT..l..U...;,........K..S..$........ ....b.^.... ..V{S.&M....O..z5..?..._.N...9VKe...I..he.JU...^....~.}.../..)I..]Q..k......J.R....^.Q...$Iz!.S.....>W}...y,22...s...=.:.T.]SK.....S...g.......!>.$..j.Z.p..._.X,s...,.Y....ju]6.A..Jn...z....#..q..E.0..........zED......rv...L..c.......y..%......IU....H.....Z.h..<....._.Z.$.....G....V.t......P.e....~^g..........X...L.2E..S.@7.O..>.. .@.....zED!....q..I

<<< skipped >>>

GET /upload/t/1054.jpg HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Wed, 28 Jan 2015 23:50:51 GMT

Accept-Ranges: bytes

ETag: "fde74f3f553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:08 GMT

Content-Length: 158511

......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 100....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..o...K.|1x.. U..I...-.yf>L..).M.$..#.M.F.....}F.D....]M:Xk.R>....d.....H.[......4..p\.E.?......m.B"....h.72......"_.y...T..........w......b}E..%...../w....4vq.2M...i...|.2..`...m...,C..%$...-.vj..Em.]O..S..,........q......./<1.X.......!.*..wB....V."{..."...............%.aZ.&4E.LI.4w?.\......H)..*.......t..?.,/..SW..M1. ......Y..H......HO.,[b-.d,.../._.<.....4.-'1Y..9.%...U#...J.2..$.~R..\...pT1*.!C.8...z5x'..m...a1r.'.......(i3_.y..R...1.......@..BeH]....r..V%.._.....-t...[.xL.....y`..1;.. h.f.....7U'....M.A..ZAym."U.4[.7$. .PRU..8P.$`....i.Kx.....O........"O0..p..B...k..`...\o..S....M\l..........N.}-.../%{.x..O..K.{}....e6....n.|.v...1.....y....._...Z...m.{T$[..X.{.&.D.F.)....[D.#...?..f.E.....hc.......JB.j[.|..R...X)].9........?.O.Z...1..z......[.j3..^..4.K.bW...,.'.......3.J...2.5.^...o....A6.....\....Ml....i...j......K.K

<<< skipped >>>

GET /images/comment.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:41 GMT

Accept-Ranges: bytes

ETag: "e6449a39553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Length: 1386

.PNG........IHDR................a....tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)" xmpMM:InstanceID="xmp.iid:7135B5F362D111E4B03284059EC587A7" xmpMM:DocumentID="xmp.did:7135B5F462D111E4B03284059EC587A7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ACBE5662CC11E4B03284059EC587A7" stRef:documentID="xmp.did:7135B5F262D111E4B03284059EC587A7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>../.....IDATx..S.K.A..u'%...m.C...f,.B7.(.Z.]........{.(.xI.X....J..K.'.t...Eq...í7..1....y.{3...h....m4...$...h.n...x6..F...@$.a....h4.A. B..g?.L.3.X,..r.w 3h..H....R..,B.l.x...'..Z'. m......i..P(..U....V.i.....Jd.d2=2...h4M..... ..<....eL "....N...R0.8..u..z...X,.>..u..O.(r.E.....N.{u:...DB.`.w`HxJV.Tb.......B.pO.[..T.R9..(8......d.|......U.&.`0........g.v.]._.......3r......S..n.Z..wW..~.....e.~.........$.T..Q.J."'.v{.&q.$.q.%m.X.&.A......y..n....c.M.?.u....R.tQ.V........C..E Fs.....IEND.B`.....

<<< skipped >>>

GET /images/viewed.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "478dd39553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Length: 1207

.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)" xmpMM:InstanceID="xmp.iid:92ACBE5462CC11E4B03284059EC587A7" xmpMM:DocumentID="xmp.did:92ACBE5562CC11E4B03284059EC587A7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ACBE5262CC11E4B03284059EC587A7" stRef:documentID="xmp.did:92ACBE5362CC11E4B03284059EC587A7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Ig.....%IDATx..Q=N.@...!..... . ...Z..$.'pJKo.......7...5.T.P)T$..=...d..|.y....$I."Q..AI..<f.L....#.y...|I...5...a..'...(^.0.....0.Y....fd.8...Vx.|).b...[.R..UUu..o.{..(..W.4M..m.if.T.Q..... <_uGAm...0..V../~L.I..N......VJ.{=..J.u......6..q...>....G.Q..%......h....I...i7.......;...i......nF...{...`..v..........IEND.B`...

<<< skipped >>>

POST /callback/2c42e77dc5b92544853ce18160cf6a1c HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://adf.ly/ruqdu

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adf.ly

Content-Length: 536

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: __cfduid=d860e4e0440de5fb48f7f2b6256e4b5351422615175; FLYSESSID=5420d9e33c294bd05882efaaa6e27aff31843eb4; adf1=668e57544f6910e95c22591759704a2f; adf2=e8b8e1b450a222f8d1c56b9a088a166b; __utma=255621336.1096569715.1422596427.1422596427.1422596427.1; adfly_483832=1670080; __utmb=255621336.0.10.1422596427; market_483832=1670080; __utmc=255621336; __utmz=255621336.1422596427.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

hithere=TukAVyUONyCI4DwMQxyIkjiLL1C4JyyMZgWIZFlTcDiBIC6VIFi5IksLIgmslDkOZ0WY5j0LI2jAoTwNL0CAJjmLbwG4FyzMagCIIF6TMDCBwCiVcF25NkyLZgXsNz3NIyjcoDxMM1D4IC0MLuCIJDzIYS3xJ0lQcg2QgViROOj5cC2IO7CEwjiVdT2BJyyOZxX4NS3NIgjQol3TOgTMI3sdIvnRdmibcpmdVFzIa7CAIj6LN2DAcSxRLJCNJVtTbg2sJTpZbsGJUWiaO0jFAGscItm912vYYomAlCsMZuVQ9zvLchyxIG6bIpkp53vbINiJwiiOYiWQNn0balWd9WuYIyjVo2ycM1yJwCiLeiiMIW6MIhjZAjuZMjDBMjyNMxDgAT4MNlTNU21MM1TgED0NM0yUIjsMI5mIhWhNcj2Rg2iNO3iUJmiMY0TMcmzMYiWoUjyIYkmlZ2lXMnW9MG4bNiWwQi4IM1DcID0MZxmIYi4ONizINXkZZ2DJcCzLMxGoVjhIN4yJJy9e

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.8

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Server: cloudflare-nginx

CF-RAY: 1b0d1fdce17c0f9f-YYZ

Content-Encoding: gzip

14........................0..

GET /viewad/3774000/NG_W5_D_VD15_26012015_728x90.jpg HTTP/1.1

Accept: */*

Referer: hXXp://ad.doubleclick.net/adi/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;sz=728x90;ord=[timestamp]?

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s0.2mdn.net

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Fri, 30 Jan 2015 10:53:15 GMT

Expires: Fri, 30 Jan 2015 11:08:15 GMT

Cache-Control: public, max-age=900

Access-Control-Allow-Origin: *

Content-Type: image/gif

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 43

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic,p=0.02

GIF89a.............!.......,...........L..;..

GET /-pzssax7ig_o/VMQQY1VHBhI/AAAAAAAEXeM/f381QtL8lmc/s1600/1.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 1.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v45de4"

Expires: Sat, 31 Jan 2015 09:38:22 GMT

Content-Disposition: inline;filename="1.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:53:14 GMT

Server: fife

Content-Length: 18067

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 0

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d.......................,...............................................................................................................................................................,....".........................................V............................!"2.#1BR.3bACQar..$Sqs....4ct........%...&5.....DU.......................................B........................!1.AQ."aq.......#2..R.$3Br....4STb..................?...YI.Yu.D......RIm}e....RIou{IV..[VV...[VV...ImYZ.^.I%.eyue..^.VVRIeeeF./.y..{.........poR.. ..n?Y.iVv.....y..`?....U......?......VW.n.p.. ..D6..6....\.W..Ukx..7.}#K1.&...t.m%!.kC........'v.....C.......K9.3.. .nAb..?%...]..g.@U.....n....3...Z.yb..s/bG.!K][_M..........CR.....N.........T...R7V..SH.........\K]Yu%ue..J.^RwV]I$.oI.Yu$......RI)Q.O.]...=..On................................FY.g.v.m..=...z[..8.Z...........u.@&<(.@!W..*g.0....~{D.4Z..>......-e.]..'.-}_7...y......._...E/f-..axf....M........V...CB..i..D......q...J......)%."^.5^gs.4A..a...y.w."....p..;..j.F....;........J).{@. ....m.dKU./.....8.pC.$`1...C..5...6.$.lr....D.gST............._... M......H..7Y^.......>Ax. .._.;....jV..=J.R..U.;...m}m.N..N........9*N5 k...m}q*N. ......$./uou5.....juue..R.R...][]Mu 5)ZI...S}J.JV.quG.!~,...........P....TW./.c.`G.Oa.4. ..-...n....Of.6 .w%....Vu.<..3Z.V.8..... ....a?..Q....f\ ....Y...W.......g..j.4..t./uw.........m.._...jN..0.9..h:v...}./.....'..l.....:'......n8..M....]W...W.........C...#..

<<< skipped >>>

GET /-nerBEGrWuFk/U7B9Sg0IJBI/AAAAAAADFto/lO0wova5fhs/s1600/LoLavita+Hair+%26+Beauty+2.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 1.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v316db"

Expires: Sat, 31 Jan 2015 10:03:48 GMT

Content-Disposition: inline;filename="LoLavita Hair & Beauty 2.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:03:48 GMT

Server: fife

Content-Length: 21501

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 2966

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d.......................,...............................................................................................................................................................,...."..........................................Z..........................!"..12..ABQa.#Rbr..Sq..$3.....%........4CTc....Usu......5Dt....................................A.........................!.1AQ"a....2BRqr....#$4Sbs...%3...................?...x.........4....n.....|!Y%{.....Qgt..;..V..U~.R..$^..GuE..:.Hc.[.f.....i.Dd."...."#.{l....{\...../.HR6.1B"..K....p.A1.....(..$.Q...E.2K3......Y#H......D@M..........0.#.W........}K.....{U......K.. ...T.N..;.."B..W..l..X.uucw.A..vy.=^.....^..sX._..`).... ....N./..IJ}..BQ.m2.ld..A..hZ.S"OQ.4m....*....66..yDz.H...v.]Q,.0W..I*(.y_...=Fi..tq....^.qo..S.f.zm.`....I.9zc..(.0....V8..m"Q(.!.y.H...eO.s.JM......x.j...Ypy....9..K4.....4-........w.A.S.E....Li....b.e.)Yq...8.4M..=~nM.'m{mOKO=MC.T.Dj*&`...K...w<.DEfv.Uf....ymh...1TL.......fu,...e.K.U.P....4.....7.E]U.F.R.#.6.'\..$y%g......F.o.Zt...c.].t..(f..u..<.9.e..de1....I.....~...w..vv..jZ...L2.g..77...3..H..G4f...5{...........]s7...YS)..jp.S.N.53.O&H.Y...........W....tEa*..}R.j....I".i.c42...R.-.L..}.zSm;K@..A.3......%...$.....an"rlr...d......,....9Uc...7F...u1.c.t9.,o..e.v.u[.]..;S.vr....4.k...%...#".B@V (..T.H.....L..C....vmDP..P..G.YG..b..1q....qB.B.$..l>...R.....'...~..7..S.W.^:9....|r.r.b......._. ...3x....^...olC.n.....o12..41--...O.F.

<<< skipped >>>

GET /-o3bkrf-qs0A/VKqAyof5pQI/AAAAAAAEOsw/vJqd_lEwam4/s1600/unnamed.gif HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 4.bp.blogspot.com

Connection: Keep-Alive

<<< skipped >>>

GET /ajax/libs/mootools/1.3.1/mootools-yui-compressed.js HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT

Date: Thu, 29 Jan 2015 18:54:12 GMT

Expires: Fri, 29 Jan 2016 18:54:12 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 28377

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Age: 57533

Alternate-Protocol: 80:quic,p=0.02

............i{.F.(.].B..2..Q..d.........I..l/E..F..IP ..$........=s.s'c.h.R]]]]]]]u.......mQ|(..28\M....&Z&e.X...h.......m....|....G...j.....b....lu..ev......Q6.1M.d...I.].....Q.}/...<8XD.U4.J.6;... .?...,.{~|.*.....].b(B....d..s~.-....?......EY..e..i.\...Ww.2.)..yr..=*UvNy..S..j..T....~u?..$....2..%. .{}'.........Y6Woo.r1....jX.:.e..l..^.?.x...._...U......:..oo.eQ*.}..F..I../..d......Hz...t............./..X.X.....t..=x||......f5..].h...J.^...O.=.gBr...?$?.......'.'......q..h...Q.......8.>qv...<.B.vu..~.......#7...z:.6e.Z.s._....t...Y>....U....8..H._a.p]........1cb...,Od.......].........;sV...........&P.5...2.&.S.. .f..j.....-..(...,S.D.x..,....u.......$..!.aC;.w.P.q.f....*.'.^o}......Q.0.wX.&..>J..W.:Y..v{.5^....i..P=7a.*..!.V..t.Q.=.K.o.%0..#.Sr.J C.cT...^c.7..9N..AS.8.W.o.g.-....^...\.;.s.......%$....x_.Lo..`(.2...$.._........ht.......Ye..90-..}.Ze..2......}.b....%..U..2c.n.[1.w..Y2$.F"...r.U...X......CA....),...?.....}X.>...|.F.{.5..t&H....P.....M...A..........~T..w}5....=}...*...L.(n.....s....^!.....{..0...).Vn...v.1p[.>0.l.....a.:...M.W!..Zf.|.`..P...U.4..],BZ..Z.....QY.,^ X].......;..c......u.j.s......U77f..o.%.2..L..a..E.h........Qi^Q..e........./Ap....@..D.v}...0r.w...V.....i.T..G..fsf_........E..,.....A.b&I.R..p.o.......<.....\..7F....H..........;......[.`....u*@.....h...p...Zuqa.} ....,b.2.U.j..t.7&..l..li....oSX....QMy....^Hr....,..uj. ? @b.(..Z.....i.......v..O8@.J.'......y..\R..]........3.{z#....r3.r7.;.....g....s....ck..~28.'Sk.a...R}.<..m.. .......iM#..o......4...|.T|.

<<< skipped >>>

GET /tc.js HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.tynt.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "55f4560298442d75c07545e2311e2575:1421262147"

Last-Modified: Wed, 14 Jan 2015 18:51:39 GMT

Accept-Ranges: bytes

Content-Type: application/x-javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 4157

Cache-Control: max-age=259200

Date: Fri, 30 Jan 2015 10:53:11 GMT

Connection: keep-alive

............kw........\m...8.J.P.qZ...i.b..Z-B...$l.p...YI l.....&........m_.[.....N..d..j.7.<8.i.e..XZ..(j|..a.5>.L.W...9..9..c?..p.X...N80..X%...YgG.9'..W.0V>.sc0.e.&.A.W"m...VB6..j.xm......d.k. .g.E.D.< ..P.o._uI1&...$S.o...p.;HR.O.|.d...]...R...j.S.>...bA.....X.T.........T.#!.....lE.....s`>..3zA..K..*..qC.W|...vg .L1....,..R.F.i.'2.`(&.0I.|....{...r.."......0.r\IR..*.yx.....>~.*.').4.#..6Qz*b.w.>....v..y.`.......e..F.K...S.....`Y..l9....m........]X8..m.7p.g...S.i.v....R.{..-.0....{....?..}.D.".9b...t..4..v.>..uw.e...<.gZ.gmP..._t...vIg_.W.k.#..was............d.tQ.S>.....1..DNF*..#.........A..?K.5.w..ok."..Y[.`.X..2...h...s.iRir.VZ6.o.".{..........5I(...2.....M_.6m_y6ao..Il....^........./....??..........! R0>a.E..:~.&c..3.i...>............1H..H.A>.I..l....Hw....w.....}:/.<O'.U.x...\.....d..w.......U^.Y.b.v..3I......L?.]:[..\...0H.........p.w..(..W-..h.V6.B@.@!...q.d....(...R.{.V..u....p..&q..p..G"..EL..@.;..N.C...ny=.'cT....5}..D9.k7.......!..H...n..\....:.....4...|....#. ...u.A...!.[..P...p..I^.N.P.yf-.5.......>..[.v....o}..3..A...9.....mb.V.ABX7'.....V=......W. .l.%.)....=`..t.....4=8....t.cu.8..@.m......J@A.$..{ae.....7...=.`......3F.(M.......... ...L..}.J.O...g!.%.m........K..........I.....a..{H.T..."E.sz..h...A...V..&.'...z.I-9............(.5....z..H.F......>..W......s. j....t...<i....?\e.......`..)..x....g...T..uh.DZ.......?..........z....7o.............O.I..`.^\F.8..K.|ru=.}'.-`)...8..Y.....6\...=...NE...?.t...B..D....u.P........V.?........a......u

<<< skipped >>>

GET /ad/js/deliverAds.js HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.addynamo.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Length: 1435

Content-Type: application/x-javascript

Content-Encoding: gzip

Last-Modified: Wed, 12 Jun 2013 07:34:18 GMT

Accept-Ranges: bytes

ETag: "039203f3f67ce1:65a9"

Vary: Accept-Encoding

Server: Microsoft-IIS/6.0

X-Server: www03.entelligence.biz

X-Powered-By: ASP.NET

Date: Fri, 30 Jan 2015 10:53:01 GMT

...........W.o.6..*.. ^....mjj*....k{k/....$....r.........R..m.*...~.....;L#O.q.=.,..bF.vM":.FT....W......x.H...U.0...H(.'._.A....C.]._.#\!..|"x...4L....."....?...q.l.D;V......N..;.w...t"...z..9}2.<..x..%.^.0.eF.N..6.|...I(.AB.....Y...k..!^.1..Z...W`<.<.:.$......<..c..C...E#1n6...v.....D.#m..Vv....X.t.M:.0..{.>..n...4X..<,..U....Q.p.. Y".n.....|M....18.D:H...Y.I.&q6]r.h.....O...._[.ga{.d.{...a`......P.>..>..Yq.YV.g.vl....jG.l..?-\".....u....q.}.....i267^.E.v.k^2.R..A.t..,.g.3..o...BF\.x..>..>.}u.......{..]........T.<.%.A4.....M...[........!..o....^r..Y..h.q;d..j$.l....:`..0 ..4LGA...6.y1..q.T...V.k.N.{...rJ;0-..~~mA.|gJv.:A...!.......7}...Y.^.xf2..H...R=..w._jM..0=..D..F.v.{.WS....B*..3..8.|...I:H.......\)1|.Fq....iZ.(k..B...@.....zv..~..>g.1.........wo.~)q.;q%.`..T..^.V....K.W..){.s.[]r.....T _.b.hC..{^..f5.y.:.........m..o.......\tA<.../Te.Q.r.Zj..4......t.>......a...-.....Xv.E....Q._.._....1M....w.T.)Q...X.}.....'...SD'..1Qo.g...d".g;.j...)l2.".#.U.Y*.K.U*#.{..A.....<za.}OyXY'.V..T..,k....z)A....g...i<......za...7]...8..[.......5Oo....W_/..='.......p...D.J...q..,z.?4BYX..NN.....qh...]@.T..?.........P......K..q.jd..!m#..aL..&Z..g..>.!.$.c?.i.O.r_....c...X3...j..CN'LK.G....8..4...y..1A..o..E.....xa.U..x<.C8`.E1... .>..YH...!8..)...'..O....c.3 .... ..........Z.j."...[.....Q.S..t....&.....AZ...~C.P..A.......!ZmU..^lAh..?.$Q...k[........P.P......v....|.......J...w........ ...:kk.F.v............Qv.&$........?........

<<< skipped >>>

GET /deb/v2?id=w!psytrs8y6gmn&r=trollface.biz/vote HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: de.tynt.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Content-Type: application/javascript

Content-Length: 2

Date: Fri, 30 Jan 2015 10:53:11 GMT

Connection: close

P3P: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

{}..

GET /widget/usytk7tkcyx3.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Fri, 30 Jan 2015 10:53:10 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/classic/04/411.png

Set-Cookie: uid=CgH9JlTLYpaMCyhBzwnxAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

0..

GET /show.php?vs=&ad=286387&f=300x250&a=956646&s=MDhiZTA0ODk4Y2VjOGU2MzBlOGVjODY2YmY4NDgwMjM=&u=586654&si=742431179&di=5811174&ci=16&cc=CA HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yllix.com

Connection: Keep-Alive

Cookie: fc_286387=1

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:10 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding

X-Powered-By: PHP/5.4.36-0 deb7u3

Content-Encoding: gzip

1c9............}.M..0...H.......1.m..U..KK..T...!........V..u.[.a........=y1.2K~...."......g .R~....'s...,oA..$....K..........Iy<..c?,.V&_e..T#.l..D.f..igr.X..q.3.5..[...0.KA...v.a.......p79U$ mO.`.Y6.1.;..8....J.|... m.=.......|B..H.@...?R.._&-.5.4=...[R...d......1..}g.FG.h.....e....@.2;..SN.(|.6.h,.4g'5{.>..xo.l0w4n....b`.:..a...m5.^u.h...Z,.....A.RE..Q7.58..|..Euo.5...{V...@..............=.....4....f&,7...a...0-.....['.5.C.q...k.b.....C'.y........%A........0..

GET /small/03/328.png HTTP/1.1

Accept: */*

Referer: hXXp://wm.sumohit.com/cf.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Fri, 30 Jan 2015 10:53:04 GMT

Content-Type: image/png

Content-Length: 325

Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT

Connection: keep-alive

Expires: Sun, 01 Mar 2015 10:53:04 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8...... .D#x.%....v!0Z..A.A......\Y2#j...5d.^.jF,we...........yU...z.1z/.....8..m".a.....N.7....$..`"..`.q.s.^.... !..,...6..I..|.;.'.t..x.y..?.K..........0V.6..o..V.....'..=.=.Z...7.N..u..U.....Y.I.>.......IEND.B`.HTTP/1.1 200 OK..Server: nginx/1.2.4..Date: Fri, 30 Jan 2015 10:53:04 GMT..Content-Type: image/png..Content-Length: 325..Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT..Connection: keep-alive..Expires: Sun, 01 Mar 2015 10:53:04 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes...PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8...... .D#x.%....v!0Z..A.A......\Y2#j...5d.^.jF,we...........yU...z.1z/.....8..m".a.....N.7....$..`"..`.q.s.^.... !..,...6..I..|.;.'.t..x.y..?.K..........0V.6..o..V.....'..=.=.Z...7.N..u..U.....Y.I.>.......IEND.B`...

GET /small.js HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: widgets.amung.us

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Type: application/x-javascript

Last-Modified: Wed, 31 Dec 2014 16:34:54 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sun, 01 Mar 2015 10:53:09 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

86b.............Xow.:..*4/.......e;.....B...r8.c.!$Y.@...?r..h...yx..Y.dY.I...|..w...Pp.iR..d@.bJ.....G..........^.....tB...3...L...>u(W..H.#|./.=;.M... p0...Ja.d...0......}...}J/.rH.."0...&..*..&.....].....;.\....T....r*q.RT.x6.DN..~..W.....&$IQB9X{.0$.b.!....hx.&D.....%............U.'....W..@d ...q....P$*bs.kR.....AM...'Gh............L.,..h.8C5`I.:..K~.kR..K.....Xc.s..`.......]C.R1....|.w>.........!..~.&W....Kd..D&..,.y...>.qbL.....5&y..z....G.....Y.N.&...x~..4$.!....H!.h....w.j.z[.5t....f)x.5r5f^.y.[......Y|Zf.;.6..N....A.0.g..\.Lwn....B..$..h.oa...........]j.%..v.Z..?]N... 8-...l.......t:..oj...h7*...5f6.{......[..N....W..&......e...s.4..^.....Tg.T/u...:=.\..l.N....[.>j7.t.W*..l.....Q......o&.:n\.0.....O....3...<5.}.<5.....t.....^<V...f#w}_{......h....N.,../.k.:...3...^....r=....O.......s.\~p..L/..vu.3.U.6..!:wU... gD..........`....N..6....r..."}..n.n.*...........R..D.:,...G...]......*......osO....&......B.h2.... )....M.p:..$u...J|J....Y/.;I..S>.dW....Ey....FI.........W!$E.NN.%..t.."L..sA..p%B.. .R...|*T ...RY.:<-."[.._.(,..&C..}CV.......5.A#H4.&'.@_NX2L..TlH@*....qMr."...<.r.09.=...b%...<U..]dj{..2..5........&..2*R.&....S"EfM.Z!@L...?....Q.....w!.V..A~.mY.GL....[y...&....(."th.J...t..&`.&......)..Ct......R.5M.D...g....R..?:eR..IZ.l.....&.m..1...!......y..... .s...X...<.....2). X..3.....1..y.G..c...,...(... ."|..%..YdN..._6.E..../....}V<..K{......p..p.7..C....^.$.dvMr.OPv...{..;.:..[...D.......6.*6.O...K.sL...!.C..}........W..l....2..Z...1{....&..S.....k.C..|0..w......

<<< skipped >>>

GET /img/logo-16.png HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.blogger.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Tue, 27 Jan 2015 17:45:21 GMT

Date: Thu, 29 Jan 2015 07:52:13 GMT

Expires: Thu, 05 Feb 2015 07:52:13 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 279

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=604800

Age: 97261

Alternate-Protocol: 80:quic,p=0.02

.PNG........IHDR................a....IDAT8.c............h.cL.........(.e...e@.P......?...........#s.. .$`@2T3H...h.(vq...I.x..9.d3H...s.!.f ....c...0.....KB0..3`U....bD.../".@lt.....@7.(.`^...`t.`5.[ .B...........H........HH . [...$..K` ..A8.)).p...y....O.........9......IEND.B`...

GET /-mcc90_3G694/VK1JjzkAFCI/AAAAAAAEPqg/OyqPpsMg5Gk/s1600/00.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 3.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v43ea9"

Expires: Sat, 31 Jan 2015 09:28:17 GMT

Content-Disposition: inline;filename="00.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:39:47 GMT

Server: fife

Content-Length: 21075

X-XSS-Protection: 1; mode=block

Age: 807

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d.......................,...............................................................................................................................................................,....".........................................L.........................!..1.."AQ.2a.#Rq.....Bb...3r....$CS..D.%4Tcs......................................<.......................!.1.AQ."aq...2.......#B.b...RS..3r.............?.....:........`F........E....H....$..d.7~[#.k......$.. _s..?.6.:F}.....]n.T..n....1...m.n*.O.u..Z[..A..>.5.]Z..K-8.....A.6....jy|.bn:X........G.rrZ..0..r.X..$..T}?D.....ucfO.I...X....VE*ve...8...F.d.4.........qb.F...IqN|5........y.H.G..`...$3KL.P.C2..v.%....P.P....6.|...O/55G* .)....J..BFT)..q.Z..~p..Dy..qr.\/,......=......|UJj...S.. 1..C"... .2.vk-...v.........5.QM.S<B.s.x.U.H..F.$(.kF...7.....2p...O.Y.....V"..`.okbL......2..D..u....j#l#."?T|.....@.........*;.'c.]....l....m.n....\BeJz.h[....i......#.Jx.~.z........76..r68%.k.z*zV.....f{F")".(_....fs..cOz.V....R..3)q..8...e!V .6e'b.S.....a.. .~~.Y...@....s.PC.Zy.Pr.]B..$l.Ym.I.@.....E........U......\....8...r...[.*.j.|.|~.|6]..0y...mZ.\.....O@v..?.q0....$)}@...>....?....9........tv5/.P..y>C.... q............p........e...X......K.&2.....>.........N..Q.........5.......MW'{.>/w.......6P......O.......5..<.../....%...R?...)OM-....3...0{.....>g. X}..|....0S%..........N._g.....0z...?..p..5......=..^..Kebf^T./._E....PbG {...[.<'..#.?..).....

<<< skipped >>>

GET /pixel?google_nid=simplifi&google_cm&google_sc HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cm.g.doubleclick.net

Connection: Keep-Alive

HTTP/1.1 302 Found

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Location: hXXp://cm.g.doubleclick.net/pixel?google_nid=simplifi&google_cm=&google_sc=&google_tc=

Date: Fri, 30 Jan 2015 10:53:11 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: text/html; charset=UTF-8

Server: HTTP server (unknown)

Content-Length: 295

X-XSS-Protection: 1; mode=block

Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 30-Jan-2015 11:08:11 GMT; path=/; domain=.doubleclick.net

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://cm.g.doubleclick.net/pixel?google_nid=simplifi&google_cm=&google_sc=&google_tc=">here</A>...</BODY></HTML>......

GET /pixel?google_nid=simplifi&google_cm=&google_sc=&google_tc= HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cm.g.doubleclick.net

Connection: Keep-Alive

Cookie: test_cookie=CheckForPermission

HTTP/1.1 302 Found

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Location: hXXp://um.simpli.fi/g_match?id=&google_gid=CAESENgPIAiUVi0jv3eljxknN3o&google_cver=1

Date: Fri, 30 Jan 2015 10:53:12 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: text/html; charset=UTF-8

Server: HTTP server (unknown)

Content-Length: 289

X-XSS-Protection: 1; mode=block

Set-Cookie: id=223d076a6a0300d7||t=1422615192|et=730|cs=002213fd48556f693ae5c022f7; expires=Sun, 29-Jan-2017 10:53:12 GMT; path=/; domain=.doubleclick.net

Set-Cookie: test_cookie=; expires=Mon, 21-Jul-2008 23:59:00 GMT; path=/; domain=.doubleclick.net

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://um.simpli.fi/g_match?id=&google_gid=CAESENgPIAiUVi0jv3eljxknN3o&google_cver=1">here</A>...</BODY></HTML>......

GET /pixel?google_nid=simplifi&google_hm=A2BCADB89762CB54D84AB87B024B7D7F HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Cookie: id=223d076a6a0300d7||t=1422615192|et=730|cs=002213fd48556f693ae5c022f7

Connection: Keep-Alive

Host: cm.g.doubleclick.net

HTTP/1.1 302 Found

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Location: hXXp://um.simpli.fi/g_match?id=

Date: Fri, 30 Jan 2015 10:53:12 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: text/html; charset=UTF-8

Server: HTTP server (unknown)

Content-Length: 228

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://um.simpli.fi/g_match?id=">here</A>...</BODY></HTML>....

GET /callertunes/lindaikeji/ads/banner_160.gif HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.mcomm.ca

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:14 GMT

Server: Apache

Last-Modified: Thu, 08 Jan 2015 10:37:05 GMT

ETag: "1000ed-50c219f091410"

Accept-Ranges: bytes

Content-Length: 1048813

Keep-Alive: timeout=5, max=256

Connection: Keep-Alive

Content-Type: image/gif

GIF89a..X....*5G.......pSI3,rUJ.fP%$$5FV645......qq.igg..m..r......NB5xvw...oG4.........DVj...i..{.9.XF.ye.{.hdXRRJwif.f..........$...xv..w.O5$!....5'4...Jd#...B7ASJG...n.6$. m.H..........xUD..Peu.z.d5*...3&&........YeXl..................#(3wti3H.CIX.......si.!)...THW.v`..........&...tuju..!31)igx............&17......BR[gtx.f@..Z.. A...je..c..............s....,}......l..........j...kR.........=b*..e?....X4.zu....RN....j]D....Z.9B.....&.........ZB...WZc^.%...w......JRH.u?....C!..9jtg.)0..O.......@H.............Yc..........ku)4.8..j. ............k.....z^A.WY..]..`...[})....kv[ZZ.........JJBJJKRRR...AB?...ZRP[ZQJBB................................................KBM...............=BK.........[Q`............RR[...AJJ......BJA...QZ^{c..........RZQ..............................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:55B347279689E3119CDDA4C983515C87" xmpMM:DocumentID="xmp.did:62746F88972111E48817DA7C28E5F390" xmpMM:InstanceID="xmp.iid:62746F87972111E48817DA7C28E5F390" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3A754

<<< skipped >>>

GET /classic/04/411.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Fri, 30 Jan 2015 10:53:10 GMT

Content-Type: image/png

Content-Length: 1487

Last-Modified: Sun, 13 Jun 2010 09:03:09 GMT

Connection: keep-alive

Expires: Sun, 01 Mar 2015 10:53:10 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR...Q...........p.....PLTE...rrr..............................ttt...............ppp........................zzz..................\\\(((...555.'-...000......EEE888...---AAAQQQ===}'*h$'XXX.&,.7;.7;RJJ.#'.& [!$.\_.&,S..2. .' W=>333fNO9%&kKLNFF.UX .EJ.UY.',$$$.QU2((.KNJAAZZZ.MP{%(.KO...^...EI....@DN')|KM.IL= !&&&~' .UY;()<<<eVVN()...9...IM. $.JKMMM222y\].IM:'(:::.KO. $.KM.',J89VNN_FF....@E.' ,"#k.!...s. ..........#(F==,,,...$...RT.QU&...&,nnnS89xxx.EH@@@rJKX.!.\a....<@`&(.IL~NP^^^.<Akkk...J#%___.\^.QUeee///...E().@FOOO (..lVV.VW>>>lAC...111TTTcccbbbSSSmmmUUU...PPP.!&.',IIIaaar\]WWWBBB.& LLLGGG.'-CCCggg.%*ddd```]]]YYY.7<999fff???hhh.@F.<B.EJ.QV.\`.UY.IN.KP.MRjjj[[[KKK"""VVV'''...JJJNNN%%%...RRRFFF...........tRNS.@..f....IDATH...wS.A....wATPDps.Q.1....{.....".......&%..0.....%.p...W.......{..0.d..r.....V..w}P.".....Zj..r.5Ern.N....../!.8....). B=E.......!..kF K%.q.O..M|&sG...h....o~.>.Qt.Y..6[.......}.w.EFD...........[.......[..e.Ek;A.....aP.rVP.@t..l~..u....\..lv.8.....{...."S.?.6....zO....Z.....0._.F.....K.....8;.....`.2......C.0.........I"@%Q......T.Z.o).M).._8.......Q...-=..S.)}.....HJ..$.....=`.@.....&.U"*..h*.(.'d......m.........7......0..zQ...2.......... .T.).O8xy.C.#..v&De...@.. ...w......[..$.H.........!F.8~.qv...\-3:...Jn..mo8.........|n..K....`o-..........^w........`X......11.xb.Q..BA....,..TYL&....g.4|.....$...E'....'# ...=.#.....9'.l........q.M..q.oh...&....x.g.(,<..q.;.'.{x~.'....c#=(..z5n..)......[.F{B..z.c.......s.?.<...2b.....IEND.B`.

<<< skipped >>>

GET /widtemplates/smalloutline.gif HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: widgets.amung.us

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Fri, 30 Jan 2015 10:53:11 GMT

Content-Type: image/gif

Content-Length: 439

Last-Modified: Sun, 18 Mar 2012 22:00:46 GMT

Connection: keep-alive

Expires: Fri, 06 Feb 2015 10:53:11 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

GIF89aP.......bM.nX.82.G:................zc.....z.UC..n.'-...00/...555.......................................!.......,....P...... $.di.h...../r..l.x..|..0..At....r.l:...T..F.."#2p....xL.W!.B.1 ...WyN/.#....(*.u..Lw}.x.CF...tw...........b.E./p....@yD....~...Kwj.}.q...wWY....`...V...E..H...0.35>....-....&.0JI6...8.9..rc...v..........b.sar2..G...}..<...!<x..Dtr..:v...K.1# . ..|..]E(..4....#.w!a*...b=.6[....%8.3_....`..%7.sini..1.B,......;..

GET /swidget/fapcfmodz.png HTTP/1.1

Accept: */*

Referer: hXXp://wm.sumohit.com/cf.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Fri, 30 Jan 2015 10:53:04 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/small/03/328.png

Set-Cookie: uid=CgH9IlTLYpB5A3RreyyNAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

0..

GET /quant.js HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: edge.quantserve.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Connection: close

Vary: Accept-Encoding

Content-Encoding: gzip

Last-Modified: Fri, 30-Jan-2015 10:53:10 GMT

ETag: M0-072a287f

Content-Type: application/x-javascript

Cache-Control: private, no-transform, must-revalidate, max-age=604800

Expires: Fri, 06 Feb 2015 10:53:10 GMT

Content-Length: 3028

Date: Fri, 30 Jan 2015 10:53:10 GMT

Server: QS

............ks.6..........I=lY......t.m.....e ....%.........O..v....b......W..E.P%.....9...........{....5.T.3yuq.D......<.h5..9..Z.!)g..9A....U........=K...|......X..4.Q...!.......y...yP'En.G...qvA.{.E.k.....4 V..|..j..O.Bw.2)t....M~.53@Y..l.v.....5.=......ou..[C..y..v.~.%..k'. }......m...=.l.....\...A'.....% "..A......." ....I.....Q.zN.|..3.r.....L.q.*...TD.h.;..Nh.!.."3.W3oq.X./.W..y..9..<.]...HX......n......q..QB.'Q..-.h..).Ib..|.uly.4...&.`y.[....t&....kJ.\..`....m@.UZ9P.P.&y...P;.$....Nw.G....9...=.....R%..2MjCszZ.FN...7..>. a.~..k.F....T....X..j.[.P/.<.u..6.WTT.<..O..V..2....w..V.....Fb..E.......... .Y..l.3k..;.i.0..{....:..v<...z.J...<..Bp#.@..7..f....c...n.v...yq.\.!#@.......y...-. .W......l..]Eatu}y..q.\...zv=.....Yt=..W. .......Wa..aJ.t..U4g..y.6........L.. v.2:.f .n.M....f...%....ry...K..:.x.K...yx.Z..K.b3.\\..r.j7..<.{0'.&.S...#."\$...x..4?*iN..!r........z...p.?.k.~In.....?.!.}.d*N.....pH5!k.(?...[D.r% .6iN.J.\..........s...Z\......R..S.....-%..F...._..U:#R:....../.....p3...-....?..G"..)....P.9...2....(..L......=q..O.*...;q.5..&..........iA{.$.....;..R.c...!)B.....U.t.B.....u.,.V.y=v...HD..~W-..0.w...Y.........>.....FC..cd..q........*9...-I....CN7)....d..;..(O.j..|i.6..9=$[Z.......sE.[ .<.e....l........lW....h....T...............t.t...u..'.......\..n'I>........eM.N%(.:.....Hp.........&...(F...../.E.#... _5..O.RV.....w.. ..5%'h .t_.n...I.#.i..Pl....4a...EX....-..g..='.4.&4m._..p..Ck...!.*o..6=/tb.e..o.....l-d@...}..Ea.\.}lJ6R..;.S....qs!Y...c.:U*:.(.....l.......,b...y

<<< skipped >>>

GET /banner_show.php?section=General&pub=586654&format=300x250&ga=g HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yllix.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding

X-Powered-By: PHP/5.4.36-0 deb7u3

Set-Cookie: fc_286387=1; expires=Fri, 30-Jan-2015 18:53:09 GMT; path=/

Content-Encoding: gzip

4e1.............V.r.6.}.W x(..I.b..Q..r.v";m..n&..H..M.4....... )rb7..-,...g...M./f7./Q....~s.....}B.l_.2.M._?...P3h.YI...KA3B..0.......j....,.2......1..}}`..:......3..G.4...36....Q.4EF.g.._..B....g..a.9)...51.C...TL..^.=..#N.../.:..Q.c.n._.@.F....A.=h.....:.\gl|.e|.r.s:"nk4..!M.....Z..=q..e.AJo2...4..4..Ia..u.D......hA3..`.......... .U...Rk..Z.z......>.1[....q...l..xc.."....g\..T...v;'.s....;0.y.T.=b.s.0E......B$......^....r..[....S....g.p>*...u.3.........(i..H_.r..i.|...h^.i..z.v..J...h.[..;...n..k..N').{v..........~..5.p.].....u...\M...v.|W........u.n6O.v#.p....G<l.HQ.^.a...NC..a.2....d...o......#.Ne....YE...D.b!.1.D.H.sUdt3.RX.../4.1.bE.N..qmIKd$...O...wC...J...X.4..1....R.6.$.F6....k.E%"C....h..0.Q.S...dT......]..h.T@.FD.. 6.9r./...yA#.D.T....[....g...U...M...:6....6...(../R..u.Y.sT..#.R..vxh.r.7.-].m...B.....l.......E.{...Y..Jh..yo..v......~.3.|.>.9...k,.L~L.....5.....V... .D..i>..........`...(....)p..b..&....vv..C.A.LF.$....2..z....(.yh.d.(xG.G....I.|.o.F.H.I.H..sQ-.. z.......R.-A.J.,.B.R...,Y=...p...X.......:.J#p.|......gK....n..................@.z`.E.0 .]..,.JxB.....,a.:..M....Y......}.{....W..mM*...W.j...6.....~^k;h.H|...(..\......lz./......m.......;...Y$..k.}...$_D.............. ....Z.@4....Ar...">...q.=~.|m.O.........%......0..

<<< skipped >>>

GET /flash/jquery-ui.css HTTP/1.1

Accept: */*

Referer: hXXp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: websource.website

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d21f0cd7a75f84a7363c8618f1a3423af1422615192; expires=Sat, 30-Jan-16 10:53:12 GMT; path=/; domain=.websource.website; HttpOnly

Last-Modified: Thu, 27 Nov 2014 14:50:35 GMT

Expires: Wed, 04 Feb 2015 10:53:12 GMT

Cache-Control: public, max-age=432000

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1fdb2e470534-YYZ

Content-Encoding: gzip

1440.............]m..6.. ....,.>....v#..........p...%...,.$z.3.......EUQ....I.V=.^.....E.'Y...O..d.V.....m.......z..R........2J7[..u}1..........N.t....,..j..s .J5.m...]%.m../.V.....?.I...lWw..F^M^.Rw.$.v....W..vU.?>..7yo..r.|YK...u .Fvo.n.l.........Z./.(.x..v.......^..|.:'....9F..sv2.:.(.a?N.}..^UeN..Oe?..Z.X...s..V.V....j#.._..$~..../Y..I..02.T/.....K..n[....._......q...c:8. .....\.....".C._.s..|9v..Ty'[).....1~U.Q...j.uL.....y77ob=..X.o..u...y".C..~w.....u..p.?av=.LF.9..<...f...9..e.U&..}..U.B^.)jlD......&.v.N....iv.t5...fk.<...A~.]`....~.lC............./r.....j.>r...N.x.m...N...>P.a.[.........R..*(......$ev....Y.e.......c-.~.....nu}(...9~.6.... ....s........M....eb...T.u.K....$.....*D!.....,..TM/M....=mv.j...B?..1.<s%J..Zr#AD.6.......A.....d...S.S...p..WNd......A.}u.|..*...R7.-rIJJ.@.....O......F.T...Y..h...S..0...Z..F....p........8R>..a...g.iUXh.s.{..<^....F.y..uM........[.......)...........|.._..8.[r.Cw......o.......^.0.|W../.&.....].#...y):a.U>a6LO...h%I..2!..........g.@.?>p..4.s....'.....V......X.i.....Z=...N..X.D.!|.....<.c`...,.....A..`..!..8..9...S...fH...(1Rt.~Me.. E......b0.G.L:A8..q..a....`@.....YH......L..aB0@>..y...^..}b.....I...X. ...u.....O.k.5.dl\?..1'U..F..d4.b,t..B2@Ws)`...H.../.d..J0.d...S@6Y]1....Lb..2.^...v.@Y.MU..f..Ku..x..u....EK.;i.]..."..NC9.......\./....R....X.I$c...$.1..s.....LC...O..X.i,c .r..X....r..B.....)2...:..8.....&......p..!..........h>.p..!...p..G......M....j]620Ww,..1..t]..j..E......H..t .'.8E.J....qDB\..H..A.X.......TD~....Zs.c.(.

<<< skipped >>>

GET /flash/core.css HTTP/1.1

Accept: */*

Referer: hXXp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: websource.website

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d21f0cd7a75f84a7363c8618f1a3423af1422615192; expires=Sat, 30-Jan-16 10:53:12 GMT; path=/; domain=.websource.website; HttpOnly

Last-Modified: Thu, 27 Nov 2014 14:50:22 GMT

Expires: Wed, 04 Feb 2015 10:53:12 GMT

Cache-Control: public, max-age=432000

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1fdc3e690534-YYZ

Content-Encoding: gzip

1084...............n.8.Wt...`-...-c..8/.u6M.&........-.$9.....CR.)Q....H.R..!g.y._..E1N.w......L..~.".q..e.....|..,H... t.".M..Q...qD...(...G.a...$..n.)J...l.g}.|D.,Hp.h......8.X0{.T.1.....8.M(.b...F.......v..%......zg.@.....%.[..v..l...<\.D#..I.....!q.N..P.'v..)..u....K.au8...Lb...f.P.6.=.(2....M...o.ki`N......b.%..@M.:.6... .t.q.A5.".dZC...I..W.Q....s.C.A.W..c.E./8`..l.;gO8z-.].>.`.......B=.eD.....a0{wh%,.@.V.C..{5x&~2w...bQ....K.".I>...1.q.*...m.......,...'qH...R.=.^l..x.62.. 6dt........,_[.K.7]t..d(.e...Jn...>P....F..k..t...X.Pd.. ..b .....f,..McF.....k.V$,t..\I.....V?\..B.....Q6cRr.....!.}..\'].#T...$.....=h..e....>....;.....'.b.][..a.X(..........>~"..C......Z..Zy..l.d...a.....$..f.T.l..E...M.h..l3..J....B. ...h........Y).v.U.Y...H.&I!....EE......8..K...3cN9*.Fh.qS.X.. ...E>....d...pe./..p5H...j.....t4..o.Z5..m..".%....5~...Z.......]_^5'....n..^...o...=}j.-..i...'o.=...?..........N.o...h5>=.#r.&w4@.....g...W2....{.8m........x5:=#.......z..~..z..]9_......G...t..\.XozA.....M..|rA.4.<Cw........3.]..?.n..]..v....q..|{.....]...|./.._.o.......?......3...ZYCg..!0......7<y./........}..~.8....9y.,&/.{X.1...~.......y.... g.........~..:..........}[...........3|.k....~.>.. .32..St.3.`nG.....S..............v4.t@.....r}.S."{.....}..Z4."U.k.C..I.7;.Z..8....t...d....7...?....-..',|...... ....C#...,..1.........."M..&...)......j.....hW....u.;...$om..)...p.v..4...f.....,}.....$....H5,.<..)..'|w...."so.o...lu....v...V\g..@\.....}..m..@YF...gK`....x..q...5u..4...0..'.a#.w...i..\.*E...t......

<<< skipped >>>

GET /flash/html5shiv.js HTTP/1.1

Accept: */*

Referer: hXXp://lp.showres.pw/flash/ca.php?st_xh=NWRiZDhmZTU0ZjQxZGRhNzE0MjI2MTUxOTA5ODQxODQuMTA3&no_tr=YzhhZGYxMDU3ZjE5MzZkZjE0MjI2MTUxOTA5ODQ=&nr_tu=MzguMzgxNDIyNjE1MTkwOTg0NWYzYTVmNGNmMDE4YWZiZQ==&gaf=MTQyMjYxNTE5MDk4NA==&ca=MjZkNDllZjM2NjljMjZmMg==&cr=MzAweDI1MA==&cry=Q0E=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: websource.website

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 30 Jan 2015 10:53:13 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=dee59d189370362192e85a18db36fe86b1422615193; expires=Sat, 30-Jan-16 10:53:13 GMT; path=/; domain=.websource.website; HttpOnly

Last-Modified: Thu, 27 Nov 2014 14:50:25 GMT

ETag: W/"54773a31-2528"

Expires: Wed, 04 Feb 2015 10:53:13 GMT

Cache-Control: public, max-age=432000

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b0d1fdc9e750534-YYZ

Content-Encoding: gzip

593.............WMs.6...W.IG G..I..D3..]O2.....:..X..!..@.......R$#9.....v.o.~.L...............k.:.m..6 ..<C..7.K..9QYy...I....1..-J...Uv...|..-.....5.....6..5...X~.cZH........u..rF.=.7p.....Y..,M...B7.....m...|i.W.....M..P....a..f*..Q..Fi)..(.e`4^..R......hij....*!..`=..*...c.9......J.i.q.........8..t....\<...X.U..B..r...Y..$..5x..a..8..........x.~.{qf.(=.:.QI...(.p..L`d8.K..gA@%..J.Y...!..0...e.........Z..s"J%.Z.Po ..SJr.h.{....((........S..s$..M.Ei.c..!D.C.iY.Q..b..t.....zS..P<p...8W..<......4.....K.z,....x...W...BT.&(.=.3f,.E....0s./\).E..c...3?.C..(...H...!!........Q&..~&J.......u.:.\.$.............z.M%.bT.(@....l./.q.Z.....@oG2.~....Exj...S.5./..<=....x..z.~...V.....G=.q.pA..7.'Q....86....6'...dp..H.J.......'.N....U.<Z.$.y.....hg?. ..}7..... .~..A.A..yK.w..{..Z?.2Dt@c.<;......l.K...i{.N..s.\?.U..8...-.A?d...MZ....?.......1O..M.Gq.....QL.....r.....en..Bi!d......<.9..$u...n. '6$....@....l...M.....$%...CY..A.)..R{z.....Lt.Z.>...|i....>.."....C.(m......u...q.b.7.\........$.3>...Q9tl6...d.B.7Ay.%.*.s...|.....T.'c.....n1(......vz..E(m.9.....(t.p.9..c.:.16=..K.....uI...#...f6;=p....z(.....L.........R..A..%....X..].....g-!... c{{./w.......M....#TU.o.K&............V.......4.L.....s .a]1..W..Cc/}..;....$..2Z..;N...n%h....[.1./.2.........`Ih.c.....=.U: .1e*hi..4..ZB....4.-...1.L.k...o.Q...A%.J.R.g8P.z..6.X.4]C........D...#.6h.v...., 0S.....hqd.....X.........@.k.Q....-..xT.....M....N7.............&.%U...(....r n.....0..

<<< skipped >>>

GET /-h3JUlSgQ-_0/VK1KLDMRMgI/AAAAAAAEPqs/TR8XRbZvbY8/s1600/00.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 1.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v43eac"

Expires: Sat, 31 Jan 2015 10:03:48 GMT

Content-Disposition: inline;filename="00.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:03:48 GMT

Server: fife

Content-Length: 27852

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 2966

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d...........x...........X...............................................................................................................................................................X.x..".........................................W...........................!"..12BR.#AQab.qr.3.......$CSU...........T....%cs....45Dt..................................A.........................!1AQ.."aq..2R.......B.#r..3b..$C.%S...............?....jP.p.......~`...7.)....k..-..P.n.*.<..O.a....h....I.v.?...knS$.........5......v..]*tx...U.Kv...a...j..[..T...............k)MlpY..j....`.....h]&.......mo..1.V].v.`.8#..G.[@.....I_`..[..Q.. K........Pd......~l9.......rZG.P]..].hee..5...\.<w.9j..a.#0S...k...YY..nh.{...6K,..x..X./(.\......o.......}$"...,.W..O*/......K~5..:=......(....h.\...,......Ge.&..5.V0.g.N...\.sq....lc...I.....|....k..96w`..;..a.b..."....E......55......-.z.E...Po..t[}..=........n..|oWv.^[..H?sdm-.b@.F...i.8G. .V`J...`.i.....q..M.j]..4x.....[K..R.w..F.\...H. kN.Qs@(....U...I'......<\...c...I/M...-..M;......CR.H..[.G....V,/`7.Ri9...._g:.G.b......$@H$]..R'fR..*.s`.x...\F....V.M.Q...:.-{|.Xq..*|..E.. ~.C.B4<.M....lc.R}b..|...{...........]4.O..._..y......u........j...t=..5...(-...]I_9....U@%.kZ5...u.3.t~ . .X..MH..C...\B.....1mH.ur....;....f.l.....^...P;[N..8..%T.(...ovt...u....]C.'......o... .fm....IU...v.%r.....;.W.}.....o........nr~.......:.........b......wF....y......Z.1...0e._.75...|..A.<.d.C...r8k....{q1...P.

<<< skipped >>>

GET /img/icon18_wrench_allbkg.png HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img1.blogblog.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Tue, 27 Jan 2015 17:45:21 GMT

Date: Thu, 29 Jan 2015 07:52:05 GMT

Expires: Thu, 05 Feb 2015 07:52:05 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 475

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=604800

Age: 97269

Alternate-Protocol: 80:quic,p=0.02

.PNG........IHDR.............a.~e....PLTE...... J.4e.............u..l..e..c{.........................................................................Y}.T|....`v.`w.............................................................[q.............Eq....__^........bY....tRNS.@..f....IDATx^M.U..1.@...A(33.Cf....qR......"..@....*.v&.g...X.="6.Xz.$/".3.;.R\....Mb.((...J...R...pK.OY.0...Q......q.r3..r.v...b...j ..h.r....<._...l.}lY........o%....b..d,l/. .........N...ig.K.....IEND.B`...

GET /1/92a411bc23?a=4058140,2334836&pl=1422596427839&v=476.c73f3a6&to=YlNSbUYAV0IFBhdaWVsZZUtdTghcBRcIVkIbRlhJ&ap=11&fe=1047&dc=1047&f=[]&at=ThRRGw4aREw= HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/1market.php?p=xVZnHcUvikLHCbJuoYbG3ZNh09IyjLo6iAYHWdR0mhLmmIx65IIiiZwliJaHGaFizwaiCII56xImiLImsRIWnYBivocjnIQli1OWiYIuiRL3CcJvwhYmXIR7opbjmIFstJZXSdIi6wISiM91yEdjXNF4kodjSIIusJICnLNxlUYTXNJzjUaDCOI66IICiZIiswIinIBjyFbT3YR2vYY22Y9wsYITjMo4iEaTHZRj0NcTDNo4iQfDSNw1iIZTmOxihVcz2YgkidOzjNAlsJIDmN1jvJYjmIl6sIZCSdIi6wMiCIwxiIbiWO9iiMa2WcxilwXi2I9tzNIjjIo6iITimY8jiJfyQe==

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: beacon-3.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=2ad91fc44b8599d2;Path=/

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: image/gif

Content-Length: 0

GET /b/p?id=w!psytrs8y6gmn&ts=1422596436558&r=trollface.biz/vote&t=Yllix media HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ic.tynt.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Fri, 30 Jan 2015 10:53:12 GMT

Content-Type: image/gif

Content-Length: 35

Last-Modified: Fri, 16 Apr 2010 15:38:20 GMT

Connection: close

ETag: "4bc8846c-23"

Cache-Control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"

Expires: "Sat, 26 Jul 1997 05:00:00 GMT"

Set-Cookie: uid=CgUVZ1TLYpgj9QbHJrgSAg==; expires=Sat, 30-Jan-16 10:53:12 GMT; domain=tynt.com; path=/

P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

Accept-Ranges: bytes

P3P: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GIF89a.............,...........D..;..

GET /-B9TeChMS3A8/VLWjCCx4RMI/AAAAAAAESvc/KYmzd1Dl5gc/s1600/1.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 4.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v44af8"

Expires: Sat, 31 Jan 2015 05:49:18 GMT

Content-Disposition: inline;filename="1.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:39:47 GMT

Server: fife

Content-Length: 23212

X-XSS-Protection: 1; mode=block

Age: 807

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d.......................Z...............................................................................................................................................................Z....".........................................a............................"..#2B.!3Rb$1r....ACQSTacs......%&45Utu.......7Dq.....6E.....'dv..e................................=.......................!.1A..Qa"2q.....BR.....S#3br..4.Cs..............?..%..V.....^.c.XH.%]U............)S...&&9=.K..q..A.....se......>.e..P.z.. .D.p....Y..Y..q%S<...x.....<..P...v..x<.........................j```..........W`...q.p.J..v....&...Q........[..."E.]C..-....c.-%.W..%..BWZ...zNr...0..{LQ.A...d..l..`.}U..=.b.s.4....bBDBCy.. ..V.F.......C......7....]"..S:...L....d.) ".tB..R..>.0. ..,[}.u..S.q...X2..Ct.s...<B...f...E|s..r;5.zR..[M.O .X...\J...H~...Be....b.......L.l..\I1..Ze|....:..$....S l..qy.[.........Q.kO/_=4_G.u8.....r..f.../GM.N..%..,..svg...E.OfzK...e.:...d.Zr)...k..{.; h.....y;.......s.3=o..#...j..].....v.........#..b...t...@N$.)"8<..;p).p....8!...#!.....D..X... . DB, .u.C.#...C:i.....I...X.cbGc]..>j.......C...eN.f1KK.N.R...H.............x.p.T.7..qm"g.....mP......|...M....bW...............A......b...5.Z.^...d.m...T3!zu....?...W.-Ao.P.?..w....>.i~.....<5lgY9.d8.Z_......&y.|.".]r..%.L....u........rf/........D..>5...!....1.jj0.........n....OF.......f.....4...u.[.L.. .".m@......V....j...j.b-.&K#=.....R.<.b....g._O..

<<< skipped >>>

GET /-tgynBCYivZk/VMgdZOklr4I/AAAAAAAEY-k/qplcX1nppmc/s1600/a.jpg HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 4.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v463ea"

Expires: Sat, 31 Jan 2015 06:43:51 GMT

Content-Disposition: inline;filename="a.jpg"

Content-Type: image/jpeg

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:39:47 GMT

Server: fife

Content-Length: 14591

X-XSS-Protection: 1; mode=block

Age: 807

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

......JFIF.............xExif..II*.......1.......&...i...............Google............0220........d.......................,...............................................................................................................................................................,...."..........................................W..........................."...2!#BRb.13r..$AQas...4CSTq.........Uc...%D.......5u.....................................<........................!.1A.."Q2aq......RS....Bb..3r..#$C............?......s...V.w...}:...%,.""...^R!...."W......igR..iSY....B...Z.._?R3...Th.Y.....a......~...Z........k2..J....r"."RDl^Q...#.....u....;......u<?.r..H....q.}~....e.8..ig.Z...go{.un..z..F{..8.l\y.)...q.NO...b...E.....f..`....B$%oM.%. }j....W...W.ItgW.... OU-......T*5.:QJR.R....(.)J.JT9...._....f.....r1..(n;..r.C{.2..|...U`J.u..g.I.V..BT....g../........uA.o.-J.v.m..~.Nd..5.j...n...S..{.!C....Y......g......!....H...V....E.c.N...$..X.*.....~....wR...ko.E..qLi.B...l.[.J..~_...x..o.\..W..\...8n.?.....U....]..s.p...|...i......0......|."........d hT..I..5...t.y^...^ .i./j.....k... \o......JX....2.A..\...j3.^i....k......~.......tI).3#...,..../......He.\...~..K]....|%a.....ooq].I-?<|.).}..W6...m.....L..rb.....c-{Bg..E.H...l7.".?1.U...o.vC.G.H......7...N%..6..<..<..`.5q.W........W.....H. ..`.|...=y.3D.....Y,l.Q.b. &.."Z....."c.....gR.OD...^.k....L.....)..%......?.=.%.h..Te........'|..7&.....l%...j.....#M4.e..J....B,^_W"_....v..$p.X>YS...)[/\....p._.......Za.9N/ . ..mc.~..?f......i.MkJ..yl..{....x.

<<< skipped >>>

GET /-2VhpOMtGi9M/VKq5K-uegYI/AAAAAAAEOzE/LGnSu074gr0/s1600/00.png HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 2.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v43b32"

Expires: Sat, 31 Jan 2015 09:58:27 GMT

Content-Disposition: inline;filename="00.png"

Content-Type: image/png

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 09:58:27 GMT

Server: fife

Content-Length: 98065

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 3287

Alternate-Protocol: 80:quic,p=0.02

.PNG........IHDR.......,.......k.....sBIT.....O... .IDATx...y.eYU'..>..{..^L.S..SefeVU.<1#.6.."*XP8 .b...r....v...j..@&....b....2..y......9..x......?.}.Y@!j..'..x...w.=g.=..o..3..C@D.@...Bba.....DT.@@ ....h....D...4..H)J.TD......1!.a... ..XkY.Y.....YDD EDZi..F@...ZD.;.......'..FB..N..,..Z..9.F$".Z[k.H .6-....,3./$".`v..HJ...41....@............*RJ._1...]..@...ND.u..O....=...O..z....D.]..W....w...g......P.uR..N ....v...D$u."Z ...9.00D........D..A.]WH.E.......J$[....B....1.P.Xf....)[5D...^.$.....!k.....P.......ED......E.1.....RJ....""...f.t~3..I..3..... ........03k.....&...M^D...8w...36......K.?C,.........x..C]....Y....cW........2..l.D@D....03...s.......?..T...h...ED...s.......X..9{..~..M....TvI...=.."*"...'d. >c.Q.r...... ".Z........Y.........E2...J)E]...=""...........u.....R.@.9...........6.... .t..*EA`$....R.....E..8..L.Jkd...'"..8..RJ;.,'...QJuU. .. .....Z).%....t.. .......!.Q...3 T. ...U).p....D.d.....3;..P)......".B..=."R..U..=..........q....iA@....A)M..!"e...)...?..P_......U.....O}.-...........3;fQ@J.L..j..U..E....n.9....:F.m........!.8....w:1. b....3....=.r.hCD.5}....PW,..)R.....\.~;fR.XR.:fB ... .5.....v.Z.......WN..""..cD"...... Y.A.t...._...C. .o..@..A.5_.....<.p_6(I-H.$..bf..DDD.9g.)..Z..R..$i..q.z;.W..Z.1.7...o.RJ)..i..6....1.w...*..HX.s ..m6.......yO...>.R....K.%...H.R..G!R..H!z....Z...E..@..........^iu.<.V....O.....1;R.........x...U..I.>..G]..g....)..KUv3m.%$..?.0;.Q.f ...........7..A`.IiB@....."Z.....s...."...hB...U.....bv...... 03....W..........I...P!z.....9...Hu}5..03.#RJ k..

<<< skipped >>>

GET /-vm21KdojIls/VMQP8OWvjNI/AAAAAAAEXeA/8wj2VMb764k/s1600/unnamed.gif HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 2.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v45de1"

Expires: Sat, 31 Jan 2015 09:07:34 GMT

Content-Disposition: inline;filename="unnamed.gif"

Content-Type: image/gif

X-Content-Type-Options: nosniff

Date: Fri, 30 Jan 2015 10:09:53 GMT

Server: fife

Content-Length: 102349

X-XSS-Protection: 1; mode=block

Age: 2602

Cache-Control: public, max-age=86400, no-transform

Alternate-Protocol: 80:quic,p=0.02

GIF87a..,.w..!..NETSCAPE2.0.....!...,...,......,...j....t..dfL...4...........l.....$.4l.T.....L4z$...L........\.4...4.D.....$D.,..4..T.....DD.$..4......|.l......T.....L.....,.$............t.dD.4Lj......$$.4..lD.$...\.D..4...T.<.........<.$...l.,.....T..TTr,..$T.D...D.4..tD.,.....l..4.....,......T.$4n....,....$......<.4.....L..,............L.,..<..l........t.....$D.$...<.$...|.,...T.<dv......$4.4L.$.....4...........,..Ldz4l.L..|L.,..,................................................................................................................................................................................................................................................................................................................................................................................................3d.!......*4.0a...#B....D../j.......;..I2.I.(K.<..%.. .6..f...2o.....A.<s...S.O.E..E...Q.=.....)P.I.....C........k..f..U.V.Z.m....W.\.u.........%.........r...q....?v.Xre.H-g.|Psg..'{.}92h..M7n...D.l_K..W.m..c.....m..yG....A.6..........?...yN.....^}:...SG...}<....g@..!X.uwF.X<.|..3....?~....T~.~.Xm....e.)...'.P..^x.G. ....J.Q..6.Q..>...........(....x..d)HS.H....k.PC._..`...h..k.......A.O..F.k ...,J..@H...MK.Ed.,.....Ia..K".%W6"..~..... t...P....<,Q..#....j8...5.AP.>....(z...5(...5..DP..t....x.a'd.&.5..cM>|....a.qe..-... ..C..J.i_O*.F..F.B...TSM^}.Um.j..|..'..#@.........z[!.Z. .sidP...A.d.1....>d........5..G._....5..c......H.... .\..(.......n.N.;cD9j....&...N&|..v

<<< skipped >>>

GET /pagead/js/google_top_exp.js HTTP/1.1

Accept: */*

Referer: hXXp://lindaikeji.blogspot.ca/2014/08/b-red-releases-flaming-hot-new-track.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pagead2.googlesyndication.com

Connection: Keep-Alive

HTTP/1.1 200 OK

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Content-Type: text/javascript; charset=UTF-8

ETag: 5892566358262920700

Date: Fri, 30 Jan 2015 10:03:18 GMT

Expires: Fri, 30 Jan 2015 12:03:18 GMT

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 2665

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=7200

Age: 2996

Alternate-Protocol: 80:quic,p=0.02

...........Xms.6..._!q22P....wg..&r..M......t..._N....d....]..(...3........< ...[DiB..Rd...a..8.....KWj..o%.s.=.... B.l5.e...wJ%.5.A:[.g.XdI.-.8u.r.0..fc.......nH`.jY..z......4.Z.6......Z.....zZA..l.V..7..7i%f".Q .4.4.."...@&..,...W|......R..#...........v.{...X..e...k...s..........!G.6.D5..........m.y`.A..T...?J.M.l....%._t:. .NSp.#.y.z..(....`C.`.|.^.%.........b.......[.U.IK{.d/...R.^q.`.. .;..L........K......zO..X.e......Z...s..-....8[.-2......%c....5D..!..=...td.&_......v....o......._.kS.I....A..~..'.a.....o...8..l..\..SQ.Wp./.M.EI@.P.......|._....-..~..%.}/.T...6q.o#1.E...~..........<..$........M.....q.....<..b..ea.V...._."4g...f,...YX.(s.B.e..q...v.. 1.F.....yX.g....... ....\...O.`F..x.a.^...|..%.<..F.o...............2....t7..zl..-........2)..Y.G..Q.....B....P..c........3U..l..L..v..h........2p.N...r.U....:....{gP..TwJ..Q............8.......( s....bE.l....e.B.......>..4.l....9=.7...~'F.<5...C5;......;.2..U....h....n....}xl.)6.....".]B..*....p...........Dp......l..?...)V/.. .E,....Z....uw...2.V.[...U.......c:.....y.b.v.....G..7....X...H.................sY.a....8.M...9.)o._...Z......._..{.w<\]..MG..\&.9D.....&.0.v._..T...#..c..C.<z..75.Y.o...n.u,.e...".......DG.T...~......"^H0....9...... l!...^.R9...N.9.r.6....d.?.V.la..!.t.x.....4..nAh...: .c.....t..3.q...E...4.C.q/UT..{ #..p......qh......P...X...{...."..{W..<.h..*.>"He.v.Z.Th.......A...".`..lB..~...8.....h....|v$.......9.....L..@a........1...N...h.e...7....n.5eL.U&...c4a...A ..I!..9.A..FW........(!.81....#.....bn...i..Rx.....

<<< skipped >>>

GET /pagead/js/lidar.js HTTP/1.1

Accept: */*

Referer: hXXp://ad.doubleclick.net/adi/N7928.354842LINDAIKEJI.BLOGSPOT./B8074030.110392544;sz=728x90;ord=[timestamp]?

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pagead2.googlesyndication.com

Connection: Keep-Alive

HTTP/1.1 200 OK

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Content-Type: text/javascript; charset=UTF-8

ETag: 4130157043356533555

Date: Fri, 30 Jan 2015 10:05:25 GMT

Expires: Fri, 30 Jan 2015 11:05:25 GMT

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 20280

X-XSS-Protection: 1; mode=block

Age: 2870

Cache-Control: public, max-age=3600

Alternate-Protocol: 80:quic,p=0.02

...........}iW....w~..f...16d.../ ..@HBf...j.....L..~......E...7.%.<...~.r(g....~].....]t.l.m..~M...d.z5.&..5.....K!..N......^..G..K........n{..Q.m...~...M..bzDi....Z06.......T...q:j...J.F..T.<.c,....jw8....d.....T..../*.9.B.So..H.B...h6.:....l..v.R..P.5..Z...;LF.-h.4.....Qs(.|../.q:....j?.vf.....0I..a.xkY,..L.........hz......!.Zy......06 nk............&,*k..zo.,.......6.&.%.k....8).".e.,.8.....`......5....d.ySZ>N.....[*v.fe...c{.,......uAmG1...J[..-..LZH...*..../.1,|&&....l.mh/...Z...b2.^=.L.@.........&'.......V..3Y.........(...S]..R..I.......,....%s.d.........T.#...Q_. .B ?..gzs..`(f..tU.....T.m3....98..)...h%.o.......K..f7../..%.Q.Q.81....&fiu8......2L.W1~A..B.. ......t....&(...ai.$...4}.?.......*s.vo..<..n.._...C..t.......PdS.....>.ISK_0o]...@.b.....L...%~..x..;e....*&.a.......Z*{...g.....7..R....F...,X_..u...<w.9..Sx....s.......X,.~..&...<..jm...(#S...A6.~s......_.J.~.....,......V..z~~..9...'*.^p./..-.e(..k,.]..Z...b.......D....q.'.....@......w}....:..._=.4;-.A.........sp3.=..<...........3.Md....k>..7..{.|...._.........pC.....%W..&...I*z@...JY71.Z8..iz4.......Q..$7:..o..2......*.&`..,./.@R.0..`K....4.r'nl.C.4n....#'...I...(.g.l.M....Ri.1...c u........u.... .;hL.y.a.N.h.D!(.........&..W.V...PU.@.K....I..U....`....F4.U...D..#.....|..<...N.......dG.?.....$m......-Sm.F.E.Z-....]@Jy...\@p}a.8...NA...,N3Bj.~...)m...j..A`0_...*w.....1.......G..........x6.v..;..Q./.)..6@..b......t a..u.~.&...#.....$..%7p..l.H].....i..\..=.Ng.0.4..|J<.....bg3!/(..z....!,&.t.mie.t0.J.......L.\...S'-.

<<< skipped >>>

GET /images/premium.png HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yllix.com

Connection: Keep-Alive

Cookie: fc_286387=1

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 Jan 2015 10:53:10 GMT

Content-Type: image/png

Content-Length: 624

Last-Modified: Wed, 06 Feb 2013 02:57:31 GMT

Connection: close

ETag: "5111c69b-270"

Expires: Sat, 30 Jan 2016 10:53:10 GMT

Cache-Control: max-age=31536000

Accept-Ranges: bytes

.PNG........IHDR.............o.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx...Ah.Q..g..5.Khh z..D.B..'E....e.Az.).,..z......^JO.. .....d. ...-b)...AJZ...4.v....zH...ofv....]".3`.\...[.O.~...1_k4$.D......1.. !y..kp.q..u....`.h....H[..r.^.p..v.O*.\.<.h#...Y..`*..O...>].o"......H$p...n.....E.em.@.{G..........F...rY..b.......J."c.?.f........W.~..D=.7.(..-.4)..{y.vw.T"..:Mo7..Ws.....1mn.{.m.......iR"....~..rN.im."...^.-.t...`;..v.d2....T,..%.l...VM...w.iB_..j.z...&.........O.WLC.....v...K....6...8......:M......`.......b~...j...#...X...w.?....-X....!4.L&.TU.T*.w.%.|@.u.x....*L.....=..'...?....bG........J.......IEND.B`...

GET /pixel;r=631760284;a=p-EMbv-yy8jFpSp;fpan=1;fpa=P0-1475998630-1422596435355;ns=1;ce=1;cm=;je=1;sr=1024x768x32;enc=n;dst=1;et=1422596435355;tzo=-120;ref=http://trollface.biz/vote;url=http://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g;ogl= HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pixel.quantserve.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Connection: close

Content-Type: image/gif

Set-Cookie: mc=54cb6296-e5c68-98ed7-9e5f9; expires=Sun, 31-Jul-2016 10:53:10 GMT; path=/; domain=.quantserve.com

P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"

Cache-Control: private, no-cache, no-store, proxy-revalidate

Pragma: no-cache

Expires: Fri, 04 Aug 1978 12:00:00 GMT

Content-Length: 35

Date: Fri, 30 Jan 2015 10:53:10 GMT

Server: QS

GIF89a.......,.................D..;..

GET /nr-476.min.js HTTP/1.1

Accept: */*

Referer: hXXp://adf.ly/1market.php?p=xVZnHcUvikLHCbJuoYbG3ZNh09IyjLo6iAYHWdR0mhLmmIx65IIiiZwliJaHGaFizwaiCII56xImiLImsRIWnYBivocjnIQli1OWiYIuiRL3CcJvwhYmXIR7opbjmIFstJZXSdIi6wISiM91yEdjXNF4kodjSIIusJICnLNxlUYTXNJzjUaDCOI66IICiZIiswIinIBjyFbT3YR2vYY22Y9wsYITjMo4iEaTHZRj0NcTDNo4iQfDSNw1iIZTmOxihVcz2YgkidOzjNAlsJIDmN1jvJYjmIl6sIZCSdIi6wMiCIwxiIbiWO9iiMa2WcxilwXi2I9tzNIjjIo6iITimY8jiJfyQe==

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: js-agent.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: IPGgWlaMkm7vqpwaNMM6LCVEcUway5aIDCMrISBYqdlzi/wlOHX6WHeJ1A1v5L/P

x-amz-request-id: 1FD492465421D709

Cache-Control: public, max-age=315360000

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Last-Modified: Tue, 30 Sep 2014 18:19:08 GMT

ETag: "d131658362c40cedda15546bb81e9644"

Content-Type: application/javascript

Server: AmazonS3

Content-Length: 18146

Accept-Ranges: bytes

Date: Fri, 30 Jan 2015 10:53:04 GMT

Via: 1.1 varnish

Age: 10496935

Connection: keep-alive

X-Served-By: cache-ord1729-ORD

X-Cache: HIT

X-Cache-Hits: 48790

X-Timer: S1422615184.627401590,VS0,VE0

Vary: Accept-Encoding

!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var u="function"==typeof __nr_require&&__nr_require;if(!i&&u)return u(t,!0);if(o)return o(t,!0);throw new Error("Cannot find module '" t "'")}var a=e[t]={exports:{}};n[t][0].call(a.exports,function(e){var o=n[t][1][e];return r(o?o:e)},a,a.exports)}return e[t].exports}for(var o="function"==typeof __nr_require&&__nr_require,i=0;i<t.length;i )r(t[i]);return r}({1:[function(n,e){e.exports=function(n,e){return"addEventListener"in window?addEventListener(n,e,!1):"attachEvent"in window?attachEvent("on" n,e):void 0}},{}],2:[function(n,e){function t(n,e,t,o){l("bstAgg",[n,e,t,o]),m[n]||(m[n]={});var i=m[n][e];return i||(m[n][e]=i={params:t||{}}),i.metrics=r(o,i.metrics),i}function r(n,e){return e||(e={count:0}),e.count =1,c(n,function(n,t){e[n]=o(t,e[n])}),e}function o(n,e){return e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.t*e.t,c:1}),e.c =1,e.t =n,e.sos =n*n,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}function i(n,e){return e?m[n]&&m[n][e]:m[n]}function u(n){for(var e,t={},r="",o=0;o<n.length;o )r=n[o],t[r]=a(m[r]),t[r].length&&(e=!0),delete m[r];return e?t:null}function a(n){return"object"!=typeof n?[]:c(n,function(n,e){return e})}function s(n,e){"undefined"==typeof e&&(e=(new Date).getTime()),p[n]=e}function f(n,e,r){var o=p[e],i=p[r];"undefined"!=typeof o&&"undefined"!=typeof i&&t("measures",n,{value:i-o})}var c=n(1),l=n("handle"),d=n(2),m={},p={};e.exports={store:t,take:u,get:i,mark:s,measure:f},setTimeout(function(){d("bstAgg",function(){})},1e

<<< skipped >>>

GET /images/tags.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "541cd139553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:07 GMT

Content-Length: 2960

.PNG........IHDR.....................pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /upload/t/1056.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:51 GMT

Accept-Ranges: bytes

ETag: "d9ac543f553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:07 GMT

Content-Length: 107151

.PNG........IHDR..............e4... .IDATx...y.\.......V..i_......"@...`.i.=.....g^......z..O...<=~...c{.3...nc3..2f_d..6.Ti.R......r...yo..............7"N.8.qN...x..G%.t.*....*....x.M'...@....}M..e......xJ....L...b.-.\Qg..\n..=..*'.U..AJ..1Z .......X4...$b1=.*.K.......$.)e.......^.*6....^4/.......3..}.8.Q.BQ...^$...!g..dx......D.=.I..=.W.o.FZ..F..D...W>e-M.VZ6.."e&....e.0/.@J....1.?...yk...L<.}?.?.;.. _...6.k.eA..<g.....s.M....|.....&J..........t.|..'...wW.S.hu..f...r...28../?........b..$......[.....1v.....l.0.P.]...@......l......P.,.....d.....;.N......c#.U;.-.p..k3Ai....477gX....!?.|...3.</.RJ.....Ov`sy..2/..nFF.I.T..$5UU8...|...7.a."-.......................".4z..mL.b.)...N..XU.! .Z.....HY.E~s|...hVA...LW..."....E..R#...o`I]y:.L...`..t!.J*.,....X....,..B....A..ZN..,..`....u........).ir.?...9}MK.U!B.EcY.S....gBd..Y..i...S.....P......c\...1."...)2...f..h.....<K. rM[:^.......Q.......-..\..j....ch|N.?....J..[..N.P_....800.....B......6...z.0.H......r".$....$.!....jZD..ahhi.S...........P..BI<>g.@14X]9.%*d....#E..........$. m.......uy......O..s.......o..!...#.5.3.?........F.6.Ct.`D...3.r.ih...o...z.o.#V....:N....*................3..I..Z....n.L.Dimke....SI}....n..M.X........p......z.3a|>O..Sqf.I.|n.I.23....N7.l..Ef.. p.]...y..XU...d.e5.4o.(r.... ..P...t.O.vi.-.......P..=.b........AJV...Q....XVe...5.....).g$...s...V...&b4...1...OW........u.7fTl.f&..^...`..z:..i...,.."k.3e..&.c8...9.d..{b.u.....h&..lF..7z..e.".`Bf..1y...z.1.E..f.y.$R.L.*P..m....\[.....V9.*....IDB.b1...Q..}...X g.4.V".R ......

<<< skipped >>>

GET /upload/t/1055.jpg HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Wed, 28 Jan 2015 23:50:51 GMT

Accept-Ranges: bytes

ETag: "e04a523f553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:08 GMT

Content-Length: 137138

......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 100....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?............ ..=G...<..I..A....t.....^..<r1....q.&..:~]...G.Q.....01...s. ......9. t.$.x.=...n..r)p6....w..0p0.O......{..8.8..~{d.....8.$.dz....g9...O......A..&....c....8.......<.9...OOb..@E........~...q.3Y....jo.X].........r.5.N1.. ..\r..8...v...uE89..pN:..Q..:.c..py.^...S.e..~)..|"..h.:|.3>.,...$...I......w.,....yE...7;Wi~.....3.u.O..$.7..Z.Z....Ux..xq.|.m.@'.pW.. ....'.....m.....k.B...U.....3.2I.N..#Z.i.5....X....t.t.........Wi'xtmo'. o....W. \.i.[[....X.$Y$..f..T.8... .....~.i.x[......g...J...f@8#.b.8.g.........Ok..>.KnX.*..F,U.. .`g.........'.E...[......dvx......G .z.....i.U0sII......K}._Rd.....'}n....c...5..ss".3.;>6..P...8=.....4.e.._.A.[...M..E.;.Y)!0.x..r.............>5xf..{G...c.S.]....;d..{...|....z....k[F....j..,NxQ...q...u`.QU. ..i.........(.T[.4.iZ[.....WZ...M...p..<-i-.....@....*r.....A.........u_..

<<< skipped >>>

GET /images/logo.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "e3e1b639553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:08 GMT

Content-Length: 8673

.PNG........IHDR.......P......%....!.IDATx..].x.........B.P..@..b.!...BHBW..&E,.........R..'..D..D..%`.T@).`A...NbA....9....w....&...;..N.s....sCB....?$......{BB.:..[....LI.....j...Z..........LN.d\N?.......i...I.m..K..\]../..u...k....VW.n7.Lt~N............y.....;......@.=....r.>...u...Y.F...k....urj...^.V.......\.q..5..T..4-44&..9.....6..Q.N.;.5.f.5.D>.........}..G:..G...<..S...]....^s&;.1-.:ujr"3.....h.D:.....;....E..6|......M..._gg.=..c..v........C.Pz...i..~.>...q...Y..v...(/..Ku].%..(7..h.. ...)......={..B..........F..p....{...].'n.K%...pa...../m....%*...>.:.v.......99...UR..W_.$...#.....I.:.~.....u........k.[.V...o0^.w.....}....B.C........1.U...}*(.....q;.G%.k.!.\...w..8..!#.@T...$ ..N..%.....G.h.._...,B.k.=..mw..V.....{k.k..m..]..g.\Zw..S..g..N...\..m..C......JHW!UD.P.F...^<q.F.....F...^.*..A....=.#rS.l.B......}.d..^W... .H...=.z.....}......@'................$lws...m]...E.....@....4...(}.....jHU...`.`.B.W..sA.k...g......Iz,.&a[..F.,..P..p...s.sf...v~p..j.....@.....e.\....R...U.=...E@..i.#.......'.q....!.D.E.[1....X\.......E..."..x1X}.m..ruM. ...W......Aj...f .....}..=.h.X.....h.0...<..!E.`.U9b....................qs.F&.*V...../...F.<Ki...#3..q......H.*.k...U....I4.....E...*. .3.....{..W..F;...H].:!. %".....E%Y3..zG...L..;...r...../:..1H...!.F....b..r...?0`...........KK...=~..H..}..#...rAA6..3. ..6...^...Fm(M#..D'uDk ...\c...0.. .-...2.9.,'....?L....@......zI.-. tRG.,..\P.. .......]...!.x=..R. .n(.0(.../@.''4.^.....y.f... ..T.".....u-..9..7..Nt.. ..e.tYpa.n...0..Q.b...S..a..'.:%......

<<< skipped >>>

GET /images/upload_icon.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "eaa5da39553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:08 GMT

Content-Length: 3603

.PNG........IHDR................&....pHYs..........d_....OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /images/buttons-white.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:41 GMT

Accept-Ranges: bytes

ETag: "32809539553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:08 GMT

Content-Length: 3475

.PNG........IHDR.......w.......A.....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................LV.....tRNS......`.@.. 0.............p..6...8.M.....L.....P....*....,....b.Z.d..........~.).....................^e.1!.J.f..F.B..]....4....C>.K.3suwR........y."..5?.A...Wr9..$_ .2..T...i./.....[.zvE.NYGl.<.m..|=...j...Xx.:...{.'cnS7#-;..(&q.V.}.khH.OgQ.to.u0_...sIDATx^...S.....yfz...$....'@P....B..q....m6.QwYVVV......}...=.O....wk..w.nU........3.T...~...h.O..z.s..,.."....AI..xcO.%..*..X..Y<........M..@.$...0Z.....PP(..X../A.$.P..J._..F.........M.~l.a.........<TODBvM.....,. ....m;1j.*.R..."j....\....1(...YX.e....$.Cl.R..(B.e(.......N..f7.ri..[5J.|....}9.%..7.\h.(.v.X....DR.NwC.4.4!......op...eFD......D...H .F.(....X.J....>.8.O.,..C.{......R'.N.....!a.49.K.IBW.WP.PS....*!a..rB.z.Z$O.....n..g.#..~.....=....7..'"!..q..{...kM.$..Wt}....gj.U...

<<< skipped >>>

GET /images/loved.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:42 GMT

Accept-Ranges: bytes

ETag: "3d44b939553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Length: 3128

.PNG........IHDR................a....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /images/google.png HTTP/1.1

Accept: */*

Referer: hXXp://trollface.biz/vote

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trollface.biz

Connection: Keep-Alive

Cookie: PHPSESSID=a4to7ljqbg40qd3f1vuu9iu8j0

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Wed, 28 Jan 2015 23:50:41 GMT

Accept-Ranges: bytes

ETag: "a9cea339553bd01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

X-Powered-By-Plesk: PleskWin

Date: Fri, 30 Jan 2015 10:53:09 GMT

Content-Length: 2111

.PNG........IHDR... ... .....szz.....IDATx...k.]E....Yk......iO/......B.. V!..Pk$."V....."..1j41.%..%.......@..!.".K.P..@....s.>....^k.......E.b..J.L.f.z.y.......G...?^y...zJ..`..5.....O...........6.....Z...Wv.......9....u......K.....0@i..-.8.O2|..Z.D........90|..........l..s..7.t.N......Ai.J.F{A..........iF.....X..u.v..n...:~?...5}.[U.......#..u-0k...*.E.V..a..8.w../>-......r....7.......@.J....G..x...m....6....Af.......`..MP.[.......<...tu.ZW...x..8A...v.5.)%...d.I..[..XOj=KTp.I.l...w. ......Y{.=K.7....."..>..m.$E.&....A...A..K...#....1.Ux.....Cbk.H`..K...v.E3v.....F.M....d.R..... O'.7..$.\.)LB.@.Eu9T.C.xt........:..?.?..Y...w...~..:...^.q.M....0.....R..."w.:..WP....;.~y.d.....E..m@kAiA......Lr..W..|r..~....]xIyy..&........;c\.1.$.._.*..~....<.z...R^:..m8..]..%_.\.DeO..!*Z.bFTp.yK.9.".iC^...l.&.1..7.n...#\.........B.R.!6...|F....}j..{*X'(<.z.q....l.oY..Bf....W0.A.AM)(..aF7.........^....r... ...\`....$#.B.....W..._..d.%nZ.FF.Z...C....$..o.t..m.ck_...Z3..&..L`.(u.0...Y..k....,.....v..D.SG......f ...9.....Y=.._@....^M.Rs... .z/.BZd...`...V.p.."F....Mz.......]...N....z.P......5d...q...J..p.wJ..v. .v.[f...Q.R.,.T0Jc.B..........d..'...H..L.......*.r..).i...r.b..'.00(.....EH...i....m.:~../.......\b....<..l...r.|y...yF......i.8m.H..I...`|...Y%N.~.i.....p.*j5u.9.O....K...o.e\9Z0E3k....\~V?s....q..I..F=.Q.U..?.....O..........Q..xg.T..$el......R4.oy.g...[c....foc.}..K....x....F*..q....78.o^.....)5..R.iC.(........ks.#...8..m.~...M./.?Z,..E.Rj..B......b.<..kW...eTj.c..R@....#?g...S.p.......l..(....m

<<< skipped >>>

GET /pixel?id=2085077&t=2&piggyback=http://ads.yahoo.com/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1 HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Fri, 30 Jan 2015 10:53:12 GMT

Server: ATS

X-RightMedia-Hostname: raptor0965.rm.ne1.yahoo.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Set-Cookie: B=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT

Set-Cookie: B=db2h2placmoko&b=3&s=mf; path=/; expires=Mon, 30-Jan-2017 10:53:12 GMT; domain=.yahoo.com

Location: hXXp://ads.yahoo.com/cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Vary: *

Last-Modified: Fri, 30 Jan 2015 10:53:12 GMT

Expires: Fri, 30 Jan 2015 10:53:12 GMT

Pragma: no-cache

Content-Length: 0

Age: 0

Connection: keep-alive

....

GET /cms/v1?esig=1~553f012f6017f84fb8f957add36d12baf65ffaee&nwid=10000710111&sigv=1 HTTP/1.1

Accept: */*

Referer: hXXp://yllix.com/banner_show.php?section=General&pub=586654&format=300x250&ga=g

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ads.yahoo.com

Connection: Keep-Alive

Cookie: B=db2h2placmoko&b=3&s=mf

HTTP/1.1 302 Found

Date: Fri, 30 Jan 2015 10:53:12 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Location: hXXp://um.simpli.fi/y_match?xid=OpUesktx0bnS1._7RUN1UBwx

Cache-Control: private

Content-Length: 0

Content-Type: text/plain; charset=utf-8

Age: 0

Connection: keep-alive

Server: ATS

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_332:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

t(j.Xj\f

t(j.Xj\f

SSShp

SSShp

^SShq

^SShq

9.vpSW

9.vpSW

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

COMCTL32.dll

COMCTL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetCPInfo

GetCPInfo

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

COMDLG32.dll

COMDLG32.dll

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

ADVAPI32.dll

ADVAPI32.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

GetConsoleOutputCP

GetConsoleOutputCP

WINRAR.SFX

WINRAR.SFX

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

:(,4;;?@

:(,4;;?@

3,45657879

3,45657879

8888888888887

8888888888887

version="1.0.0.0"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

Maximum allowed array size (%u) is exceeded

Maximum allowed array size (%u) is exceeded

rtmp%d

rtmp%d

Crypt32.dll

Crypt32.dll

GETPASSWORD1

GETPASSWORD1

sfxcmd

sfxcmd

%s %s

%s %s

%s %s %s

%s %s %s

%s%s%d

%s%s%d

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

%s.%d.tmp

%s.%d.tmp

winrarsfxmappingfile.tmp

winrarsfxmappingfile.tmp

-el -s2 "-d%s" "-p%s" "-sp%s"

-el -s2 "-d%s" "-p%s" "-sp%s"

__tmp_rar_sfx_access_check_%u

__tmp_rar_sfx_access_check_%u

WaitForMultipleObjects error %d, GetLastError %d

WaitForMultipleObjects error %d, GetLastError %d

Shell.Explorer

Shell.Explorer

riched20.dll

riched20.dll

riched32.dll

riched32.dll

KERNEL32.DLL

KERNEL32.DLL

mscoree.dll

mscoree.dll

Extracting files to %s folder

Extracting files to %s folder

Extracting from %s

Extracting from %s

Extracting %s

Extracting %s

C:\PRo

C:\PRo

Enter password

Enter password

&Enter password for the encrypted file:

&Enter password for the encrypted file:

Skipping %s

Skipping %s

The file "%s" header is corrupt

The file "%s" header is corrupt

Unknown method in %s

Unknown method in %s

Cannot open %s

Cannot open %s

Cannot create %s

Cannot create %s

Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password.

Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password.

Checksum error in %s Packed data checksum error in %s

Checksum error in %s Packed data checksum error in %s

5Write error in the file %s. Probably the disk is full

5Write error in the file %s. Probably the disk is full

Read error in the file %s

Read error in the file %s

ErroraErrors encountered while performing the operation

ErroraErrors encountered while performing the operation

Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

Extracting files to %s folder$Extracting files to temporary folder

Extracting files to %s folder$Extracting files to temporary folder

=Total path and file name length must not exceed %d characters

=Total path and file name length must not exceed %d characters

Unknown encryption method in %s$The specified password is incorrect.

Unknown encryption method in %s$The specified password is incorrect.

Cannot copy %s to %s.

Cannot copy %s to %s.

Cannot create symbolic link %s

Cannot create symbolic link %s

Cannot create hard link %s

Cannot create hard link %s

9.9.exe_504:

.text

.text

`.data

`.data

.rsrc

.rsrc

SHDocVwCtl.WebBrowser

SHDocVwCtl.WebBrowser

Facebook: wWw.Facebook.com/fappro

Facebook: wWw.Facebook.com/fappro

ieframe.dll

ieframe.dll

WebBrowser

WebBrowser

C:\Users\JAMEMO~1\AppData\Local\Temp\RarSFX6\AutoPlay\Docs\Portable.VB6\VB6.OLB

C:\Users\JAMEMO~1\AppData\Local\Temp\RarSFX6\AutoPlay\Docs\Portable.VB6\VB6.OLB

#C:\Windows\System32\ieframe.oca

#C:\Windows\System32\ieframe.oca

ShellExecuteA

ShellExecuteA

user32.dll

user32.dll

shell32.dll

shell32.dll

kernel32.dll

kernel32.dll

PSAPI.DLL

PSAPI.DLL

ntdll.dll

ntdll.dll

VBA6.DLL

VBA6.DLL

sKey

sKey

.yGma

.yGma

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

operator

operator

C:\PRo\9.9.exe

C:\PRo\9.9.exe

OMUdP

OMUdP

D$(.cD

D$(.cD

lG;crT*

lG;crT*

0%DUt[

0%DUt[

T$ `h.RXz

T$ `h.RXz

8u%s\

8u%s\

#.vv/

#.vv/

a-zE}`

a-zE}`

aV%c

aV%c

.BY!_4

.BY!_4

.yT;[

.yT;[

EJ.vyW

EJ.vyW

%sF@t

%sF@t

>]%cV

>]%cV

4.mQz

4.mQz

D ~[-b}

D ~[-b}

.NcKT

.NcKT

2%S~jG

2%S~jG

;x.zi

;x.zi

0 0

0 0

USER32.dll

USER32.dll

#c9%s

#c9%s

xw%x\R^4f

xw%x\R^4f

cKERNEL32.dll

cKERNEL32.dll

[]%xP

[]%xP

R!eC%c

R!eC%c

.RU:K

.RU:K

\,%6U%|

\,%6U%|

vX2.qo

vX2.qo

@35./\~?

@35./\~?

HZ.Qr

HZ.Qr

eX.kC)gI

eX.kC)gI

9qe.UG

9qe.UG

)%F~9

)%F~9

>KND%SZ

>KND%SZ

bk.zw

bk.zw

3!G*.TZH

3!G*.TZH

_Q3

_Q3

.Iyr@

.Iyr@

O:\1J

O:\1J

t%C(Qv

t%C(Qv

[%1UR

[%1UR

.Yl)jK

.Yl)jK

%Fy`w

%Fy`w

y%X6z#

y%X6z#

GZ.LG(J

GZ.LG(J

.xh-|

.xh-|

>r%cT9

>r%cT9

.nnoB

.nnoB

O.bk &

O.bk &

0w.afX

0w.afX

{w%C'^

{w%C'^

o92Ihü.

o92Ihü.

.xR\ix

.xR\ix

Hk%Dp Nx

Hk%Dp Nx

9.JX=

9.JX=

P:3%Se

P:3%Se

.mqbh7

.mqbh7

M"%U9

M"%U9

!{%DP

!{%DP

,r.SQ

,r.SQ

~%cUH

~%cUH

.lL.f

.lL.f

##o9tj

##o9tj

).Qu2

).Qu2

H}.RrD

H}.RrD

MSVBVM60.DLL

MSVBVM60.DLL

Lp.GV

Lp.GV

hXXp:///

hXXp:///

*\AE:\srouce\modznc\Project1.vbp

*\AE:\srouce\modznc\Project1.vbp

C:\aim1

C:\aim1

C:\aim2.dat

C:\aim2.dat

\system32\Drivers\etc\hosts.ics

\system32\Drivers\etc\hosts.ics

crossfire.dat

crossfire.dat

HGWC.exe

HGWC.exe

iexplore.exe

iexplore.exe

adf.ly

adf.ly

\Desktop\Google Chrome.htm

\Desktop\Google Chrome.htm

\Desktop\Google Chrome.html

\Desktop\Google Chrome.html

\Desktop\Google Chrome.Lnk

\Desktop\Google Chrome.Lnk

\Desktop\Mozilla Firefox.htm

\Desktop\Mozilla Firefox.htm

\Desktop\Mozilla Firefox.html

\Desktop\Mozilla Firefox.html

\Desktop\Mozilla Firefox.Lnk

\Desktop\Mozilla Firefox.Lnk

WScript.Shell

WScript.Shell

hXXp://trollface.biz

hXXp://trollface.biz

hXXp://wm.sumohit.com/cf.html

hXXp://wm.sumohit.com/cf.html

LocationURL

LocationURL

InternetExplorer.Application

InternetExplorer.Application

\ddraw.dll

\ddraw.dll

0123456789

0123456789

\FapCF.dll

\FapCF.dll

Windows Internet Explorer

Windows Internet Explorer

Web Browser

Web Browser

iexplore.exe - Application Error

iexplore.exe - Application Error

crossfire.exe

crossfire.exe

\CShell.dll

\CShell.dll

hXXp://6b188f15.linkbucks.com

hXXp://6b188f15.linkbucks.com

hXXp://e96c08fe.linkbucks.com

hXXp://e96c08fe.linkbucks.com

hXXp://197290c7.linkbucks.com

hXXp://197290c7.linkbucks.com

hXXp://863ffe29.linkbucks.com

hXXp://863ffe29.linkbucks.com

hXXp://adf.ly/Wo4hu

hXXp://adf.ly/Wo4hu

hXXp://adf.ly/Wo4pL

hXXp://adf.ly/Wo4pL

hXXp://adf.ly/XX1H9

hXXp://adf.ly/XX1H9

hXXp://adf.ly/XX1JN

hXXp://adf.ly/XX1JN

hXXp://adf.ly/XX1FB

hXXp://adf.ly/XX1FB

hXXp://adf.ly/ruqY2

hXXp://adf.ly/ruqY2

hhXXp://adf.ly/ruqY2

hhXXp://adf.ly/ruqY2

hXXp://adf.ly/ruqZ7

hXXp://adf.ly/ruqZ7

hXXp://adf.ly/ruqdu

hXXp://adf.ly/ruqdu

hXXp://adf.ly/ruqbS

hXXp://adf.ly/ruqbS

@*\AE:\srouce\modznc\Project1.vbp

@*\AE:\srouce\modznc\Project1.vbp

KERNEL32.DLL

KERNEL32.DLL

mscoree.dll

mscoree.dll

Error at initialization of bundled DLL: %s

Error at initialization of bundled DLL: %s

Error at hooking API "%S"

Error at hooking API "%S"

Dumping first %d bytes:

Dumping first %d bytes:

9.5.exe

9.5.exe

9.9.exe_504_rwx_0040D000_00085000:

.yGma

.yGma

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

operator

operator

C:\PRo\9.9.exe

C:\PRo\9.9.exe

OMUdP

OMUdP

D$(.cD

D$(.cD

lG;crT*

lG;crT*

0%DUt[

0%DUt[

T$ `h.RXz

T$ `h.RXz

8u%s\

8u%s\

#.vv/

#.vv/

a-zE}`

a-zE}`

aV%c

aV%c

.BY!_4

.BY!_4

.yT;[

.yT;[

EJ.vyW

EJ.vyW

%sF@t

%sF@t

>]%cV

>]%cV

4.mQz

4.mQz

D ~[-b}

D ~[-b}

.NcKT

.NcKT

2%S~jG

2%S~jG

;x.zi

;x.zi

0 0

0 0

KERNEL32.DLL

KERNEL32.DLL

mscoree.dll

mscoree.dll

Error at initialization of bundled DLL: %s

Error at initialization of bundled DLL: %s

Error at hooking API "%S"

Error at hooking API "%S"

Dumping first %d bytes:

Dumping first %d bytes:

iexplore.exe_828:

%?9-*09,*19}*09

%?9-*09,*19}*09

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

SHDOCVW.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

IE-X-X

rsabase.dll

rsabase.dll

System\CurrentControlSet\Control\Windows

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

dw15 -x -s %u

watson.microsoft.com

watson.microsoft.com

IEWatsonURL

IEWatsonURL

%s -h %u

%s -h %u

iedw.exe

iedw.exe

Iexplore.XPExceptionFilter

Iexplore.XPExceptionFilter

jscript.DLL

jscript.DLL

mshtml.dll

mshtml.dll

mlang.dll

mlang.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

shdocvw.DLL

shdocvw.DLL

browseui.DLL

browseui.DLL

comctl32.DLL

comctl32.DLL

IEXPLORE.EXE

IEXPLORE.EXE

iexplore.pdb

iexplore.pdb

ADVAPI32.dll

ADVAPI32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

IExplorer.EXE

IExplorer.EXE

IIIIIB(II<.fg>

IIIIIB(II<.fg>

7?_____ZZSSH%

7?_____ZZSSH%

)z.UUUUUUUU

)z.UUUUUUUU

,....Qym

,....Qym

````2```

````2```

{.QLQIIIKGKGKGKGKGKG

{.QLQIIIKGKGKGKGKGKG

;33;33;0

;33;33;0

8888880

8888880

8887080

8887080

browseui.dll

browseui.dll

shdocvw.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512