Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

whitepages.com is dangerous! Use extreme caution if visiting the site

August 22nd 2007 in Uncategorized

This is a serious issue. www.whitepages.com must have a massive clientele, and the thought of the number of people that are potentially at risk because of the malicious infiltration of the advertising network(s) is downright frightening.


This problem has got to be fixed, and it has got to be fixed SOON!!  Every minute, every hour, every day, that the advertisements are allowed to remain places who knows how many thousands, or hundreds of thousands, of visitors to the web site at risk of being frightened unnecessarily and ripped off by the fraudware that is the winfixer stable of products.


Ok, so I go to www.whitepages.com, and within seconds I see this:


image


With this hidden in the corner:


image


I click cancel on the primary window, and I am immediately redirected to:


image


So, let’s look at the captured Fiddler data, edited to remove certain geographical and identifying information – URLs are munged by replacing http with hXXP, adding spaces and various other trickery – to many of you it will be useless information, but it will have meaning for those who need it.  I’ve shown more than I need to, but it makes it very obvious that whitepages.com is the source of the outbreak.  I hope my readers will forgive my editing the data as I did, but those behind winfixer are known for using various trickery to avoid detection – time zone filtering, IP filtering, geographical checks and balances, cookies, caching and various other bits and pieces, so I try to be careful when posting such information to make it more difficult than it need be for those behind the malware to track down where the computer that is capturing this data is located…
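
Added example, not part of the original post: one way to read a capture like the one below is to walk it backwards from the landing host, following `Location` headers first and `Referer` headers otherwise, and to list the off-site hosts that were called with the publisher-hosted `.swf` as Referer. The sample sessions are condensed from this capture and kept in their munged form; the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEP = "\u2014" * 22  # the separator line used between sessions in the post

# Constructed sample: four sessions condensed from the capture in this post
# (query strings shortened), left in the post's munged hXXp form.
SWF = "/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf"
SWF_REFERER = ("Referer: hXXp://oasads.whitepages.com" + SWF +
               "?clickTAG=hXXp://oasads.whitepages.com/RealM\n")
CAPTURE = f"\n{SEP}\n".join([
    f"GET {SWF}?clickTAG=[shortened] hXXp/1.1\n"
    "Referer: hXXp:// www.whitepages.com/\nx-flash-version: 9,0,28,0\n"
    "Host: oasads.whitepages.com\n\nhXXp/1.1 200 OK\n",
    "GET /stats.php?campaign=i5nitp9y&u=1187784377127 hXXp/1.1\n" + SWF_REFERER +
    "x-flash-version: 9,0,28,0\nHost: mysurvey4u.com\n\nhXXp/1.1 200 OK\n",
    # No blank line before the response, as in several sessions of the capture.
    "GET /pages/scanner/index.php?aid=i5nitp9y&lid=s23 hXXp/1.1\n" + SWF_REFERER +
    "Host: www.errorsafe.com\nhXXp/1.1 302 Found\n"
    "Location: hXXp://adfarm.mediaplex.com/ad/ck/53023/?aid=i5nitp9y&lid=s23\n",
    "GET /ad/ck/53023/?aid=i5nitp9y&lid=s23 hXXp/1.1\n" + SWF_REFERER +
    "Host: adfarm.mediaplex.com\n\nhXXp/1.1 302 Moved Temporarily\n"
    "Location: hXXp:// www.drivecleaner.com/.freeware/?p=43\n",
])

SEPARATOR = re.compile(r"^[\u2014\-]{10,}[ \t]*$", re.M)
REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD) (.+) h(?:tt|XX)p/1\.[01]$", re.I)
STATUS_LINE = re.compile(r"^h(?:tt|XX)p/1\.[01] (\d{3})", re.I)
# Accepts both real and munged schemes, and the space the post adds after "//".
MUNGED_URL = re.compile(r"^h(?:tt|XX)ps?://\s*([^/\s]+)(/[^?\s]*)?", re.I)


@dataclass
class Session:
    host: str = ""
    path: str = ""
    referer_host: Optional[str] = None
    referer_path: Optional[str] = None
    status: Optional[int] = None
    location_host: Optional[str] = None
    via_flash: bool = False  # request carried an x-flash-version header


def split_url(value: str) -> Tuple[Optional[str], Optional[str]]:
    m = MUNGED_URL.match(value.strip())
    return (m.group(1).lower(), m.group(2) or "/") if m else (None, None)


def parse_capture(text: str) -> List[Session]:
    """Split on separator lines; find the status line by pattern, not by blank line."""
    sessions = []
    for block in SEPARATOR.split(text):
        s = Session()
        for line in (l.strip() for l in block.splitlines()):
            if m := STATUS_LINE.match(line):
                s.status = int(m.group(1))
            elif m := REQUEST_LINE.match(line):
                s.path = m.group(1).split("?")[0]
            else:
                name, _, value = line.partition(":")
                name = name.strip().lower()
                if name == "host":
                    s.host = value.strip().lower()
                elif name == "referer":
                    s.referer_host, s.referer_path = split_url(value)
                elif name == "location":
                    s.location_host, _ = split_url(value)
                elif name == "x-flash-version":
                    s.via_flash = True
        if s.host:
            sessions.append(s)
    return sessions


def trace_back(sessions: List[Session], landing_host: str) -> List[Tuple[str, str, str]]:
    """Return (from_host, to_host, evidence) hops, ordered origin -> landing host."""
    hops, host, path, seen = [], landing_host, None, set()
    while (host, path) not in seen:
        seen.add((host, path))
        # A response that named this host in Location is the strongest evidence.
        redirector = next((s for s in sessions if s.location_host == host), None)
        if redirector:
            hops.append((redirector.host, host, f"{redirector.status} Location"))
            host, path = redirector.host, redirector.path
            continue
        own = next((s for s in sessions if s.host == host and s.referer_host
                    and (path is None or s.path == path)), None)
        if own is None or own.referer_host == host:
            break
        how = "Referer (Flash request)" if own.via_flash else "Referer"
        hops.append((own.referer_host, host, how))
        host, path = own.referer_host, own.referer_path
    return hops[::-1]


def creative_callouts(sessions: List[Session], first_party: str) -> List[str]:
    """Hosts outside first_party requested with a first_party-hosted .swf as Referer."""
    def inside(h: str) -> bool:
        return h == first_party or h.endswith("." + first_party)
    return sorted({s.host for s in sessions
                   if s.referer_host and inside(s.referer_host)
                   and (s.referer_path or "").endswith(".swf") and not inside(s.host)})


if __name__ == "__main__":
    parsed = parse_capture(CAPTURE)
    for src, dst, how in trace_back(parsed, "www.drivecleaner.com"):
        print(f"{src} -> {dst}  [{how}]")
    print("off-site calls from the hosted creative:", creative_callouts(parsed, "whitepages.com"))
```
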


GET /static/whitepages/forms/required_star.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 45
Date: Wed, 22 Aug 2007 12:00:35 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/TFSMFlashWrapper201.js hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: oasads.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1934
Date: Wed, 22 Aug 2007 12:06:14 GMT
Content-Type: application/x-javascript
ETag: “***”
Server: Apache/1.3.28 (Unix) mod_oas/5.6 mod_cap/1.0
P3P: policyref=”hXXp:// www.whitepages.com/w3c/p3p.xml”, CP=”NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT”
Last-Modified: Fri, 10 Aug 2007 18:33:04 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding

——————————————————————
GET /ad/N1727.whitepages.com/B2102851.5;sz=1×1;ord=2001254179?” hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: en-US
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=***

hXXp/1.1 302 Moved Temporarily
Via: 1.0 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 0
Date: Wed, 22 Aug 2007 12:06:14 GMT
Location: hXXp://m1.2mdn.net/viewad/617966/84-1×1.gif
Cache-Control: no-cache
Pragma: no-cache

——————————————————————
GET /viewad/617966/84-1×1.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: m1.2mdn.net


hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 49
Date: Wed, 22 Aug 2007 12:06:14 GMT
Content-Type: image/gif
Server: DCLK Creative
Last-Modified: Mon, 04 Dec 2006 18:45:33 GMT

——————————————————————
GET /RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/766953505/x70/GetFreeCar_HalfBann_Aug07/Oxfam_430x200_html.txt/33616131643338613436636332366130?hXXp://oxfam.com/?ito=2449 hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: oasads.whitepages.com
Proxy-Connection: Keep-Alive
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 27176
Date: Wed, 22 Aug 2007 12:06:15 GMT
Content-Type: application/x-shockwave-flash
ETag: “***”
Server: Apache/1.3.28 (Unix) mod_oas/5.6 mod_cap/1.0
P3P: policyref=”hXXp:// www.whitepages.com/w3c/p3p.xml”, CP=”NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT”
Last-Modified: Fri, 10 Aug 2007 18:33:04 GMT
Accept-Ranges: bytes

——————————————————————
GET /M0N/iview/whtpgspr0670000053m0n/direct;wi.300;hi.250/01/&234254492?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/234254492/Medium_Rect/SprintB2B_MedR_Home_Aug07/SprintB2B_MedR_HOME_Jul07.txt/33616131643338613436636332366130? hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: view.atdmt.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 6443
Expires: 0
Date: Wed, 22 Aug 2007 12:06:15 GMT
Content-Type: text/html
Cache-Control: no-store

——————————————————————
GET /static/whitepages/images/rebrand/wp_footer_top_gradient_us.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 267
Date: Wed, 22 Aug 2007 12:00:36 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /APM/iview/whtpgdrv0010000709apm/direct;wi.728;hi.90/01/&822908219?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/822908219/x62/DrivePM_BottomBanner_Aug07/DrivePM_BottomBanner_Jan07.txt/33616131643338613436636332366130? hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: view.atdmt.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 2455
Expires: 0
Date: Wed, 22 Aug 2007 12:06:15 GMT
Content-Type: text/html
Cache-Control: no-store

——————————————————————
GET /static/common/finalmark.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 765
Date: Wed, 22 Aug 2007 12:00:36 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /static/common/BBBOnline-logo.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1348
Date: Wed, 22 Aug 2007 12:00:36 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /static/whitepages/images/centers/centers_navad_job.jpg hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 7958
Date: Wed, 22 Aug 2007 12:00:36 GMT
Content-Type: image/jpeg
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /static/whitepages/forms/wp/balloon/top.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 1260
Date: Wed, 22 Aug 2007 12:00:37 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /static/whitepages/forms/tab_bg_a.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 93
Date: Wed, 22 Aug 2007 12:00:37 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=4

——————————————————————
GET /static/whitepages/forms/tab_bg_o.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 149
Date: Wed, 22 Aug 2007 12:00:37 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=4

——————————————————————
GET /static/whitepages/forms/tab_bg_basic_a.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 183
Date: Wed, 22 Aug 2007 12:00:37 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=4

——————————————————————
GET /static/whitepages/forms/tab_bg_advanced_o.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 265
Date: Wed, 22 Aug 2007 12:00:37 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=5

——————————————————————
GET /RealMedia/ads/adstream.cap/1530668087?c=profilesurveycookie&dv=1&e=1d&s=1 hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: oasads.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 19
Date: Wed, 22 Aug 2007 12:06:16 GMT
Content-Type: application/x-javascript
Server: Apache/1.3.28 (Unix) mod_oas/5.6 mod_cap/1.0
P3P: policyref=”hXXp:// www.whitepages.com/w3c/p3p.xml”, CP=”NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT”
Set-Cookie: profilesurveycookie=1; domain=.whitepages.com; expires=Thu, 23-Aug-07 12:06:16 GMT path=/
Vary: Accept-Encoding

——————————————————————
GET /static/whitepages/forms/wp/balloon/close.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 139
Date: Wed, 22 Aug 2007 12:00:37 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/2.0.55 (Unix)
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=3

——————————————————————
GET /adi/N2524.N2524.Drive_Performanc/B2367440.3;sz=728×90;ord=106436938?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/822908219/x62/DrivePM_BottomBanner_Aug07/DrivePM_BottomBanner_Jan07.txt/33616131643338613436636332366130?hXXp://clk.atdmt.com/goiframe/24212350.24845398.28121735/whtpgdrv0010000709apm/direct/01?href= hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: hXXp://view.atdmt.com/APM/iview/whtpgdrv0010000709apm/direct;wi.728;hi.90/01/&822908219?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/822908219/x62/DrivePM_BottomBanner_Aug07/DrivePM_BottomBanner_Jan07.txt/33616131643338613436636332366130?
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=***

hXXp/1.1 200 OK
Via: 1.0 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 3900
Expires: Wed, 22 Aug 2007 12:06:17 GMT
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: text/html
Server: DCLK-AdSvr
Cache-Control: no-cache
Pragma: no-cache

——————————————————————
GET /tl/DocumentDotWrite.js hXXp/1.1
Accept: */*
Referer: hXXp://view.atdmt.com/M0N/iview/whtpgspr0670000053m0n/direct;wi.300;hi.250/01/&234254492?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/234254492/Medium_Rect/SprintB2B_MedR_Home_Aug07/SprintB2B_MedR_HOME_Jul07.txt/33616131643338613436636332366130?
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: rmd.atdmt.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 50
Expires: Sun, 26 Aug 2007 09:00:35 GMT
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: application/x-javascript
Allow: GET

——————————————————————
GET /RealMedia/ads/Creatives/default/empty.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: oasads.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 43
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/1.3.28 (Unix) mod_oas/5.6 mod_cap/1.0
P3P: policyref=”hXXp:// www.whitepages.com/w3c/p3p.xml”, CP=”NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT”
Last-Modified: Sat, 19 Jun 2004 22:29:27 GMT
Accept-Ranges: bytes

——————————————————————
GET /clear/14955338970.gif hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.whitepages.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 43
Date: Wed, 22 Aug 2007 12:00:38 GMT
Content-Type: image/gif
ETag: “***”
Server: Apache/1.3.37 (Unix) mod_perl/1.30
Last-Modified: Thu, 16 Aug 2007 22:59:54 GMT
Accept-Ranges: bytes
X-Pad: avoid browser bug
Vary: Accept-Encoding

——————————————————————
GET /A06546/a3/0/3/1200/1/0/1148D77428F/0/0/00000000/698810426.gif?D=DM%5FLOC%3DhXXp%3A%2F%2Fwww%252Ewhitepages%252Ecom%2F%26DM%5FREF%3D%26DM%5FTIT%3DWhite%20Pages%20Phone%20Directory%20with%20Free%20People%20Search%26DM%5FEOM%3D1 hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: pix01.revsci.net

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 35
Date: Wed, 22 Aug 2007 12:06:24 GMT
Content-Type: image/gif
Server: RSI
P3P: CP=”NON PSAo PSDo OTPo OUR IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA”
Set-Cookie: N***; path=/; expires=Tue, 17 Aug 2027 12:06:24 GMT; domain=revsci.net
Set-Cookie: ***; path=/; expires=Tue, 17 Aug 2027 12:06:24 GMT; domain=revsci.net
Cache-Control: no-cache
Pragma: no-cache

——————————————————————
GET /b/ss/whitepagesprod/1/H.9-Pdvu-2/s06459940209915?[AQB]&ndh=1&t=22/7/2007%2020%3A6%3A16%203%20-480&ce=US-ASCII&ns=whitepages&pageName=Home&g=hXXp%3A//www.whitepages.com/&cc=USD&ch=Home&server=WhitePages.com%20%2810001%29&events=event4&c1=Form&h1=Home%7CForm&c2=Valid&c3=Valid%3AHome&v3=WhitePages.com%20%2810001%29&c4=WhitePages.com%20%2810001%29%3AHome&v4=WhitePages.com%20%2810001%29&c5=Home&s=1680×1050&c=32&j=1.3&v=Y&k=Y&bw=1659&bh=828&ct=lan&hp=N&[AQE] hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: metrics.whitepages.com
Cookie: ***
hXXp/1.1 302 Found
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Expires: Tue, 21 Aug 2007 12:06:18 GMT
Date: Wed, 22 Aug 2007 12:06:18 GMT
Location: hXXp://metrics.whitepages.com/b/ss/whitepagesprod/1/H.9-Pdvu-2/s06459940209915?[AQB]&pccr=true&vidn=46CC26BA00001D5B-A000ABE00003CD3&&ndh=1&t=22/7/2007%2020%3A6%3A16%203%20-480&ce=US-ASCII&ns=whitepages&pageName=Home&g=hXXp%3A//www.whitepages.com/&cc=USD&ch=Home&server=WhitePages.com%20%2810001%29&events=event4&c1=Form&h1=Home%7CForm&c2=Valid&c3=Valid%3AHome&v3=WhitePages.com%20%2810001%29&c4=WhitePages.com%20%2810001%29%3AHome&v4=WhitePages.com%20%2810001%29&c5=Home&s=1680×1050&c=32&j=1.3&v=Y&k=Y&bw=1659&bh=828&ct=lan&hp=N&[AQE]
Content-Type: text/plain
ETag: “***”
Set-Cookie: ***; Expires=Mon, 20 Aug 2012 12:06:18 GMT; Domain=.whitepages.com; Path=/
X-C: ms-3.2
Last-Modified: Thu, 23 Aug 2007 12:06:18 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
Vary: *
P3P: policyref=”/w3c/p3p.xml”, CP=”NOI DSP COR NID PSA OUR IND COM NAV STA”
xserver: www190
Keep-Alive: timeout=15

——————————————————————
GET /crossdomain.xml hXXp/1.1
Accept: */*
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)

Host: mysurvey4u.com
Proxy-Connection: Keep-Alive

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 99
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: application/xml
ETag: “****”
Server: lighXXpd/1.4.13
Accept-Ranges: bytes
Last-Modified: Thu, 17 May 2007 13:14:51 GMT

——————————————————————
GET /879366/flashwrite_1_2.js hXXp/1.1
Accept: */*
Referer: hXXp://ad.doubleclick.net/adi/N2524.N2524.Drive_Performanc/B2367440.3;sz=728×90;ord=106436938?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/822908219/x62/DrivePM_BottomBanner_Aug07/DrivePM_BottomBanner_Jan07.txt/33616131643338613436636332366130?hXXp://clk.atdmt.com/goiframe/24212350.24845398.28121735/whtpgdrv0010000709apm/direct/01?href=
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: m1.2mdn.net

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 801
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: application/x-javascript
Server: DCLK Creative
Last-Modified: Mon, 06 Mar 2006 22:04:39 GMT

——————————————————————
GET /ds/0SM0NSPRTSPR/treo755p_elevator_300x250.swf?ver=1&clickTag1=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/234254492/Medium_Rect/SprintB2B_MedR_Home_Aug07/SprintB2B_MedR_HOME_Jul07.txt/33616131643338613436636332366130?hXXp://clk.atdmt.com/go/whtpgspr0670000053m0n/direct;wi.300;hi.250;ai.29248721;ct.1/01&clickTag=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/234254492/Medium_Rect/SprintB2B_MedR_Home_Aug07/SprintB2B_MedR_HOME_Jul07.txt/33616131643338613436636332366130?hXXp://clk.atdmt.com/go/whtpgspr0670000053m0n/direct;wi.300;hi.250;ai.29248721;ct.1/01 hXXp/1.1
Accept: */*
Referer: hXXp://view.atdmt.com/M0N/iview/whtpgspr0670000053m0n/direct;wi.300;hi.250/01/&234254492?click=hXXp://oasads.whitepages.com/RealMedia/ads/cl
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: spe.atdmt.com
Proxy-Connection: Keep-Alive
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 30474
Expires: Mon, 27 Aug 2007 13:24:56 GMT
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: application/x-shockwave-flash
Allow: GET

——————————————————————
GET /adServer/adServerESI.aspx?bannerID=20266&siteID=whtpgspr0670000053m0n&creativeID=29248721 hXXp/1.1
Accept: */*
Referer: hXXp://view.atdmt.com/M0N/iview/whtpgspr0670000053m0n/direct;wi.300;hi.250/01/&234254492?click=hXXp://oasads.whitepages.com/RealMedia/ads/click_lx.ads/www.whitepages.com/HOME/234254492/Medium_Rect/SprintB2B_MedR_Home_Aug07/SprintB2B_MedR_HOME_Jul07.txt/33616131643338613436636332366130?
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: core.insightexpressai.com

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 225
Expires: Wed, 22 Aug 2007 12:06:18 GMT
Date: Wed, 22 Aug 2007 12:06:18 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
Set-Cookie: ***; domain=.insightexpressai.com; expires=Wed, 22-Aug-2012 12:00:00 GMT; path=/
P3P: CP=”OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA”
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: no-store

——————————————————————
GET /578176/ns-feet-product-4-728×90.swf?clickTag=hXXp%3A//ad.doubleclick.net/click%253Bh%3Dv8/35b6/3/0/%252a/m%253B114287425%253B0-0%253B0%253B17790946%253B3454-728/90%253B21586810/21604700/1%253B%253B%257Esscs%253D%253fhXXp%3A//marketing.networksolutions.com hXXp/1.1
Accept: */*
Referer: hXXp://ad.doubleclick.net/adi/N2524.N2524.Drive_Performanc/B2367440.3;sz=728×90;ord=106436938?click=hXXp://oasads.whitepages.com/RealMedia/a
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: m1.2mdn.net
Proxy-Connection: Keep-Alive

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 47510
Date: Wed, 22 Aug 2007 12:06:17 GMT
Content-Type: application/x-shockwave-flash
Server: DCLK Creative
Last-Modified: Fri, 22 Dec 2006 22:18:51 GMT

——————————————————————
GET /b/ss/whitepagesprod/1/H.9-Pdvu-2/s06459940209915?[AQB]&pccr=true&vidn=46CC26BA00001D5B-A000ABE00003CD3&&ndh=1&t=22/7/2007%2020%3A6%3A16%203%20-480&ce=US-ASCII&ns=whitepages&pageName=Home&g=hXXp%3A//www.whitepages.com/&cc=USD&ch=Home&server=WhitePages.com%20%2810001%29&events=event4&c1=Form&h1=Home%7CForm&c2=Valid&c3=Valid%3AHome&v3=WhitePages.com%20%2810001%29&c4=WhitePages.com%20%2810001%29%3AHome&v4=WhitePages.com%20%2810001%29&c5=Home&s=1680×1050&c=32&j=1.3&v=Y&k=Y&bw=1659&bh=828&ct=lan&hp=N&[AQE] hXXp/1.1
Accept: */*
Referer: hXXp:// www.whitepages.com/
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: metrics.whitepages.com
Cookie: ***
hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Expires: Tue, 21 Aug 2007 12:06:18 GMT
Date: Wed, 22 Aug 2007 12:06:18 GMT
Content-Type: image/gif
ETag: “***”
X-C: ms-3.2
Last-Modified: Thu, 23 Aug 2007 12:06:18 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
Vary: *
P3P: policyref=”/w3c/p3p.xml”, CP=”NOI DSP COR NID PSA OUR IND COM NAV STA”
xserver: www522
Keep-Alive: timeout=15

——————————————————————
GET /stats.php?campaign=i5nitp9y&u=1187784377127 hXXp/1.1
Accept: */*
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
x-flash-version: 9,0,28,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: mysurvey4u.com
Proxy-Connection: Keep-Alive

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Wed, 22 Aug 2007 12:06:18 GMT
Content-type: text/html
Server: lighXXpd/1.4.13
X-Powered-By: PHP/5.2.0-8+etch7
Last-Modified: Wed, 22 Aug 2007 12:06:18 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

——————————————————————
GET /pages/scanner/index.php?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2 hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: ***
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive
Cookie: lang=***; aid=***; lid=***; cnt=***; lng=***; rff=hXXp%3A%2F%2Fwww.mikeonads.com%2F2007%2F07%2F04%2Ferrorsafe-on-careerbuildercom%2F

hXXp/1.1 302 Found
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 22 Aug 2007 12:06:17 GMT
Location: hXXp://adfarm.mediaplex.com/ad/ck/53023/?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: ***; expires=Thu, 23 Aug 2007 12:06:17 GMT; path=/
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:06:17 GMT; path=/; domain=.errorsafe.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:06:17 GMT; path=/; domain=.errorsafe.com

——————————————————————
GET /ad/ck/53023/?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23 hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: ***
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
Cookie: svid=***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: adfarm.mediaplex.com
Proxy-Connection: Keep-Alive

hXXp/1.1 302 Moved Temporarily
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 0
Date: Wed, 22 Aug 2007 12:06:19 GMT
Location: hXXp:// www.drivecleaner.com/.freeware/?p=43&ax=0&ex=1&ed=2&aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23
Server: Apache-Coyote/1.1
Cache-Control: no-cache

——————————————————————
GET /.freeware/?p=43&ax=0&ex=1&ed=2&aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23 hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: ***
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: www.drivecleaner.com
Proxy-Connection: Keep-Alive

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 22 Aug 2007 12:05:50 GMT
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: ***; expires=Thu, 23 Aug 2007 12:05:50 GMT; path=/
Set-Cookie: g***; expires=Thu, 23 Aug 2007 12:05:50 GMT; path=/

——————————————————————
GET /.freeware/?p=43&ax=0&ex=1&ed=2&aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23&z=8 hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: www.drivecleaner.com
Proxy-Connection: Keep-Alive
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 22 Aug 2007 12:05:51 GMT
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: ***; expires=Tue, 22 Aug 2006 12:05:50 GMT
Set-Cookie: ***; expires=Tue, 22 Aug 2006 12:05:50 GMT
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:05:51 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:05:51 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:05:51 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:05:51 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:05:51 GMT; path=/; domain=.drivecleaner.com

——————————————————————
GET /.freeware/index.php?p=43&ax=1&ex=1&mpt=[CACHEBUSTER]&z=8&link=s23&ad=i5nitp9y_rdt_au_en_ed2&aff= hXXp/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Host: www.drivecleaner.com
Proxy-Connection: Keep-Alive
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 22 Aug 2007 12:07:04 GMT
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: ***; expires=Tue, 22 Aug 2006 12:07:03 GMT
Set-Cookie: ***; expires=Tue, 22 Aug 2006 12:07:03 GMT
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:07:04 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:07:04 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:07:04 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:07:04 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 18 Apr 2008 12:07:04 GMT; path=/; domain=.drivecleaner.com
Set-Cookie: ***; expires=Fri, 21 Sep 2007 12:07:04 GMT; path=/; domain=.drivecleaner.com

——————————————————————
GET /.freeware/libs/product.js hXXp/1.1
Accept: */*
Referer: hXXp:// www.drivecleaner.com/.freeware/index.php?p=43&ax=1&ex=1&mpt=[CACHEBUSTER]&z=8&link=s23&ad=i5nitp9y_rdt_au_en_ed2&aff=
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.drivecleaner.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 2269
Date: Wed, 22 Aug 2007 12:08:25 GMT
Content-Type: application/x-javascript
ETag: "***"
Server: Apache
Last-Modified: Fri, 03 Nov 2006 17:05:53 GMT
Accept-Ranges: bytes

——————————————————————
GET /.freeware/libs/utils.php?ad=i5nitp9y_rdt_au_en_ed2&link=s23&ex=1&j=0&p=26&aff= hXXp/1.1
Accept: */*
Referer: hXXp:// www.drivecleaner.com/.freeware/index.php?p=43&ax=1&ex=1&mpt=[CACHEBUSTER]&z=8&link=s23&ad=i5nitp9y_rdt_au_en_ed2&aff=
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.drivecleaner.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 22 Aug 2007 12:08:26 GMT
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2

——————————————————————
GET /.freeware/test.php?cookie=1 hXXp/1.1
Accept: */*
Referer: hXXp:// www.drivecleaner.com/.freeware/index.php?p=43&ax=1&ex=1&mpt=[CACHEBUSTER]&z=8&link=s23&ad=i5nitp9y_rdt_au_en_ed2&aff=
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: drivecleaner.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 22 Aug 2007 11:36:44 GMT
Content-Type: image/gif
Server: Apache
X-Powered-By: PHP/4.4.2
Set-Cookie: ***; expires=Thu, 23 Aug 2007 11:36:44 GMT; path=/

——————————————————————
GET /.freeware/libs/flash_detect.js hXXp/1.1
Accept: */*
Referer: hXXp:// www.drivecleaner.com/.freeware/index.php?p=43&ax=1&ex=1&mpt=[CACHEBUSTER]&z=8&link=s23&ad=i5nitp9y_rdt_au_en_ed2&aff=
Accept-Language: ***
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
Proxy-Connection: Keep-Alive
Host: www.drivecleaner.com
Cookie: ***

hXXp/1.1 200 OK
Via: 1.1 ***
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 931
Date: Wed, 22 Aug 2007 12:08:27 GMT
Content-Type: application/x-javascript
ETag: "***"
Server: Apache
Last-Modified: Fri, 29 Dec 2006 17:34:58 GMT
Accept-Ranges: bytes

——————————————————————
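The capture above reduces mechanically to the hop sequence it documents. The following is an added example, not part of the original post: it parses sessions in the post's munged format, follows each 3xx Location to the next request's Host, and keeps the Referer host of every hop. The function names and the abridged sample are constructed here.

```python
import re

SEP = "\u2014" * 22  # the post's session separator (a row of U+2014 dashes)
# Constructed sample: three sessions abridged from the capture above, still munged.
TRACE = f"""\
GET /pages/scanner/index.php?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2 hXXp/1.1
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
Host: www.errorsafe.com

hXXp/1.1 302 Found
Location: hXXp://adfarm.mediaplex.com/ad/ck/53023/?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23
{SEP}
GET /ad/ck/53023/?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23 hXXp/1.1
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
Host: adfarm.mediaplex.com

hXXp/1.1 302 Moved Temporarily
Location: hXXp:// www.drivecleaner.com/.freeware/?p=43&ax=0&ex=1&ed=2&aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23
{SEP}
GET /.freeware/?p=43&ax=0&ex=1&ed=2&aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23 hXXp/1.1
Referer: hXXp://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=hXXp://oasads.whitepages.com/RealM
Host: www.drivecleaner.com

hXXp/1.1 200 OK
"""

STATUS = re.compile(r"^hXXp/1\.\d (\d{3})", re.M)  # response status line, munged form

def host_of(block, name):
    """Host in a Host/Referer/Location header; tolerates the 'hXXp:// www' munging."""
    m = re.search(rf"^{name}:[ \t]*(?:hXXp://\s*)?([^/\s?]+)", block, re.M | re.I)
    return m.group(1).lower() if m else None

def parse_sessions(trace):
    sessions = []
    for chunk in re.split(r"^[\u2014-]{5,}[ \t]*$", trace, flags=re.M):
        st = STATUS.search(chunk)
        if st:  # split at the status line; the separating blank line may be missing
            request, response = chunk[:st.start()], chunk[st.start():]
            sessions.append({"host": host_of(request, "Host"), "status": int(st.group(1)),
                             "referer": host_of(request, "Referer"),
                             "next": host_of(response, "Location")})
    return sessions

def redirect_chain(sessions):
    """Hosts reached by following each 3xx Location to the next request's Host."""
    hops = [n["host"] for c, n in zip(sessions, sessions[1:])
            if 300 <= c["status"] < 400 and c["next"] == n["host"]]
    return [sessions[0]["host"]] + hops
```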



As per http://msmvps.com/blogs/spywaresucks/archive/2007/08/22/1128996.aspx
Evidence:
GET /crossdomain.xml HTTP/1.1
Accept: */*
x-flash-version: 9,0,47,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: mysurvey4u.com
Proxy-Connection: Keep-Alive

GET /stats.php?campaign=i5nitp9y&u=1187751624408 HTTP/1.1
Accept: */*
Referer: http://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=http://oasads.whitepages.com/RealM
x-flash-version: 9,0,47,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: mysurvey4u.com
Proxy-Connection: Keep-Alive

GET /pages/scanner/index.php?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?clickTAG=http://oasads.whitepages.com/RealM
Content-Type: […]
