IT Security Office Cornell University security@cornell.edu 31 March 2005
An Analysis of the New Marketscore Proxy
This technical document accompanies the white paper Blocking Marketscore: Why Cornell Did It.
An addendum to this document was published in June 2005.
Abstract
Marketscore (http://www.marketscore.com), a subsidiary of the marketing firm ComScore, has made software available to Internet users which is advertised as a tool to help the user influence the Internet and gain "benefits" as part of the Marketscore community and to protect the user's system from e-mail-borne viruses while providing marketing data to the Marketscore company.
The installation process for this software places an agent on the client PC. This agent periodically polls the Marketscore servers for configuration and software updates. Software updates occur frequently and appear to bring additional technical capabilities. Configuration updates occur very frequently, often every few minutes, and instruct the local agent on sites and content of interest, how to acquire and package data, what applications to monitor, and what data about the local machine to gather. This data, when gathered, is compressed and returned to the Marketscore servers. It is important to note that, once installed, the activities of this agent are undetectable and may not be configured by the PC user.
The new Marketscore proxy is capable of intercepting SSL sessions, can eavesdrop on various instant messaging traffic, gathers a great deal of local hardware information, intercepts and redirects POP e-mail traffic, and proxies HTTP and FTP sessions. What follows is a technical discussion of these capabilities, their implementation, and implications for sites attempting to detect Marketscore PCs and limit loss of data.
The findings of this analysis represent the work of the staff of the Cornell University IT Security Office and technical staff of Carnegie Mellon University. Information regarding older versions of the Marketscore software and Cornell University's response to it can be found at http://www.cit.cornell.edu/computer/security/marketscore/.
Methodology
The test system was a Dell GX270 running Microsoft Windows XP Pro, installed on a small 4GB NTFS volume and patched to the latest level as of March 2005. Other than Windows, the following software was installed to assist with our analysis:
- Ethereal
- Commview
- Process Explorer from Sysinternals
- Spybot: Search and Destroy, Ad Aware SE, and Microsoft's anti-spyware Beta
Commview, a network sniffer like Ethereal, allowed us to observe communications between the Web browser and the Marketscore agent. The Sysinternals tools reported on the running processes on the machine. The three anti-spyware tools were useful for evaluating their ability to detect Marketscore and effect a complete removal.
XP Pro, while not necessarily representative of the majority of the Windows systems on the market, offered some technical capabilities not present in the Home variant. Most importantly, the ability to force a system memory dump on demand made for easier software analysis.
Using Helix, a forensics variant of Knoppix (http://www.knoppix.org/), a dd image of the NTFS volume was captured prior to the Marketscore installation. Further, using the tripwire-like tool called AIDE, MD5 and SHA1 hashes of all installed files were kept. This information was stored in a local Linux volume, apart from the Windows installation. Repeated baselining and comparison with AIDE allowed us to determine what files had been installed, removed, or changed during the operation of the PC.
Lastly, the system shared a small Ethernet hub with a Solaris machine. This external host was used to gather data exchanged between Marketscore and the PC agent.
Observations
Internet Explorer was used to visit the Marketscore site. The installation process left behind a small InstallShield stub:
C:\WINDOWS\Downloaded Program Files\setup.exe
The install included mksc.exe, osmim.dll, okshook.dll, and silc_dll.dll, along with a large number of registry keys.
The mksc.exe process was a localhost proxy listening on port 8254/tcp for connections from the local browser. A Layered-Service-Provider (LSP), osmim.dll, redirected a variety of connections to the Marketscore agent. This agent then extracted data of interest and forwarded it to a remote host owned by Marketscore by means of a POST to contentidpost.dll. The data sent via this POST was generally a small amount of XML, Zlib-compressed (presumably to speed the transaction and as a minor obstacle to eavesdropping). Contained within this XML was session information about the most recent Web transaction of interest. In particular, we have seen cookies, session keys, search URLs, page titles, the HTTP response code ("200", "302", etc.), response message, and apparent response latency of the remote Web server.
All Web connections appeared to be redirected in this way. The agent seemed fully capable of intercepting and decoding SSL sessions, as it contained its own certificate and key and functioned as a man-in-the-middle. FTP connections through the browser seemed to be proxied as well.
One service offered by Marketscore is "e-mail protection" from viruses and other malware. In practice, the LSP (Layered Service Provider) present on the local machine redirected POP3 connections to port 11000 on a remote Marketscore host. These sessions included the username/password passed by the e-mail client, the intended destination POP3 server, and its port. Presumably, the remote host retrieved e-mail conventionally, applied e-mail virus scanning as promised, and forwarded the results to the PC for normal consumption.
The proxy periodically polled Marketscore servers for application and configuration updates. As each POST included the version of the locally installed agent, rapid upgrades seemed possible and were, in fact, observed. Configuration updates were frequently seen as well. These updates consisted of XML files which included the following changes or updates:
- a list of IP addresses associated with Marketscore systems;
- URL matching regular expressions and MIME types to observe;
- a series of "biometric" rules matching simple words. This feature seems intended to distinguish between interactive use of the PC and automated applications by tracking mouse and keyboard use;
- a series of "dittorules" matching URLs to MIME types similar to the above URL matching;
- POST data rules including regular expressions to extract POST content;
- configuration rules dictating whether to scan pop-ups, HTML or just HTTP headers, Content-ID grabbing, etc.;
- speed testing parameters to determine network latency by making empty queries to Marketscore servers;
- upload/download testing parameters;
- instant messaging capture configuration parameters, giving executable names and TCP ports, presumably on which to sniff traffic;
- URL matching rules that will cause the browser to generate Marketscore-branded pop-up advertising when visiting certain sites.
See Appendix A for XML captures on 30 March 2005.
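As an added illustration (not part of the original analysis and not Marketscore's code), the following audits a cached contentidrules file against URLs a site cares about. The sample rules are copied from Appendix A; treating `*` as the only wildcard, matching case-insensitively, and defaulting a missing mimeType to `*` are assumptions about the agent's matching, and the example.edu URLs are constructed.

```python
import re

# Tolerant attribute parsing: the cached files are not guaranteed to be
# well-formed XML, so the rules are pulled out with regular expressions.
RULE_RE = re.compile(r"<CONTENTRULE\s+([^>]*?)/?>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# A few rules copied from the Appendix A capture of contentidrules.asp.
SAMPLE_RULES = (
    '<XML> <CONTENTRULE url="http://*.expedia.com/*" mimeType="*" /> '
    '<CONTENTRULE url="http://*.netsetter.com/aolping.asp" mimeType="*" exclude="true" /> '
    '<CONTENTRULE url="*phobos.apple.com*" mimeType="text/plain" /> '
    '<CONTENTRULE url="*" mimeType="text/html*" /> '
    '<CONTENTRULE url="*" mimeType="audio/*" /> </XML>'
)


def glob_regex(pattern):
    """Compile a rule pattern, treating '*' as the only wildcard (assumption)."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts), re.I | re.S)


def parse_rules(xml_text):
    """Return the CONTENTRULE entries as dictionaries, in file order."""
    rules = []
    for attr_text in RULE_RE.findall(xml_text):
        attrs = dict(ATTR_RE.findall(attr_text))
        rules.append({
            "url": attrs.get("url", "*"),
            "mime": attrs.get("mimeType", "*"),  # missing attribute: assumed '*'
            "exclude": attrs.get("exclude", "").lower() == "true",
        })
    return rules


def audit(rules, url, mime):
    """List every rule that matches one observed (URL, Content-Type) pair.

    No precedence between rules is assumed; capture and exclude matches are
    reported separately so the reader can judge them.
    """
    hits = [r for r in rules
            if glob_regex(r["url"]).fullmatch(url)
            and glob_regex(r["mime"]).fullmatch(mime)]
    return {
        "url": url,
        "mime": mime,
        "capture": [(r["url"], r["mime"]) for r in hits if not r["exclude"]],
        "exclude": [(r["url"], r["mime"]) for r in hits if r["exclude"]],
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Constructed observations: a single-sign-on page and an image from it.
    for url, mime in [
        ("https://sso.example.edu/login", "text/html; charset=utf-8"),
        ("https://sso.example.edu/logo.png", "image/png"),
        ("http://www.expedia.com/trip", "image/gif"),
    ]:
        print(audit(rules, url, mime))
```

Under these assumptions the catch-all `url="*"` rules mean any HTML response matches, including pages on sites that are never named in the rule file.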
The Marketscore agent was observed (via tcpdump) sending a system inventory at regular intervals. This inventory was in the clear and, unlike harvested Web data, uncompressed. It included a complete system inventory, including CPU type and speed; installed RAM; installed drives, their manufacturers, serial numbers, and sizes; and installed video hardware and monitor type. In fact, every device detectable by Windows XP was enumerated and reported.
The agent itself has many other capabilities. Among those observed:
- detect the Windows XP firewall and allow access for itself;
- detect installed browsers and instant messaging applications and, where necessary, disable popup-ad blockers to permit its survey functions;
- poll Marketscore for software upgrades and silently install them;
- enumerate installed hardware.
The human-readable strings in the mksc.exe binary were checked, and from those the following capabilities seem to exist, though they were not observed on the test system:
- analyze streaming video and audio sessions for a variety of protocols;
- analyze instant messaging protocols;
- monitor Windows Remote Access Services (RAS) use;
- identify and report AOL's parental access control settings for the current user.
As a result of general Web surfing on the test system, several examples of content capture and transmittal were observed. In practice, we extracted the Zlib:deflate-encoded data sent to Marketscore via a POST to contentidpost.dll and inflated it using perl's Compress::Zlib module. Some of those extracts follow, along with their context:
A book purchase from Amazon:
<udata ci="7" et="0" pr="0" ro="3266"> <nsrecord> <tt>Amazon.com Checkout Sign In</tt> <pid>62BC389A1475002001|35A18B9C6247001003|</pid> <request> <mt>POST <url>http://www.amazon.com/gp/cart/view.html/ref=pd_luc_mri/104-7564053-6622369 <cv>HTTP/1.1 <rf>http://www.amazon.com/exec/obidos/tg/stores/static/-/generic/shopping-cart-gp-add/ ref=dp_start-buy-box-form_1/104-7564053-6622369?%5Fencoding=UTF8 &encodedOffering.1=s2Q2JY%252FYOd4MFaHrWKaBZyD8fqHdTjqYGPbgcfCvPyaCeS%252bN3FPaxn3d5TFnksq2z%252BTxwGGXsjM%253D &isDirectAssociateLink=0&quantity.1=1&sourceCustomerOrgListID=&itemCount=1 &sourceCustomerOrgListItemID=&isDebug=&isToBeGiftWra</rf> <al>en-us,x-ns1z95iEjXGNhp,x-ns2p2f0bt0V5ab</al> <ua>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</ua> <ck>session-id-time=1112342400l; session-id=104-7564053-6622369; ubid-main=430-5621900-9442242; obidos_path_continue-shopping= continue-shopping-url=/tg/stores/static/-/generic/shopping-cart-gp-add/ ref%3Ddp%5Fstart-buy-box-form%5F1/104-7564053-6622369%3F%255Fencoding%3DUTF8%26 encodedOffering.1%3Ds2Q2JY%25252FYOd4MFaHrWKaBZYD8fQHdTjqYGPBgcfCvPyaCeS% 25252BN3FPAxn3d5TFnksq2z%25252BTxwGGXsjM%25253D%26isDirectAssociateLink%3D0% 26quantity.1%3D1%26sourceCustomerOrgListID%3D%26itemCount%3D1%26 sourceCustomerOrgListItemID%3D%26isDebug%3D%26isToBeGiftWrapped%3D0%26store% 3Dbooks&continue-shopping-post-data=&continue-shopping-description=stores/ static%7E%7C%7Egeneric%7E%7C%7Eshopping-cart-gp-add</ck> <oss>OSSProxy 1.3.301.311 (Build 301.311 Win32 en-us)(Mar 4 2005 18:05:38) </oss> <ac>2000,ac</ac> <pdb64>YWNOaXZlSXRlbUNVdW50PTEmaXNUb0JlR2lmdFdyYXBwZWRQcmV2aW91cy5jYXJ0PTAmaXRlbUlELj E9 VTNWUFhDRjVYNO8zSjcmcXVhbnRpdHIKuMT0xJnByb2NlZWRUb0NoZWNrb3V0Lng9MjImcHJvY2VlZFRv Q2hlY2tvdXQueT03</pdb64> </request> <reply> <rc>200</rc> <rs>OK</rs> <ct>text/html; charset=iso-8859-1</ct> <rb>10347</rb> <sc>ubid-main=430-5621900-9442242; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT</sc> <sc>session-id-time=1112342400l; path=/; 
domain=.amazon.com; expires=Fri Apr 01 08:00:00 2005 GMT</sc> <sc>session-id=104-7564053-6622369; path=/; domain=.amazon.com; expires=Fri Apr 01 08:00:00 2005 GMT</sc> </reply> </nsrecord> </udata>
We observed the following after using Cornell's Web search page to find the e-mail address and on-campus directory information of one of the authors. This data was most likely reported to Marketscore because the agent was configured to report all Google-based queries and the Cornell search pages rely on Google:
<udata ci="7" et="0" pr="0" ro="47"> <nsrecord> <tt>Cornell University - Search Cornell</tt> <pid>6C3B5A718942001001|</pid> <request> <mt>GET</mt> <url>http://www.cornell.edu/search/index.cfm?tab=people&netid=wm63&q=wm63</url> <cv>HTTP/1.1</cv> <rf>http://www.google.com/u/cuweb?q=wm63&sa=Search&domains=cornell.edu&sitesearch=cornell.edu</rf> <al>en-us,x-ns1z95iEjXGNhp,x-ns2p2f0bt0V5ab</al> <ua>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</ua> <ck>CFID=6232802; CFTOKEN=10409161</ck> <oss>OSSProxy 1.3.301.311 (Build 301.311 Win32 en-us)(Mar 4 2005 18:05:38) </oss> </request> <reply> <rc>200</rc> <rs>OK</rs> <ct>text/html; charset=utf-8</ct> <rb>10405</rb> <sc>CFID=6232802;path=/</sc> <sc>CFTOKEN=10409161;path=/</sc> </reply> </nsrecord> </udata>
We observed the Marketscore software uploading authentication cookies for a restricted user data update site maintained at Cornell:
<udata ci="7" et="0" pr="0" ro="78"> <nsrecord> <tt>WhoIAm</tt> <pid>6C3B5A718942001001|</pid> <request> <mt>GET</mt> <url>http://whoiam.cornell.edu/whoiam/DirectoryInfo?email=show&cw_inChannelLink=1</url> <cv>HTTP/1.1</cv> <rf>http://whoiam.cornell.edu/whoiam/DirectoryInfo?directory=show&cw_inChannelLink=1</rf> <al>en-us,x-ns1z95iEjXGNhp,x-ns2p2f0bt0V5ab</al> <ua>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</ua> <ck>cuweblogin=discarded; CUWEBAUTH:128.253.161.165=KfLZ1S5yMPob3UkDLJVnDtn4bGft9spdIIb4TCbRcJo=</ck> <oss>OSSProxy 1.3.301.311 (Build 301.311 Win32 en-us)(Mar 4 2005 18:05:38) </oss> <ac>2000,6d</ac> </request> <reply> <rc>200</rc> <rs>OK</rs> <ct>text/html</ct> <rb>5853</rb> </reply> </nsrecord> </udata>
Initial session data from CUWebLogin, a Web single-sign-on application in heavy use at Cornell, was observed:
<udata ci="7" et="0" pr="0" ro="0"> <nsrecord> <pid>3561ABC89247001002|</pid> <request> <mt>GET</mt> <url>http://cuweblogin.cit.cornell.edu/cuwl-cgi/login.cgi?sessID=pend813320258 &reason=noCookie&allowGuest=false&origURL=http://whoiam.cornell.edu/whoiam/ &CustMsg=&AltUrl=</url> <cv>HTTP/1.1</cv> <rf>http://www.google.com/u/cuweb?q=whoiam&domains=cornell.edu&sitesearch=cornell.edu</rf> <al>en-us,x-ns1z95iEjXGNhp,x-ns2p2f0bt0V5ab</al> <ua>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</ua> <oss>OSSProxy 1.3.301.311 (Build 301.311 Win32 en-us)(Mar 4 2005 18:05:38) </oss> </request> <reply> <rc>302</rc> <rs>Found</rs> <loc>https://cuweblogin.cit.cornell.edu:443/cuwl-cgi/login.cgi?sessID=pend813320258 &reason=noCookie&allowGuest=false&origURL=http://whoiam.cornell.edu/whoiam/ &CustMsg=&AltUrl=</loc> <ct>text/html; charset=iso-8859-1</ct> <rb>453</rb> </reply> </nsrecord> </udata>
Analysis: Detection and Removal
Agent behavior was observed on localhost:8254 using Commview, which led to the conclusion that this new agent represents a fundamental shift in operations. It is important to note that as of December 2004, when many higher-ed sites began blocking Marketscore with a variety of techniques (DNS, route maps, packetshaper configuration, etc.), the assumption was that all browser traffic was sent directly to Marketscore, from there to the destination site, and the Web traffic in response followed the reverse path. That these defensive techniques, each intended to notify PC owners of the presence of Marketscore while preventing the leakage of data, worked as designed bears out that technical understanding.
However, it appears the new agent simply stands in the middle of transactions, forwarding requests and processing replies, and picks out those pieces suitable for forwarding to Marketscore. General Web surfing does not transit the Marketscore network in this model. While this design carries a notable efficiency improvement for Marketscore, it also means that the current generation of defensive techniques will not notify the PC owner of the presence of the agent. They will prevent the harvested data from reaching its destination, but detection and cleanup per local security policy will be considerably more difficult.
It has been discovered that the agent's communications port, 8254, is detectable externally with a tool such as nmap (http://www.insecure.org/nmap), though no external communication with the proxy via that socket seems possible.
Further, all transactions with the Marketscore server are conducted over cleartext HTTP. Passive detection methods continue to be reliable, and Zlib dissectors (common in many commercial and open source sniffer packages) may be used to determine what data was passed.
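The passive check described above and the inflate step described under Observations can be combined in one script. This is an added example, not the tooling used in the analysis (which used perl's Compress::Zlib): it takes a reassembled HTTP request, recognises a POST to contentidpost.dll, inflates the body and lists the session material in each record. The sample record, host name and path prefix are constructed; the tag names come from the captures shown earlier.

```python
import re
import zlib

# Leaf tags from the page's captures that carry credentials or session state.
SENSITIVE = {"ck": "request cookies", "sc": "Set-Cookie values",
             "pdb64": "base64-encoded POST body"}

# Constructed sample record (not a real capture), using tag names from the page.
SAMPLE_XML = (
    '<udata ci="7" et="0" pr="0" ro="1"> <nsrecord> <tt>Example Login</tt> '
    "<request> <mt>GET</mt> "
    "<url>http://intranet.example/login?user=alice&next=/home</url> "
    "<ck>SESSIONID=constructed-value</ck> "
    "<oss>OSSProxy 1.3.301.311</oss> </request> "
    "<reply> <rc>200</rc> <sc>SESSIONID=constructed-value; path=/</sc> "
    "<sc>PREF=constructed; path=/</sc> </reply> </nsrecord> </udata>"
)

# Leaf elements only: the value may not contain '<'. A strict XML parser is
# avoided on purpose, because the captured URLs contain bare '&' characters.
LEAF_RE = re.compile(r"<([A-Za-z0-9]+)>([^<]*)</\1>")
RECORD_RE = re.compile(r"<nsrecord>(.*?)</nsrecord>", re.S)


def split_http_request(raw):
    """Split a reassembled HTTP request into method, path, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def inflate(body):
    """Inflate a zlib-wrapped body, falling back to raw deflate."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            d = zlib.decompressobj(wbits)
            return d.decompress(body) + d.flush()
        except zlib.error:
            continue
    raise ValueError("body is not zlib/deflate data")


def parse_udata(xml_text):
    """Return one {tag: [values]} dictionary per <nsrecord>."""
    records = []
    for record in RECORD_RE.findall(xml_text):
        fields = {}
        for tag, value in LEAF_RE.findall(record):
            fields.setdefault(tag, []).append(value.strip())
        records.append(fields)
    return records


def analyze_post(raw):
    """Return one finding per record, or None if this is not an agent upload."""
    method, path, headers, body = split_http_request(raw)
    if method != "POST" or not path.lower().endswith("contentidpost.dll"):
        return None
    text = inflate(body).decode("utf-8", "replace")
    findings = []
    for fields in parse_udata(text):
        findings.append({
            "collector": headers.get("host"),
            "url": (fields.get("url") or [None])[0],
            "title": (fields.get("tt") or [None])[0],
            "agent": (fields.get("oss") or [None])[0],
            "leaked": {t: fields[t] for t in SENSITIVE if t in fields},
        })
    return findings


def build_sample_post(raw_deflate=False):
    """Build a constructed upload; host and path prefix are placeholders."""
    xml = SAMPLE_XML.encode("utf-8")
    if raw_deflate:
        c = zlib.compressobj(-1, zlib.DEFLATED, -zlib.MAX_WBITS)
        body = c.compress(xml) + c.flush()
    else:
        body = zlib.compress(xml)
    head = ("POST /example-path/contentidpost.dll HTTP/1.1\r\n"
            "Host: collector.example\r\n"
            "Content-Length: %d\r\n\r\n" % len(body)).encode("ascii")
    return head + body


if __name__ == "__main__":
    for finding in analyze_post(build_sample_post()):
        print(finding)
```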
All three installed anti-spyware tools were tried, though none was allowed to complete its removal steps. Each was able to find some part of the Marketscore installation, including some subset of the registry keys, the LSP installation, and, rarely, the mksc.exe agent itself. Any two in conjunction would be likely to render the installation non-functional. See Appendix E for the results of each scan.
Marketscore's own removal instructions reference a procedure available from the Members section of their Web site. That section was unreachable as of this writing, despite having a valid e-mail address/password used to initially install the software. In the absence of that tool, the Windows Add/Remove Programs control panel applet was tried. After a system reboot, all Marketscore files were still present in their original locations, but the agent was not running, no 8254 port was present, and, according to tcpdump, all Web traffic was going to and from its intended destination hosts with no side communications to Marketscore.
Appendix A
XML and Configuration Files
These XML and configuration files are periodically updated by Marketscore. They all contain configuration information for the Marketscore proxy, specifying what data to capture and send to Marketscore. These were found in the web cache for Internet Explorer.
Popup advertisement configuration rule example; visits to Budget Car Rental will cause popup surveys:
<SURVEY surveyID="66601" url="http://oss-ad.marketscore.com/oss/survey.asp? scomp=1&surveyID=66601&browserIDC=z95iEjXGNhpp2f0bt0V5ab&osite=15" site="http://drivebudget.com/*" delayTime="20" textMimeOnly="True" surveyOdds="1" height="0" width="0" flags="287" />
<SURVEY surveyID="66601" url="http://oss-ad.marketscore.com/oss/survey.asp? scomp=1&surveyID=66601&browserIDC=z95iEjXGNhpp2f0bt0V5ab&osite=15" site="https://*.drivebudget.com/*" delayTime="20" textMimeOnly="True" surveyOdds="1" height="0" width="0" flags="287" />
<SURVEY surveyID="66601" url="http://oss-ad.marketscore.com/oss/survey.asp? scomp=1&surveyID=66601&browserIDC=z95iEjXGNhpp2f0bt0V5ab&osite=15" site="https://drivebudget.com/*" delayTime="20" textMimeOnly="True" surveyOdds="1" height="0" width="0" flags="287" />
</XML>
oss-content.marketscore.com/oss/speed_sslt.asp
Test OK
oss-crules.marketscore.com/oss/contentidrules.asp
<XML> <CONTENTRULE url="http://*.atdmt.com/*" mimeType="*" /> <CONTENTRULE url="http://*.atwola.com/*" mimeType="*" /> <CONTENTRULE url="http://*.advertising.com/*" mimeType="*" /> <CONTENTRULE url="http://*.adsdk.com/*" mimeType="*" /> <CONTENTRULE url="http://*.burstnet.com/*" mimeType="*" /> <CONTENTRULE url="http://*.linkexchange.com/*" mimeType="*" /> <CONTENTRULE url="http://ad.contentzone.com/*" mimeType="*" /> <CONTENTRULE url="http://*.doubleclick.net/*" mimeType="*" /> <CONTENTRULE url="http://adcontent.gamespy.com/*" mimeType="*" /> <CONTENTRULE url="http://adforce.imgis.com/*" mimeType="*" /> <CONTENTRULE url="http://connect.247media.ads.link4ads.com/*" mimeType="*" /> <CONTENTRULE url="http://ads.gamespy.com/*" mimeType="*" /> <CONTENTRULE url="http://centraladmin.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://commonwealth.riddler.com/*" mimeType="*" /> <CONTENTRULE url="http://icover.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://network.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://*.247media.com/*" mimeType="*" /> <CONTENTRULE url="http://realads.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://retaildirect.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://rmeast6.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://s2a.realmedia.com/*" mimeType="*" /> <CONTENTRULE url="http://*teknosurf*.com/*" mimeType="*" /> <CONTENTRULE url="http://*psstt.com/*" mimeType="*" /> <CONTENTRULE url="http://*.valueclick.com/*" mimeType="*" /> <CONTENTRULE url="http://*.valueclick.net/*" mimeType="*" /> <CONTENTRULE url="http://*.clickagents.com/*" mimeType="*" /> <CONTENTRULE url="http://*.oas-central.com/*" mimeType="*" /> <CONTENTRULE url="http://*oascentral.investors.com/*" mimeType="*" /> <CONTENTRULE url="http://*oas-central.investors.com/*" mimeType="*" /> <CONTENTRULE url="http://*tribalfusion.com/*" mimeType="*" /> <CONTENTRULE url="http://*.expedia.com/*" mimeType="*" /> <CONTENTRULE 
url="http://*.travelocity.com/*" mimeType="*" /> <CONTENTRULE url="http://*shopping.msn.com/*" mimeType="*" /> <CONTENTRULE url="http://global.msads.net/*" mimeType="*" /> <CONTENTRULE url="http://*.mocda.com" mimeType="*" /> <CONTENTRULE url="http://*.mocda1.com" mimeType="*" /> <CONTENTRULE url="http://*.mocda2.com" mimeType="*" /> <CONTENTRULE url="http://*.mocda3.com" mimeType="*" /> <CONTENTRULE url="http://*.mocda4.com" mimeType="*" /> <CONTENTRULE url="http://*.netsetter.com/aolping.asp" mimeType="*" exclude="true" /> <CONTENTRULE url="http://media.adcentriconline.com/adcentric/tag/394/*" mimeType="*" /> <CONTENTRULE url="http://media.adcentriconline.com/adcentric/tag/395/*" mimeType="*" /> <CONTENTRULE url="http://media.adcentriconline.com/adcentric/data/394/*" mimeType="*" /> <CONTENTRULE url="http://media.adcentriconline.com/adcentric/data/395/*" mimeType="*" /> <CONTENTRULE url="http://*.edge.ru4.com/*" mimeType="*" /> <CONTENTRULE url="http://*.content.ru4.com/*" mimeType="*" /> <CONTENTRULE url="http://*.suitesmart.com/*" mimeType="*" /> <CONTENTRULE url="http://*ne.getit4u.com/*" mimeType="*" /> <CONTENTRULE url="http://*.insightexpress.com/*" mimeType="*" /> <CONTENTRULE url="*img.mediaplex.com/*" mimeType="*" /> <CONTENTRULE url="*c4.maxserving.com/*" mimeType="*" /> <CONTENTRULE url="*frusonket.com*" mimeType="*" /> <CONTENTRULE url="*us.a1.yimg.com*" mimeType="*" /> <CONTENTRULE url="*phobos.apple.com*" mimeType="text/plain" /> <CONTENTRULE url="*adrevolver.com/*" mimeType="*" /> <CONTENTRULE url="*" mimeType="application/x-app-prot-data" /> <CONTENTRULE url="*" mimeType="application/x-ditto-data" /> <CONTENTRULE url="*" mimeType="text/html*" /> <CONTENTRULE url="*" mimeType="text/plain*" /> <CONTENTRULE url="*" mimeType="*" exclude="true" noroutable="true" recordType="1" /> <CONTENTRULE url="*" mimeType="*" exclude="true" noroutable="true" recordType="2" /> <CONTENTRULE url="*" mimeType="*" exclude="true" noroutable="true" recordType="3" /> 
<CONTENTRULE url="*" mimeType="*" exclude="true" noroutable="true" recordType="4" /> <CONTENTRULE url="*" mimeType="*" exclude="true" noroutable="true" recordType="5" /> <CONTENTRULE url="*" mimeType="*" recordType="6" /> <CONTENTRULE url="*" mimeType="[MISSING]" recordType="7" /> <CONTENTRULE url="*" mimeType="text/*" recordType="7" /> <CONTENTRULE url="*" mimeType="audio/*" /> <CONTENTRULE url="*" mimeType="video/*" /> <CONTENTRULE url="*" mimeType="x-audio/*" /> <CONTENTRULE url="*" mimeType="x-video/*" /> <CONTENTRULE url="*" mimeType="application/x-aol-url-data" /> <CONTENTRULE url="*" mimeType="application/x-osroute-data" /> <CONTENTRULE url="*" mimeType="application/x-ras-data" /> <CONTENTRULE url="*" mimeType="application/*-flash" /> <CONTENTRULE url="*" mimeType="application/x-rtsp-tunnelled"/> <CONTENTRULE url="*" mimeType="misc/ultravox"/> <CONTENTRULE url="*" mimeType="application/x-aol-pb*"/> <CONTENTRULE url="*" recordType="2"/> <CONTENTRULE url="http://*.sdp" mimeType="*" /> <CONTENTRULE url="http://*.asf" mimeType="application/octet-stream" /> <CONTENTRULE url="http://*.sdp?*" mimeType="*" /> <CONTENTRULE url="http://*.asf?*" mimeType="application/octet-stream" /> <CONTENTRULE url="*.asx" mimeType="application/asx" /> <CONTENTRULE url="*.asx?*" mimeType="application/asx" /> <CONTENTRULE url="*real*exe" mimeType="*" /> <CONTENTRULE url="*rp8-setup.exe*" mimeType="*" /> <CONTENTRULE url="*rp7-standard-setup.exe*" mimeType="*" /> <CONTENTRULE url="*r32_g20_3sm.exe*" mimeType="*" /> <CONTENTRULE url="*rp32_50.exe*" mimeType="*" /> <CONTENTRULE url="*rp32_401.exe*" mimeType="*" /> <CONTENTRULE url="*ra32_30.exe*" mimeType="*" /> <CONTENTRULE url="*rjukebox*setup.exe*" mimeType="*" /> <CONTENTRULE url="*rp16_50.exe*" mimeType="*" /> <CONTENTRULE url="*ra16_30.exe*" mimeType="*" /> <CONTENTRULE url="http://*.rad" mimeType="application/octet-stream" /> <CONTENTRULE url="http://*.rad?*" mimeType="application/octet-stream" /> <CONTENTRULE url="*" 
mimeType="application/vnd.rn-realmedia"/> <CONTENTRULE url="http://proxycfg.netsetter.com/aolping.asp" mimeType="*/*" exclude="true" /> <CONTENTRULE url="*rds.yahoo.com*http://*.altavista.com/*" mimeType="*" /> <CONTENTRULE url="*.trafficmp.com*" mimeType="*" /> <CONTENTRULE url="*casalemedia.com*" mimeType="*" /> <CONTENTRULE url="*209.132.209.28*" mimeType="*" /> <CONTENTRULE url="*ads.addesktop.com*" mimeType="*" /> <CONTENTRULE url="*sc4.maxserving.com*" mimeType="*" /> <CONTENTRULE url="*.starwave.com*" mimeType="*" /> <CONTENTRULE url="*ads.emarketmakers.com*" mimeType="*" /> <CONTENTRULE url="*66.226.0.30*" mimeType="*" /> <CONTENTRULE url="*ads.addesktop.com*" mimeType="*" /> <CONTENTRULE url="*fastclick.net*" mimeType="*" /> <CONTENTRULE url="*adserver.com*" mimeType="*" /> <CONTENTRULE url="*speedera.net" mimeType="*" /> <CONTENTRULE url="*pennyweb.com" mimeType="*" /> <CONTENTRULE url="*ads.addynamix.com" mimeType="*" /> </XML>
proxycfg.marketscore.com/oss/biometricrules.asp
<xml update="288"> <BIOMETRIC key="WWW." id = "1"/> <BIOMETRIC key=".COM" id = "2"/> <BIOMETRIC key="THAT" id = "3"/> <BIOMETRIC key="WITH" id = "4"/> <BIOMETRIC key="THEY" id = "5"/> <BIOMETRIC key="THIS" id = "6"/> <BIOMETRIC key="FROM" id = "7"/> <BIOMETRIC key="HAVE" id = "8"/> <BIOMETRIC key="WHAT" id = "9"/> <BIOMETRIC key="WERE" id = "10"/> <BIOMETRIC key="WHEN" id = "11"/> <BIOMETRIC key="YOUR" id = "12"/> <BIOMETRIC key="THE " id = "13"/> <BIOMETRIC key="AND " id = "14"/> <BIOMETRIC key="YOU " id = "15"/> <BIOMETRIC key="FOR " id = "16"/> <BIOMETRIC key="WAS " id = "17"/> <BIOMETRIC key="ARE " id = "18"/> <BIOMETRIC key="HTTP" id = "19"/> </xml>
proxycfg.marketscore.com/oss/dittorules.asp
<xml update="288"> <dittorule url="*yahoo.com.mx*" mimeType="text/*" /> <dittorule url="*yahoo.es*" mimeType="text/*" /> <dittorule url="*t1msn.com.mx*" mimeType="text/*" /> <dittorule url="*terra.es*" mimeType="text/*" /> <dittorule url="*iespana.es*" mimeType="text/*" /> <dittorule url="*mercadolibre.com.mx*" mimeType="text/*" /> <dittorule url="*elmundo.es*" mimeType="text/*" /> <dittorule url="*terra.com.co*" mimeType="text/*" /> <dittorule url="*lycos.es*" mimeType="text/*" /> <dittorule url="*terra.com.mx*" mimeType="text/*" /> <dittorule url="*msn.es*" mimeType="text/*" /> <dittorule url="*yahoo.com.ar*" mimeType="text/*" /> <dittorule url="*ig.com.br*" mimeType="text/*" /> <dittorule url="*google.com.mx*" mimeType="text/*" /> <dittorule url="*univision.com*" mimeType="text/*" /> <dittorule url="*terra.com*" mimeType="text/*" /> <dittorule url="*esmas.com*" mimeType="text/*" /> <dittorule url="*cnnenespanol.com*" mimeType="text/*" /> <dittorule url="*starmedia.com*" mimeType="text/*" /> <dittorule url="*hispavista.com*" mimeType="text/*" /> <dittorule url="*tuparada.com*" mimeType="text/*" /> <dittorule url="*latinchat.com*" mimeType="text/*" /> <dittorule url="*miarroba.com*" mimeType="text/*" /> <dittorule url="*melodysoft.com*" mimeType="text/*" /> <dittorule url="*ya.com*" mimeType="text/*" /> <dittorule url="*yupimsn.com*" mimeType="text/*" /> <dittorule url="*galeon.com*" mimeType="text/*" /> <dittorule url="*latinmail.com*" mimeType="text/*" /> <dittorule url="*gusanito.com*" mimeType="text/*" /> <dittorule url="*amigos.com*" mimeType="text/*" /> <dittorule url="*labolsa.com*" mimeType="text/*" /> <dittorule url="*latingames.com*" mimeType="text/*" /> <dittorule url="*telemundo.com*" mimeType="text/*" /> <dittorule url="*lopeor.com*" mimeType="text/*" /> <dittorule url="*mexico.com*" mimeType="text/*" /> <dittorule url="*todito.com*" mimeType="text/*" /> <dittorule url="*atame.org*" mimeType="text/*" />
<dittorule url="*peru.com*" mimeType="text/*" /> <dittorule url="*wn.com*" mimeType="text/*" /> <dittorule url="*esmascompras.com*" mimeType="text/*" /> <dittorule url="*aola.com*" mimeType="text/*" /> <dittorule url="*clarin.com*" mimeType="text/*" /> </xml>
proxycfg.marketscore.com/oss/kwrules2.asp
<xml update="144"> <kwrule domain="09zone.com"> </kwrule> <kwrule domain="12.47.101.200"> </kwrule> <kwrule domain="12.47.101.201"> </kwrule> <kwrule domain="12.47.101.202"> </kwrule> <kwrule domain="12.47.101.203"> </kwrule> <kwrule domain="12.47.101.204"> </kwrule> <kwrule domain="170.224.14"> </kwrule> <kwrule domain="180096hotel.com"> </kwrule> <kwrule domain="1800flowers.com"> </kwrule> <kwrule domain="209.167.164.66"> </kwrule> <kwrule domain="216.74.85.170"> </kwrule> <kwrule domain="24-7-pharmacy.com"> </kwrule> <kwrule domain="4adodge.com"> </kwrule> <kwrule domain="5000.ru"> </kwrule> <kwrule domain="555.ru"> </kwrule> <kwrule domain="a2zimaging.com"> </kwrule> <kwrule domain="aBJ </kwrule> <kwrule domain="abcnews.com"> </kwrule> <kwrule domain="abercrombie.com"> </kwrule> <kwrule domain="about.com"> </kwrule> <kwrule domain="accountonline.com"> </kwrule> <kwrule domain="accuweather.com"> </kwrule> <kwrule domain="acura.com"> </kwrule> <kwrule domain="adanit.com"> </kwrule> <kwrule domain="adidas.com"> </kwrule> <kwrule domain="ads.cars.com"> </kwrule> <kwrule domain="adv-care.com"> </kwrule> <kwrule domain="advair.com"> </kwrule> <kwrule domain="aeromexico.com"> </kwrule> <kwrule domain="affordablerx.com"> </kwrule> <kwrule domain="airborne.com"> </kwrule> <kwrule domain="airtran.com"> </kwrule> <kwrule domain="aitsafe.com"> </kwrule> <kwrule domain="alamo.com"> </kwrule> <kwrule domain="alaskaair.com"> </kwrule> <kwrule domain="albertsons.com"> </kwrule> <kwrule domain="alero.com"> </kwrule> <kwrule domain="alienaa.com"> </kwrule> <kwrule domain="all-hotels.com"> </kwrule> <kwrule domain="allbooks4less.com"> </kwrule> <kwrule domain="allegra.com"> </kwrule> <kwrule domain="allergy-medications.com"> </kwrule> <kwrule domain="allergyrewards.com"> </kwrule> <kwrule domain="allposters.ru"> </kwrule> <kwrule domain="altavista.com"> </kwrule> <kwrule domain="altnet.com"> </kwrule> <kwrule
domain="alzheimersconcern.com"> </kwrule> <kwrule domain="amadeus.net"> </kwrule> <kwrule domain="amaryl.com"> </kwrule> <kwrule domain="amazon.ca"> </kwrule> <kwrule domain="amazon.co.uk"> </kwrule> <kwrule domain="amazon.com"> </kwrule> <kwrule domain="amazon.de"> </kwrule> <kwrule domain="amazon.fr"> </kwrule> <kwrule domain="americanexpress.com"> </kwrule> <kwrule domain="americangreetings.com"> </kwrule> <kwrule domain="americansingles.com"> </kwrule> <kwrule domain="americawest.com"> </kwrule> <kwrule domain="amtrak.com"> </kwrule> <kwrule domain="aol.com"> </kwrule> <kwrule domain="aolmnreg.musicnetBJ </kwrule> <kwrule domain="appdecision.com"> </kwrule> <kwrule domain="apple.com"> </kwrule> <kwrule domain="apprisal.com"> </kwrule> <kwrule domain="aptecha.com"> </kwrule> <kwrule domain="arcamax.com"> </kwrule> <kwrule domain="aricept.com"> </kwrule> <kwrule domain="aromat.ru"> </kwrule> <kwrule domain="ask.com"> </kwrule> <kwrule domain="att.com"> </kwrule> <kwrule domain="att.net"> </kwrule> <kwrule domain="attws.com"> </kwrule> <kwrule domain="atyouroffice.com"> </kwrule> <kwrule domain="auctions.yahoo.com"> </kwrule> </kwrule> <kwrule domain="audiusa.com"> </kwrule> <kwrule domain="auroracar.com"> </kwrule> <kwrule domain="autobuyingusa.com"> </kwrule> <kwrule domain="autobytel.com"> </kwrule> <kwrule domain="automobiles.com"> </kwrule> <kwrule domain="autoweb.com"> </kwrule> <kwrule domain="avandia.diabeteslife.com"> </kwrule> <kwrule domain="avis.com"> </kwrule> <kwrule domain="awcv.com"> </kwrule> <kwrule domain="banamex.com"> </kwrule> <kwrule domain="banamex.com.mx"> </kwrule> <kwrule domain="bancomer.com.mx"> </kwrule> <kwrule domain="bankofamerica.com"> </kwrule> <kwrule domain="banorte.com"> </kwrule> <kwrule domain="barnesandnoble.com"> </kwrule> <kwrule domain="bcentral.com"> </kwrule> <kwrule domain="bedbathandbeyond.com"> </kwrule> <kwrule domain="belk.com"> </kwrule> <kwrule domain="belltronix.com"> </kwrule> <kwrule domain="bestbuy.com"> 
</kwrule> <kwrule domain="bestcruisebuy.com"> </kwrule> <kwrule domain="bestwestern.com"> </kwrule> <kwrule domain="bhg.com"> </kwrule> <kwrule domain="bigstar.com"> </kwrule> <kwrule domain="blackplanet.com"> </kwrule> <kwrule domain="bmwusa.com"> </kwrule> <kwrule domain="bobbibrowncosmetics.com"> </kwrule> <kwrule domain="bookcloseouts.com"> </kwrule> <kwrule domain="books.ru"> </kwrule> <kwrule domain="borderrx.com"> </kwrule> <kwrule domain="bpc2001.org"> </kwrule> <kwrule domain="bravada.com"> </kwrule> <kwrule domain="briefcase.yahoo.com"> </kwrule> <kwrule domain="britishairways.com"> </kwrule> <kwrule domain="broderbund.com"> </kwrule> <kwrule domain="brylanehome.com"> </kwrule> <kwrule domain="bugsmusic.co.kr"> </kwrule> <kwrule domain="buick.com"> </kwrule> <kwrule domain="buildyourjaguar.com"> </kwrule> <kwrule domain="burnadisc.com"> </kwrule> <kwrule domain="buy.com"> </kwrule> <kwrule domain="buychal.com"> </kwrule> <kwrule domain="buyerconnection.com"> </kwrule> <kwrule domain="buylowdrugs.com"> </kwrule> <kwrule domain="c1hrapps.com"> </kwrule> <kwrule domain="cadillac.com"> </kwrule> <kwrule domBJ <kwrule domain="canada-drugs-online.com"> </kwrule> <kwrule domain="canada-pharmacy.com"> </kwrule> <kwrule domain="canadadirectdrugs.com"> </kwrule> <kwrule domain="canadadiscountrx.com"> </kwrule> <kwrule domain="canadadrugco.com"> </kwrule> <kwrule domain="canadadrugs.com"> </kwrule> <kwrule domain="canadafamilymeds.com"> </kwrule> <kwrule domain="canadamed.com"> </kwrule> <kwrule domain="canadamedexpress.com"> </kwrule> <kwrule domain="canadamedicinecompany.com"> </kwrule> <kwrule domain="canadameds.com"> </kwrule> <kwrule domain="canadamedshop.com"> </kwrule> <kwrule domain="canadapaylessrx.com"> </kwrule> <kwrule domain="canadapharmacy.com"> </kwrule> <kwrule domain="canadarx.com"> </kwrule> <kwrule domain="canadarx.net"> </kwrule> <kwrule domain="canadarxconnection.com"> </kwrule> <kwrule domain="canadarxfree.com"> </kwrule> <kwrule 
domain="canadatrustrx.com"> </kwrule> <kwrule domain="cBJ </kwrule> <kwrule domain="canadiandrugs.ca"> </kwrule> <kwrule domain="canadiandrugstore.com"> </kwrule> <kwrule domain="canadianmed.com"> </kwrule> <kwrule domain="canadianmedco.com"> </kwrule> <kwrule domain="canadianmeds.com"> </kwrule> <kwrule domain="canadianmedsonline.com"> </kwrule> <kwrule domain="canadianmedsusa.com"> </kwrule> <kwrule domain="canadianpharm.com"> </kwrule> <kwrule domain="canadianpharmacylink.com"> </kwrule> <kwrule domain="canadianpharmacynetwork.com"> </kwrule> <kwrule domain="canadianprescriptionsavers.com"> </kwrule> <kwrule domain="canadianrxplus.com"> </kwrule> <kwrule domain="canammeds.com"> </kwrule> <kwrule domain="cancer.org"> </kwrule> <kwrule domain="candrugstore.com"> </kwrule> <kwrule domain="canpd.com"> </kwrule> <kwrule domain="canusarx.com"> </kwrule> <kwrule domain="capitalone.com"> </kwrule> <kwrule domain="capitolhummer.com"> </kwrule> <kwrule domain="cardinalscriptnet.com"> </kwrule> <kwrule domain="carguides.autotrader.com"> </kwrule> <kwrule domain="carmax.com"> </kwrule> <kwrule domain="carnival.com"> </kwrule> <kwrule domain="carpoint.msn.com"> </kwrule> <kwrule domain="carprices.com"> </kwrule> <kwrule domain="carrefour.com"> </kwrule> <kwrule domain="carsdirect.com"> </kwrule> <kwrule domain="casesladder.com"> </kwrule> <kwrule domain="ccbparis.fr"> </kwrule> <kwrule domain="cdc.gov"> </kwrule> <kwrule domain="cdiscount.com"> </kwrule> <kwrule domain="cdpoint.com.br"> </kwrule> <kwrule domain="cduniverse.com"> </kwrule> <kwrule domain="cdw.com"> </kwrule> <kwrule domain="cecile.co.jp"> </kwrule> <kwrule domain="cheaptickets.com"> </kwrule> <kwrule domain="chevrolet.com"> </kwrule> <kwrule domain="choicehotels.com"> </kwrule> <kwrule domain="chollian.net"> </kwrule> <kwrule domain="chrysler.com"> </kwrule> <kwrule domain="cialis.com"> </kwrule> <kwrule domain="circuitcity.com"> </kwrule> <kwrule domain="citibank.com"> </kwrule> <kwrule 
domain="citibankonline.com"> </kwrule> <kwrule domain="citicards.com"> </kwrule> <kwrule domain="clarinex.com"> </kwrule> <kwrule domain="claritas.com"> </kwrule> <kwrule domain="claritin.com"> </kwrule> <kwrule domain="classifieds2000.com"> </kwrule> <kwrule domain="classmates.com"> </kwrule> <kwrule domain="clinique.com"> </kwrule> <kwrule domain="clubsoriana.com"> </kwrule> <kwrule domain="cnet.search.com"> </kwrule> <kwrule domain="cnn.com"> </kwrule> <kwrule domain="coastalmeds.com"> </kwrule> <kwrule domain="combivent.com"> </kwrule> <kwrule domain="compaq.com"> </kwrule> <kwrule domain="compete.com"> </kwrule> <kwrule domain="compusa.com"> </kwrule> <kwrule domain="computershop.ru"> </kwrule> <kwrule domain="continental.com"> </kwrule> <kwrule domain="cooltravelassistant.com"> </kwrule> <kwrule domain="countryinns.com"> </kwrule> <kwrule domain="creditcardsatchase.com"> </kwrule> <kwrule domain="crossborderpharmacy.com"> </kwrule> <kwrule domain="cunard.com"> </kwrule> <kwrule domain="currys.co.uk"> </kwrule> <kwrule domain="cwsubscribe.com"> </kwrule> <kwrule domain="darty.fr"> </kwrule> <kwrule domain="date.com"> </kwrule> <kwrule domain="dealernet.com"> </kwrule> <kwrule domain="dealine.ru"> </kwrule> <kwrule domain="deandeluca.com"> </kwrule> <kwrule domain="delias.com"> </kwrule> <kwrule domain="depo.ru"> </kwrule> <kwrule domain="designyourvolvo.com"> </kwrule> <kwrule domain="dhl-usa.com"> </kwrule> <kwrule domain="digita.ru"> </kwrule> <kwrule domain="digitalhealthcare.com"> </kwrule> <kwrule domaBJ </kwrule> <kwrule domain="discountdrugsofcanada.com"> </kwrule> <kwrule domain="disney.com"> </kwrule> <kwrule domain="dixons.co.uk"> </kwrule> <kwrule domain="dixons.com"> </kwrule> <kwrule domain="doctorsolve.com"> </kwrule> <kwrule domain="dodge.com"> </kwrule> <kwrule domain="dogpile.com"> </kwrule> <kwrule domain="dollar.com"> </kwrule> <kwrule domain="domestications.com"> </kwrule> <kwrule domain="dotcomadvisors.com"> </kwrule> <kwrule 
domain="download.com.com"> </kwrule> <kwrule domain="dreammates.com"> </kwrule> <kwrule domain="drf.com"> </kwrule> <kwrule domain="drkoop.com"> </kwrule> <kwrule domain="drugstore.com"> </kwrule> <kwrule domain="e-port.ru"> </kwrule> <kwrule domain="ea.com"> </kwrule> <kwrule domain="eacura.com"> </kwrule> <kwrule domain="eagames.com"> </kwrule> <kwrule domain="earthlink.net"> </kwrule> <kwrule domain="ebay.co.uk"> </kwrule> <kwrule domain="ebay.com"> </kwrule> <kwrule domain="ebay.de"> </kwrule> <kwrule domain="ebay.fr"> </kwrule> <kwrule domain="ec-box.com.pe"> </kwrule> <kwrule domain="efax.com"> </kwrule> <kwrule domain="eflorist.com"> </kwrule> <kwrule domain="eharmony.com"> </kwrule> <kwrule domain="ehonda.com"> </kwrule> <kwrule domain="emedscanada.com"> </kwrule> <kwrule domain="emusic.com"> </kwrule> <kwrule domain="enterprise.com"> </kwrule> <kwrule domain="epanel.marketfacts.com"> </kwrule> <kwrule domain="epanel.synovate.net"> </kwrule> <kwrule domain="epoll.com"> </kwrule> <kwrule domain="eratings.com"> </kwrule> <kwrule domain="esteelauder.com"> </kwrule> <kwrule domain="estyle.com"> </kwrule> <kwrule domain="esurance.com"> </kwrule> <kwrule domain="etrends.net"> </kwrule> <kwrule domain="everydaykidz.com"> </kwrule> <kwrule domain="excite.com"> </kwrule> <kwrule domain="expedia.ca"> </kwrule> <kwrule domain="expedia.co.uk"> </kwrule> <kwrule domain="expedia.com"> </kwrule> <kwrule domain="expedia.fr"> </kwrule> <kwrule domain="famsa.com"> </kwrule> <kwrule domain="fast-discount-drugs.com"> </kwrule> <kwrule domain="fedex.com"> </kwrule> <kwrule domain="feelbest.com"> </kwrule> <kwrule domain="firstgov.gov"> </kwrule> <kwrule domain="firstusa.com"> </kwrule> <kwrule domain="fivestardealers.com"> </kwrule> <kwrule domain="fleet.com"> </kwrule> <kwrule domain="flowerclub.com"> </kwrule> <kwrule domain="fogdog.com"> </kwrule> <kwrule domain="forddirect.com"> </kwrule> <kwrule domain="fordvehicles.com"> </kwrule> <kwrule domain="fossil.com"> </kwrule> 
<kwrule domain="freshcartons-store.com"> </kwrule> <kwrule domain="ftd.com"> </kwrule> <kwrule domain="fullaudio.com"> </kwrule> <kwrule domain="gamefly.com"> </kwrule> <kwrule domain="gamehouse.com"> </kwrule> <kwrule domain="games.yahoo.com"> </kwrule> <kwrule domain="gamespot.com"> </kwrule> <kwrule domain="gamespy.com"> </kwrule> <kwrule domain="gamespyid.com"> </kwrule> </kwrule> <kwrule domain="gazoo.com"> </kwrule> <kwrule domain="geappliances.com"> </kwrule> <kwrule domain="getfreemeds.com"> </kwrule> <kwrule domain="getmycigs-store.com"> </kwrule> <kwrule domain="getmycigs.com"> </kwrule> <kwrule domain="getsmart.com"> </kwrule> <kwrule domain="globaltestmarket.com"> </kwrule> <kwrule domain="gloss.com"> </kwrule> <kwrule domain="gm.com"> </kwrule> <kwrule domain="gmac-fintoolssaturn.com"> </kwrule> <kwrule domain="gmacfinancial.com"> </kwrule> <kwrule domain="gmacfinancialtools.com"> </kwrule> <kwrule domain="gmautobuilder.com"> </kwrule> <kwrule domain="gmbuypower.com"> </kwrule> <kwrule domain="gmc.com"> </kwrule> <kwrule domain="gmev.com"> </kwrule> <kwrule domain="gmnao.com"> </kwrule> <kwrule domain="go.com"> </kwrule> <kwrule domain="goantique.com"> </kwrule> <kwrule domain="goarmy.com"> </kwrule> <kwrule domain="goestoeleven.com"> </kwrule> <kwrule domain="google.com"> </kwrule> <kwrule domain="governmentguide.com"> </kwrule> <kwrule domain="gpoaccess.gov"> </kwrule> <kwrule domain="grisoft.com"> </kwrule> <kwrule domain="groceryonline.com"> </kwrule> <kwrule domain="groceryworks2.com"> </kwrule> <kwrule domain="gsa.gov"> </kwrule> <kwrule domain="halfoffmeds.com"> </kwrule> <kwrule domain="hanBJ </kwrule> <kwrule domain="harrispollonline.com"> </kwrule> <kwrule domain="hbcard.com"> </kwrule> <kwrule domain="hcsapplication.com"> </kwrule> <kwrule domain="health.gov"> </kwrule> <kwrule domain="healthmeds.com"> </kwrule> <kwrule domain="hi-fi.ru"> </kwrule> <kwrule domain="hillhill.com"> </kwrule> <kwrule domain="hilton.com"> </kwrule> <kwrule 
domain="homedepot.com"> </kwrule> <kwrule domain="homegrocer.com"> </kwrule> <kwrule domain="homeruns.com"> </kwrule> <kwrule domain="hometownmeds.com"> </kwrule> <kwrule domain="honda2001.com"> </kwrule> <kwrule domain="hondacars.com"> </kwrule> <kwrule domain="hp.com"> </kwrule> <kwrule domain="hsn.com"> </kwrule> <kwrule domain="hummer.com"> </kwruleBJ <kwrule domain="i.mb00.net"> </kwrule> <kwrule domain="ibreathe.com"> </kwrule> <kwrule domain="ibs.co.za"> </kwrule> <kwrule domain="icruise.com"> </kwrule> <kwrule domain="igl.net"> </kwrule> <kwrule domain="ign.com"> </kwrule> <kwrule domain="imagestation.com"> </kwrule> <kwrule domain="impactrx.com"> </kwrule> <kwrule domain="infiniti.com"> </kwrule> <kwrule domain="insightexpress.com"> </kwrule> <kwrule domain="interpark.com"> </kwrule> <kwrule domain="intriguecar.com"> </kwrule> <kwrule domain="isuzu.com"> </kwrule> <kwrule domain="itn.net"> </kwrule> <kwrule domain="iwon.com"BJ </kwrule> <kwrule domain="jaguar.com"> </kwrule> <kwrule domain="jcrew.com"> </kwrule> <kwrule domain="jeep.com"> </kwrule> <kwrule domain="jeepunpaved.com"> </kwrule> <kwrule domain="jetblueairways.com"> </kwrule> <kwrule domain="jjill.com"> </kwrule> <kwrule domain="kazaaplus.com"> </kwrule> <kwrule domain="kelleybluebook.com"> </kwrule> <kwrule domain="kffl.com"> </kwrule> <kwrule domain="kiplinger.com"> </kwrule> <kwrule domain="kiss.com"> </kwrule> <kwrule domain="komus.ru"> </kwrule> <kwrule domain="koshelek.ru"> </kwrule> <kwrule domain="lancome.com"> </kwrule> <kwrule domain="landrover.com"> </kwrule> <kwrule domain="landsend.com"> </kwrule> <kwrule domain="launch.com"> </kwrule> <kwrule domain="lavalife.com"> </kwrule> <kwrule domain="lepharmacy.com"> </kwrule> <kwrule domain="levitra.com"> </kwrule> <kwrule domain="lexis.com"> </kwrule> <kwrule domain="lexus.com"> </kwrule> <kwrule domain="lgeshop.com"> </kwrule> <kwrule domain="lightspeedpanel.com"> </kwrule> <kwrule domain="lincolnvehicles.com"> </kwrule> <kwrule 
domain="looksmart.com"> </kwrule> <kwrule domain="lotte.com"> </kwrule> <kwrule domain="love.aol.com"> </kwrule> <kwrule domain="lowcostcanadianrx.com"> </kwrule> <kwrule domain="lowestfare.com"> </kwrule> <kwrule domain="lowestpriceprescriptiondrugs.com"> </kwrule> <kwrule domain="lycos.com"> </kwrule> <kwrule domain="maccosmetics.com"> </kwrule> <kwrule domain="macys.com"> </kwrule> <kwrule domain="magazine-rack.com"> </kwrule> <kwrule domain="mags4sale.com"> </kwrule> <kwrule domain="magzi.com"> </kwrule> <kwrule domain="mail.com"> </kwrule> <kwrule domain="mapleleafmeds.com"> </kwrule> <kwrule domain="mapleleafpharmacy.com"> </kwrule> <kwrule domain="marines.com"> </kwrule> <kwrule domain="marketrx.com"> </kwrule> <kwrule domain="match.com"> </kwrule> <kwrule domain="matchmaker.com"> </kwrule> <kwrule domain="mazdausa.com"> </kwrule> <kwrule domain="mb00.net"> </kwrule> <kwrule domain="mbcc.com"> </kwrule> <kwrule domain="mbna.com"> </kwrule> <kwrule domain="mbusa.com"> </kwrule> <kwrule domain="mcafee.com"> </kwrule> <kwrule domain="mcafeestore.com"> </kwrule> <kwrule domain="mciworldcom.com"> </kwrule> <kwrule domain="mcknights-canadian-pharmacies.com"> </kwrule> <kwrule domain="medcentercanada.com"> </kwrule> <kwrule domain="medicaled.com"> </kwrule> <kwrule domain="medications4less.com"> </kwrule> <kwrule domain="medoutletcanada.com"> </kwrule> <kwrule domain="medscape.com"> </kwrule> <kwrule domain="medsforless.com"> </kwrule> <kwrule domain="mercuryvehiclBJ </kwrule> <kwrule domain="metability.com"> </kwrule> <kwrule domain="mexicana.com"> </kwrule> <kwrule domain="miniclip.com"> </kwrule> <kwrule domain="miniusa.com"> </kwrule> <kwrule domain="mintopharmacy.com"> </kwrule> <kwrule domain="misssmneds.com"> </kwrule> <kwrule domain="mitsubishicars.com"> </kwrule> <kwrule domain="mitsubishimotors.com"> </kwrule> <kwrule domain="mondera.com"> </kwrule> <kwrule domain="movieflix.com"> </kwrule> <kwrule domain="movietickets.com"> </kwrule> <kwrule 
domain="mp3.com"> </kwrule> <kwrule domain="mstrav.com"> </kwrule> </kwrule> <kwrule domain="musica.co.za"> </kwrule> <kwrule domain="musicandfilm.fr"> </kwrule> <kwrule domain="musictoday.com"> </kwrule> <kwrule domain="mvideo.ru"> </kwrule> <kwrule domain="my-drugs.ca"> </kwrule> <kwrule domain="my-metrix.com"> </kwrule> <kwrule domain="myciti.com"> </kwrule> <kwrule domain="mydrugrep.com"> </kwrule> <kwrule domain="mydrugscanada.com"> </kwrule> <kwrule domain="myhomekey.com"> </kwrule> <kwrule domain="mypoints.com"> </kwrule> <kwrule domain="myprescription.com"> </kwrule> <kwrule domain="myrxforless.com"> </kwrule> <kwrule domain="mysearch.com"> </kwrule> <kwrule domain="myway.com"> </kwrule> <kwrule domain="napster.com"> </kwrule> <kwrule domain="nasacort.com"> </kwruleBJ <kwrule domain="nashdrugs.com"> </kwrule> <kwrule domain="nationalcar.com"> </kwrule> <kwrule domain="nationwide.com"> </kwrule> <kwrule domain="navy.com"> </kwrule> <kwrule domain="nba.com"> </kwrule> <kwrule domain="neckerman..de"> </kwrule> <kwrule domain="neckermann.de"> </kwrule> <kwrule domain="neckermann.fr"> </kwrule> <kwrule domain="netflix.com"> </kwrule> <kwrule domain="netgrocer.com"> </kwrule> <kwrule domain="netprice.co.jp"> </kwrule> <kwrule domain="netratings.com"> </kwrule> <kwrule domain="netscape.com"> </kwrule> </kwrule> <kwrule domain="nielsennetpanel.com"> </kwrule> <kwrule domain="nissandealer.com"> </kwrule> <kwrule domain="nissandriven.com"> </kwrule> <kwrule domain="nordstrom.com"> </kwrule> <kwrule domain="northamericandiscountdrugs.com"> </kwrule> <kwrule domain="northcountryrx.com"> </kwrule> <kwrule domain="northernlight.com"> </kwrule> <kwrule domain="northernmeds.com"> </kwrule> <kwrule domain="novuslink.net"> </kwrule> <kwrule domain="novusnet.com"> </kwrule> <kwrule domain="npdfashionworld.com"> </kwrule> <kwrule domain="npdfoodworld.com"> </kwrule> <kwrule domain="npdfunworld.com"> </kwrule> <kwrule domain="npdhouseworld.com"> </kwrule> <kwrule 
domain="npdtechworld.com"> </kwrule> <kwrule domain="nytimes.com"> </kwrule> <kwrule domain="ofoto.com"> </kwrule> <kwrule domain="ojibwas.com"> </kwrule> <kwruleBJ </kwrule> <kwrule domain="omarproductions.com"> </kwrule> <kwrule domain="onetravel.com"> </kwrule> <kwrule domain="onlineauto.com"> </kwrule> <kwrule domain="onlinecanadiandrugstore.com"> </kwrule> <kwrule domain="onlinecanadianpharmacy.com"> </kwrule> <kwrule domain="onlinepharmaciescanada.com"> </kwrule> <kwrule domain="onlinepills.com"> </kwrule> <kwrule domain="opmconcerts.com"> </kwrule> <kwrule domain="orbitz.com"> </kwrule> <kwrule domain="orientlines.com"> </kwrule> <kwrule domain="origins.com"> </kwrule> <kwrule domain="otto.de"> </kwrule> <kwrule domain="otto.ru"> </kwrule> <kwrule domain="ourhouse.com"> </kwrule> <kwrule domain="overture.com"> </kwrule> <kwrule domain="ozon.ru"> </kwrule> <kwrule domain="pacificpharmacy.ca"> </kwrule> <kwrule domain="pacificpharmacy.com"> </kwrule> <kwrule domain="pampers.com"> </kwrule> <kwrule domain="pandasoftware.com"> </kwrule> <kwrule domain="partonline.net"> </kwrule> <kwrule domain="patagonia.com"> </kwrule> <kwrule domain="patanol.com"> </kwrule> <kwrule domain="paxil.com"> </kwrule> <kwrule domain="paylessmeds.com"> </kwrule> <kwrule domain="pchome.ru"> </kwrule> <kwrule domain="pcshopper.ru"> </kwrule> <kwrule domain="pcworld.co.uk"> </kwrule> <kwrule domain="peapod.com"> </kwrule> <kwrule domain="pegsinc.com"> </kwrule> <kwrule domain="perfumes.com"> </kwrule> <kwrule domain="personals.yahoo.com"> </kwrule> <kwrule domain="petfooddirect.com"> </kwrule> <kwrule domain="pharmacists.ca"> </kwrule> <kwrule domain="pharmacy-online.ca"> </kwrule> <kwrule domain="pharmacy.ca"> </kwrule> <kwrule domain="pharmacy2u.co.uk"> </kwrule> <kwrule domain="pharmacyonthenet.com"> </kwrule> <kwrule domain="pharmacyway.com"> </kwrule> <kwrule domain="pharmasave.com"> </kwrule> <kwrule domain="photos.msn.com"> </kwrule> <kwrule domain="photos.yahoo.com"> </kwrule> 
<kwrule domain="physiciansinteractive.com"> </kwrule> <kwrule domain="pineconeresearch.com"> </kwrule> <kwrule BJ </kwrule> <kwrule domain="platinum.yahoo.com"> </kwrule> <kwrule domain="playboy.com"> </kwrule> <kwrule domain="plurimus.com"> </kwrule> <kwrule domain="pmeds.com"> </kwrule> <kwrule domain="pogo.com"> </kwrule> <kwrule domain="polishop.com.br"> </kwrule> <kwrule domain="pontiac.com"> </kwrule> <kwrule domain="porta.ru"> </kwrule> <kwrule domain="pozzistore.com"> </kwrule> <kwrule domain="precisionrx-online.com"> </kwrule> <kwrule domain="prescripnet.com"> </kwrule> <kwrule domain="prescriptionbymailcanada.com"> </kwrule> <kwrule domain="pressplay.com"> </kwrule> <kwrule domain="priceline.com"> </kwrule> <kwrule domain="pricesearchcanada.com"> kwrule> <kwrule domain="proflowers.com"> </kwrule> <kwrule domain="programhq.com"> </kwrule> <kwrule domain="purolator.com"> </kwrule> <kwrule domain="q-metrix.net"> </kwrule> <kwrule domain="qpass.com"> </kwrule> <kwrule domain="qualityprescriptiondrugs.com"> </kwrule> <kwrule domain="questsavers.com"> </kwrule> <kwrule domain="queue-redoctane.com"> </kwrule> <kwrule domain="quikbook.com"> </kwrule> <kwrule domain="qvcuk.com"> </kwrule> <kwrule domain="qwest.com"> </kwrule> <kwrule domain="rakuten.co.jp"> </kwrule> <kwrule domain="ramada.com"> </kwrule> <kwrule domain="ramadahotels.com"> </kwrule> <kwrule domain="rattanmargarita.com"> </kwrule> kwrule domain="rccl.com"> </kwrule> <kwrule domain="real.com"> </kwrule> <kwrule domain="realfastdrugstore.com"> </kwrule> <kwrule domain="realresidentmd.com"> </kwrule> <kwrule domain="redbanorte.com.mx"> </kwrule> <kwrule domain="redoctane.com"> </kwrule> <kwrule domain="reflect.com"> </kwrule> <kwrule domain="renaissancehotels.com"> </kwrule> <kwrule domain="renecd.com"> </kwrule> <kwrule domain="retailerconnection.com"> </kwrule> <kwrule domain="revolvolution.com"> </kwrule> <kwrule domain="rezmd.com"> </kwrule> <kwrule domain="rhinosenetwork.com"> </kwrule> <kwrule 
domain="rightstart.com"> </kwrule> <kwrule domain="ripley.cl"> </kwrule> <kwrule domain="rivals.com"> </kwrule> <kwrule domain="rivercitymeds.com"> </kwrule> <kwrule domain="rmi.yahoo.com"> </kwrule> <kwrule domain="royalcanadianmeds.com"> </kwrule> <kwrule domain="rumo.com.br"> </kwrule> <kwrule domain="rx-canada.com"> </kwrule> <kwrule domain="rx1.biz"> </kwrule> <kwrule domain="rx4us.com"> </kwrule> <kwrule domain="rxcanada4less.com"> </kwrule> <kwrule domain="rxcanadapharmacy.com"> </kwrule> <kwrule domain="rxcarecanada.com"> </kwrule> <kwrule domain="rxcentric.com"> </kwrule> <kwrule domain="rxBJ </kwrule> <kwrule domain="rxnorth.com"> </kwrule> <kwrule domain="saab.com"> </kwrule> <kwrule domain="saabfinancial.com"> </kwrule> <kwrule domain="saabusa-piv.com"> </kwrule> <kwrule domain="saabusa.com"> </kwrule> <kwrule domain="saferpay.com"> </kwrule> <kwrule domain="safeway.com"> </kwrule> <kwrule domain="salon.com"> </kwrule> <kwrule domain="saturnbp.com"> </kwrule> <kwrule domain="saveoncanadianmeds.com"> </kwrule> <kwrule domain="search.com"> </kwrule> <kwrule domain="search.msn.com"> </kwrule> <kwrule domain="search.yahoo.com"> </kwrule> <kwrule domain="secure-sephora.com"> </kwrule> <kwrule domain="selfcare.com"> </kwrule> <kwrule domain="sendflowers.ru"> </kwrule> <kwrule domain="senecas.com"> </kwrule> <kwrule domain="sephora.com"> </kwrule> <kwrule domain="sholay.com"> </kwrule> <kwrule domain="shopattwireless.com"> </kwrule> <kwrule domain="shoplink.com"> </kwrule> <kwrule domain="shoppersdrugmart.ca"> </kwrule> <kwrule domain="shopping.com"> </kwrule> <kwrule domain="shopping.yahoo.com"> </kwrule> <kwrule domain="shutterfly.com"> </kwrule> <kwrule domain="sikids.com"> </kwrule> <kwrule domain="silhouettevan.com"> </kwrule> <kwrule domain="simplexity.com"> </kwrule> <kwrule domain="sips-atos.com"> </kwrule> <kwrule domain="smartchoicepharmacy.com"> </kwrule> <kwrule domain="snapfish.com"> </kwrule>BJ <kwrule domain="softkey.ru"> </kwrule> <kwrule 
domain="southwest.com"> </kwrule> <kwrule domain="sparks.com"> </kwrule> <kwrule domain="spiegel.com"> </kwrule> <kwrule domain="sprint.com"> </kwrule> <kwrule domain="stoneage.com"> </kwrule> <kwrule domain="store.law.com"> </kwrule> <kwrule domain="store.yahoo.com"> </kwrule> <kwrule domain="storm.ca"> </kwrule> <kwrule domain="suitesmart.com"> </kwrule> <kwrule domain="sundial.com"> </kwrule> <kwrule domain="superama.com.mx"> </kwrule> <kwrule domain="surcouf.com"> </kwrule> <kwrule domain="survey.greenfieldonline.com"> </kwrule> <kwrule domain="survey.mysurvey.com"> </kwrule> <kwrule domain="survey2.greenfieldonline.com"> </kwrule> <kwrule domain="surveynetworks.com"> </kwrule> <kwrule domain="surveys.com"> </kwrule> <kwrule domain="surveysavvy.com"> </kwrule> <kwrule domain="surveyscout.com"> </kwrule> <kwrule domain="surveyspot.com"> </kwrule> <kwrule domain="symantec.com"> </kwrule> <kwrule domain="target.com"> </kwrule> <kwrule domain="targetrx.com"> </kwrule> <kwrule domain="taxcut.com"> </kwrule> <kwrule domain="tc-pharmacy.com"> </kwrule> <kwrule domain="teamdrugs.com"> </kwrule> <kwrule domain="telefonicashop.com.ar"> </kwrule> <kwrule domain="tematika.com.ar"> </kwrule> <kwrule domain="terra.com"> </kwrule> <kwrule domain="tesco.com"> </kwrule> <kwrule domain="thecanadiandrugs4less.com"> </kwrule> <kwrule domain="thecanadiandrugstore.com"> </kwrule> <kwrule domain="thehealthchannel.com"> </kwrule> <kwrule domain="thrifty.com"> </kwrule> <kwrule domain="ticketlink.co.kr"> </kwrule> <kwrule domain="ticketmaster.com"> </kwrule> <kwrule domain="tickets.com"> </kwrule> <kwrule domain="tix.com.br"> </kwrule> <kwrule domain="towerrecords.com"> </kwrule> <kwrule domain="toyota.com"> </kwrule> <kwrule domain="toyotafinancial.com"> </kwrule> <kwrule domain="toysrus.com"> </kwrule> <kwrule domain="travelocity.com"> </kwrule> <kwrule domain="trip.com"> </kwrule> <kwrule domain="true.com"> </kwrule> <kwrule domain="trustedcanadianpharmacy.com"> </kwrule> <kwrule 
domain="ual.com"> </kwrule> <kwrule domain="ucra-tx.org"> </kwrule> <kwrule domain="universaldrugstore.com"> </kwrule> <kwrule domain="ups.com"> </kwrule> <kwrule domain="usairways.com"> </kwrule> <kwrule domain="usbancorp.com"> </kwrule> <kwrule domain="uscg.mil"> </kwrule> <kwrule domain="uscgangel.net"> </kwrule> <kwrule domain="usmint.gov"> </kwrule> <kwrule domain="usnews.com"> </kwrule> <kwrule domain="usps.com"> </kwrule> <kwrule domain="ussearch.com"> </kwrule> <kwrule domain="vehix.com"> </kwrule> <kwrule domain="viagra-canada.net"> </kwrule> <kwrule domain="viagra.com"> </kwrule> <kwrule domain="victoriassecret.com"> </kwrule> <kwrule domain="vikingop.com"> </kwrule> <kwrule domain="virgindigital.com"> </kwrule> <kwrule domain="vitaminshoppe.com"> </kwrule> <kwrule domain="volvocars.com"> </kwrule> <kwrule domain="volvofinance.com"> </kwrule> <kwrule domain="vw.com"> </kwrule> <kwrule domain="walmart.com"> </kwrule> <kwrule domain="washingtonpost.com"> </kwrule> <kwrule domain="weather.com"> </kwrule> <kwrule domain="weatherbug.com"> </kwrule> <kwrule domain="webcarbook.com"> </kwrule> <kwrule domain="webmd.com"> </kwrule> <kwrule domain="webshots.com"> </kwrule> <kwrule domain="webvan.com"> </kwrule> <kwrule domain="weddingchannel.com"> </kwrule> <kwrule domain="weightwatchers.com"> </kwrule> <kwrule domain="wellsfargo.com"> </kwrule> <kwrule domain="winamp.com"> </kwrule> <kwrule domain="windstarcruises.com"> </kwrule> <kwrule domain="worldcom.com"> </kwrule> <kwrule domain="worlddrugmart.com"> </kwrule> <kwrule domain="worldexpressrx.com"> </kwrule> <kwrule domain="worldres.com"> </kwrule> <kwrule domain="worri.com"> </kwrule> <kwrule domain="ws1.giantfood.com"> </kwrule> <kwrule domain="wsj.com"> </kwrule> <kwrule domain="wwte.com"> </kwrule> <kwrule domain="wwte1.com"> </kwrule> <kwrule domain="www.autotrader.com"> </kwrule> <kwrule domain="xdrive.com"> </kwrule> <kwrule domain="yahoo.com"> </kwrule> <kwrule domain="yes24.com"> </kwrule> <kwrule 
domain="yodlee.com"> </kwrule> <kwrule domain="your2cents.com"> </kwrule> <kwrule domain="yvesrocheruse.com"> </kwrule> <kwrule domain="zoladex.com"> </kwrule> <kwrule domain="zoloft.com"> </kwrule> <kwrule domain="zone.msn.com"> </kwrule> <kwrule domain="zoomerang.com"> </kwrule> <kwrule domain="ztelligence.com"> </kwrule> <kwrule domain="zyrtec.com"> </kwrule> </xml>
proxycfg.marketscore.com/oss/packetqueuerules.asp
<xml update="288">
<PQRule NetOP="15" ExeMask="*" CaptureData = "true" RemotePortMin = "554" RemotePortMax = "554"/>
<PQRule NetOP="15" ExeMask="*" CaptureData = "true" RemotePortMin = "1755" RemotePortMax = "1755"/>
<PQRule NetOP="15" ExeMask="aolmed*" CaptureData="true" RemotePortMin="5190" RemotePortMax="5190" />
<PQRule NetOP="15" ExeMask="*" CaptureData="true" RemotePortMin="7070" RemotePortMax="7070" />
</xml>
proxycfg.marketscore.com/oss/postdatarules.asp
<XML update="288">
<keyword keyword = "*soc*=*"/>
<keyword keyword = "*ss*=*"/>
<keyword keyword = "*account*=*"/>
<keyword keyword = "*user*=*"/>
<keyword keyword = "*sn*=*"/>
<keyword keyword = "*acct*=*"/>
<keyword keyword = "*client*=*"/>
<keyword keyword = "*login*=*"/>
<keyword keyword = "*num*=*"/>
<keyword keyword = "*add*=*"/>
<keyword keyword = "*stre*=*"/>
<keyword keyword = "*line*=*"/>
<keyword keyword = "*loc*=*"/>
</XML>
proxycfg.marketscore.com/oss/remoteconfig.asp
<XML update="144">
<REMOTE_CONFIG sendContentIDToServer="true" enableHTMLScanning="false" enablePopupScanning="false" filterContentID="true" enableNSCheck="false" enableCSLOAStatistics="true" enableEtrendPull="true" enableEtrendPullDebug="false" speedTestInterval="86400" enableActivity="true" enableMSN8NSCheck="true" enableBrowserMonitor="true" enableDitto="true" speedTestLFThreshold="10000" speedTestLFInterval="86400" enableRemoteTrace="false" enableBioMetricMonitor = "true" bioSignatureLength = "5"/>
</XML>
proxycfg.marketscore.com/oss/routerules2.asp?NoRoute=1<XML> <DOM value="*.testnoroute.com" addHeader="true" /> <DOM value="*.netsetter.com" addHeader="true" /> <DOM value="*.marketscore.com" addHeader="true" /> <DOM value="*.jdcouncil.org" addHeader="true" /> <DOM value="*.opinionsquare.com" addHeader="true" /> <DOM value="*.e-trends.com" addHeader="true" /> <DOM value="*.voicefive.com" /> <IPRANGE value="10.0.0.0/8" protocol="HTTP|HTTPS"/> <IPRANGE value="127.0.0.0/8" protocol="HTTP|HTTPS" /> <IPRANGE value="172.16.0.0/12" protocol="HTTP|HTTPS"/> <IPRANGE value="192.168.0.0/16" protocol="HTTP|HTTPS"/> <IPRANGE value="66.119.41.0/25" protocol="HTTPS"/> <IPRANGE value="66.119.41.128/25" protocol="HTTPS"/> <IPRANGE value="64.154.80.44/27" protocol="HTTPS"/> <IPRANGE value="64.154.81.223/32" protocol="HTTPS"/> <IPRANGE value="205.188.146.146/0" protocol="HTTPS"/> <IPRANGE value="63.165.133.0/26" protocol="HTTPS"/> <IPRANGE value="63.113.210.0/26" protocol="HTTPS"/> <IPRANGE value="209.167.19.51/26" protocol="HTTPS"/> <IPRANGE value= "216.235.81.0/24" protocol="LIVE365"/> <XPF value="*.aol.com"/> <XPF value="*.compuserve.com"/> <XPF value="aol*.pogo.com"/> <XPF value="compuserve*.pogo.com"/> <XPF value="*.buzzbeamer.com"/> <XPF value="*.siforkids.com"/> <XPF value="*.cookinglight.com"/> <XPF value="*.ew.com"/> <XPF value="*.ewonline.com"/> <XPF value="*.health.com"/> <XPF value="*.healthmag.com"/> <XPF value="*.instyle.com"/> <XPF value="*.instylenetwork.com"/> <XPF value="*.parenting.com"/> <XPF value="*.babytalk.com"/> <XPF value="*.sikidstv.com"/> <XPF value="*.sikids-tv.com"/> <XPF value="*.ai-media.com"/> <XPF value="*.people.com"/> <XPF value="*.peopledaily.com"/> <XPF value="*.realsimple.com"/> <XPF value="*.sikids.com"/> <XPF value="*.southernliving.com"/> <XPF value="*.southern-living.com"/> <XPF value="*.sunset.com"/> <XPF value="*.sunsetbooks.com"/> <XPF value="*.sunsetmag.com"/> <XPF value="*.teenpeople.com"/> <XPF value="*.teenpeople-apollo.com"/> <XPF 
value="*.timeforkids.com"/> <XPF value="*.timeforaol.com"/> <XPF value="*.moviefone.com"/> <XPF value="*.aolsvc.co.uk"/> <XPF value="*.entertainmentweekly.com"/> <XPF value="*.pathfinder.com"/> <XPF value="*.westernliving.com"/> <XPF value="*.egreetings.com"/> <DOM value="*.comscore.com" /> <DOM value="*.hitbox.com" /> <DOM value="*.akamai.com" /> <DOM value="*.akamaitech.net" /> <DOM value="*.yimg.com" /> <DOM value="*.msimg.com" /> <DOM value="*.imgis.com" /> <DOM value="*.pics.ebay.com" /> <DOM value="*.g.ak.snap.com" /> <DOM value="*.passport.com" /> <DOM value="*.doubleclick.net" /> <DOM value="*.windowsupdate.microsoft.com" /> <DOM value="*.http.pager.yahoo.com" /> <DOM value="*.art.digitalcity.com" /> <DOM value="*mail.yahoo.com" /> <DOM value="*login.yahoo.com" /> <DOM value="*.msnmail.hotmail.com" /> <DOM value="*.e-trends.com" /> <DOM value="*.e-trends.net" /> <DOM value="*.google.com" /> <DOM value="*.altavista.com" /> <DOM value="*.lycos.com" /> <DOM value="*.gamespot.com" /> <DOM value="*.looksmart.com" /> <DOM value="*.monster.com" /> <DOM value="*.real.com" /> <DOM value="*.realone.com" /> <DOM value="*.atdmt.com" /> <DOM value="*.advertising.com" /> <DOM value="*.adsdk.com" /> <DOM value="*.burstnet.com" /> <DOM value="*.linkexchange.com" /> <DOM value="*.ad.contentzone.com" /> <DOM value="*.adcontent.gamespy.com" /> <DOM value="*.adforce.imgis.com" /> <DOM value="*.connect.247media.ads.link4ads.com" /> <DOM value="*.ads.gamespy.com" /> <DOM value="*.centraladmin.realmedia.com" /> <DOM value="*.commonwealth.riddler.com" /> <DOM value="*.realmedia.com" /> <DOM value="*.247media.com" /> <DOM value="*.psstt.com" /> <DOM value="*.teknosurf.com" /> <DOM value="*.valueclick.com" /> <DOM value="*.valueclick.net" /> <DOM value="*.clickagents.com" /> <DOM value="*.oas-central.com" /> <DOM value="*oas-central.investors.com" /> <DOM value="*oascentral.investors.com" /> <DOM value="*tribalfusion.com" /> <DOM value="*.global.msads.net" /> <DOM 
value="*.rubylane.com" /> <DOM value="*netmail.verizon.net" /> <DOM value="*edit.client.yahoo.com" /> <DOM value="*supportcenter.verizon.net" /> <DOM value="*aimexpress.aol.com" /> <DOM value="*.atwola.com" /> <DOM value="*.edge.ru4.com" /> <DOM value="*.content.ru4.com" /> <DOM value="motionslow.espn.go.com" /> <DOM value="*slashdot.org" /> <DOM value="*.mocda.com" /> <DOM value="*.mocda1.com" /> <DOM value="*.mocda2.com" /> <DOM value="*.mocda3.com" /> <DOM value="*.mocda4.com" /> <DOM value="*.suitesmart.com" /> <DOM value="*ne.getit4u.com" /> <DOM value="*.insightexpress.com" /> <DOM value="*img.mediaplex.com" /> <DOM value="*.raaga.com" /> <DOM value="download.microsoft.com" /> <DOM value="xpsp*.microsoft.com" /> <DOM value="codecs.microsoft.com" /> <DOM value="*.trafficmp.com" /> <DOM value="*casalemedia.com" /> <DOM value="209.132.209.28" /> <DOM value="*.bcst.*yahoo.com" /> <DOM value="*ads.addesktop.com" /> <DOM value="*sc4.maxserving.com" /> <DOM value="*.starwave.com" /> <DOM value="*c4.maxserving.com" /> <DOM value="*ads.emarketmakers.com" /> <DOM value="*66.226.0.30" /> <DOM value="*ads.addesktop.com" /> <DOM value="*frusonket.com" /> <DOM value="*fastclick.net" /> <DOM value="*adserver.com" /> <DOM value="activex.microsoft.com" /> <DOM value="*speedera.net" /> <DOM value="*pennyweb.com" /> <DOM value="*ads.addynamix.com" /> <DOM value="*ingdirect.com" /> <DOM value="*ingdirect.ca" /> <DOM value="*adrevolver.com" /> <URLFORCE value="*atdmt.com/AVE/*" /> <URLFORCE value="*atdmt.com/FUL/*" /> <EXT value="ACE" /> <EXT value="ARC" /> <EXT value="ARJ" /> <EXT value="BMP" /> <EXT value="CAB" /> <EXT value="M4P" checkAlt="true" /> <EXT value="GIF" checkAlt="true" /> <EXT value="GZ" /> <EXT value="JPEG" checkAlt="true" /> <EXT value="JPG" checkAlt="true" /> <EXT value="LZH" /> <EXT value="PDF" /> <EXT value="PNG" /> <EXT value="TAR" /> <EXT value="TGZ" /> <EXT value="VBS" /> <EXT value="ZIP" /> <EXT value="DCR" /> <EXT value="X86" /> <EXT value="FOO" /> <EXT 
value="PSF" /> <EXT value="RAD" checkAlt="true" /> <EXT value="MSI" /> <EXT value="BIN" /> <EXT value="PPT" /> <EXT value="DOC" /> <EXT value="JAR" /> <EXT value="X32" /> <EXT value="RAR"/> <EXT value="MP2" checkAlt="true" /> <EXT value="MP3" checkAlt="true" /> <EXT value="MP4" checkAlt="true" /> <EXT value="MVB" checkAlt="true" /> <EXT value="WAV" checkAlt="true" /> <EXT value="MOV" checkAlt="true" /> <EXT value="RM" checkAlt="true"/> <EXT value="WMA" checkAlt="true"/> <EXT value="WMV" checkAlt="true" /> <EXT value="OGG" checkAlt="true" /> <EXT value="AVI" checkAlt="true" /> <EXT value="RMVB" checkAlt="true" /> <EXT value="MPEG" checkAlt="true" /> <EXT value="MPG" checkAlt="true" /> <EXT value="FLAC" checkAlt="true" /> <EXT value="SHN" checkAlt="true" /> <EXT value="ASF" checkAlt="true" /> <EXT value="MAC" checkAlt="true" /> <EXT value="3GP" checkAlt="true" /> <EXT value="SMI" checkAlt="true" /> <EXT value="SMIL" checkAlt="true" /> <EXT value="RT" checkAlt="true" /> <EXT value="RP" checkAlt="true" /> <EXT value="RMS" checkAlt="true" /> <EXT value="RMJ" checkAlt="true" /> <EXT value="DIVX" checkAlt="true" /> <EXT value="SWF" checkAlt="true"/> <EXT value="SDP" checkAlt="true"/> <EXT value="SWF" checkAlt="true" /> <EXT value="NSV" checkAlt="true" /> <URLEXCLUDE value="http://*rds.yahoo.com*http://*altavista.com*"/> <URLEXCLUDE value="*/uvox?cachefile=/*" /> <URLEXCLUDE value="http://64.*/stream/*?authToken*" /> <URLFORCE value="http://www.google.com/search*" /> <URLFORCE value="http://www.google.com/url*" /> <URLFORCE value="http://www.altavista.com/web/results*" /> <URLFORCE value="http://www.looksmart.com/r_search*" /> <URLFORCE value="http://*search*.lycos.com/default*" /> <URLFORCE value="http://search.looksmart.com/p/search*" /> <EXT value="EXE" except="POST" /> </XML>
www.marketscore.com/international/ossreceive.aspx

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<title>OSSReceive</title>
<meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name=vs_defaultClientScript content="JavaScript">
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
</head>
<body MS_POSITIONING="GridLayout">
<form name="OSSReceive" method="post" action="ossreceive.aspx" id="OSSReceive">
<input type="hidden" name="__VIEWSTATE" value="dDwtNjU0MzcyMTk1Ozs+" />
</form>
</body>
</html>

www.marketscore.com/international/ossremove.aspx

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<title>OSSRemove</title>
<meta name="CODE_LANGUAGE" Content="C#">
<meta name=vs_defaultClientScript content="JavaScript">
</head>
<body>
<form name="OSSRemove" method="post" action="ossremove.aspx" id="OSSRemove">
<input type="hidden" name="__VIEWSTATE" value="dDwtNjU0MzcyMTk1Ozs+" />
</form>
</body>
</html>

www.marketscore.com/mm/getmembers.asp

False

www.marketscore.com/mm/getmembers_ms.asp

False

proxycfg.os3.marketscore.com/oss/packetqueuerules.asp

<xml update="288">
<PQRule NetOP="15" ExeMask="*" CaptureData = "true" RemotePortMin = "554" RemotePortMax = "554"/>
<PQRule NetOP="15" ExeMask="*" CaptureData = "true" RemotePortMin = "1755" RemotePortMax = "1755"/>
<PQRule NetOP="15" ExeMask="aolmed*" CaptureData="true" RemotePortMin="5190" RemotePortMax="5190" />
<PQRule NetOP="15" ExeMask="*" CaptureData="true" RemotePortMin="7070" RemotePortMax="7070" />
</xml>
Appendix B
Installed Executables and Libraries

/WINDOWS/system32/userenv.dll
/WINDOWS/system32/userinit.exe
/WINDOWS/system32/batmeter.dll
/WINDOWS/system32/actxprxy.dll
/WINDOWS/system32/adsldpc.dll
/WINDOWS/system32/advapi32.dll
/WINDOWS/system32/advpack.dll
/WINDOWS/system32/asfsipc.dll
/WINDOWS/system32/basesrv.dll
/WINDOWS/system32/hccutils.dll
/WINDOWS/system32/hkcmd.exe
/WINDOWS/system32/mksc.exe
/WINDOWS/system32/osmim.dll
/WINDOWS/system32/okshook.dll
/WINDOWS/system32/ialmdd5.dll
/WINDOWS/system32/ialmdev5.dll
/WINDOWS/system32/ialmdnt5.dll
/WINDOWS/system32/ialmrnt5.dll
/WINDOWS/system32/igfxdev.dll
/WINDOWS/system32/igfxhk.dll
/WINDOWS/system32/igfxres.dll
/WINDOWS/system32/igfxsrvc.dll
/WINDOWS/system32/igfxtray.exe
/WINDOWS/system32/silc_dll.dll
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/7LIWA5VY/dittorules[1].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/7LIWA5VY/ebaypromo[1].gif
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/7LIWA5VY/postdatarules[1].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/7LIWA5VY/rtm[1]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/routerules2[3].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/biometricrules[1].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/survey[1].asp
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/ADSAdClient31[1]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/ADSAdClient31[2]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/ADSAdClient31[3]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/CZTQ9COS/ADSAdClient31[4]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/GO94KFKH/packetqueuerules[1].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/GO94KFKH/uilogin[2].htm
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/GO94KFKH/common[1].js
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/GO94KFKH/kwrules2[1].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/GO94KFKH/ADSAdClient31[1]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/GO94KFKH/base[1].js
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/NKT7U4L6/remoteconfig[1].xml
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/NKT7U4L6/ADSAdClient31[1]
/Documents and Settings/ITSO/Local Settings/Temporary Internet Files/Content.IE5/NKT7U4L6/lvmbody[1].js
Appendix C
Installed Registry Keys

Based on analysis of the Windows Registry before and after installation of the Marketscore software, we believe the following to be a list of the keys added to the registry by the Marketscore software. This may not be an exhaustive list of all Registry keys that are added or changed due to the Marketscore software. As of this writing, analysis of the Registry was on-going.

$Local Machine$\SOFTWARE\comScore Networks, Inc.

$Local Machine$\SOFTWARE\comScore Networks, Inc.\NSInstaller
    Name: 1.00.0000 Value: Null

$Local Machine$\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58e5d5a3-4112-4e73-9c29-8f8efb70920c}
    Name: UninstallString Value: $Windows$\system32\mksc.exe -bootremove -uninst:Marketscore
    Name: DisplayName Value: Marketscore

$Local Machine$\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58e5d5a3-4112-4e73-9c29-8f8efb70920c}\Config
    Name: Run Value: $Windows$\system32\mksc.exe -boot

$Local Machine$\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58e5d5a3-4112-4e73-9c29-8f8efb70920c}\Config\OSSProxy\Settings
    Name: Name Value: x-ns1Mv1GJlYqNhF,x-ns2pb00bt09Cbf
    Name: SendContentIDToServer Value: 1
    Name: Capabilities Value: 1
    Name: ExtCapabilities Value: 1
    Name: OptionsBitmask Value: 0
    Name: RevertPath Value: $Windows$\system32\
    Name: installed Value: 12866
    Name: NextSpeedTestTime Value: 1111784806

$Local Machine$\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Name: $Windows$\system32\mksc.exe Value: $Windows$\system32\mksc.exe:*:Enabled:mksc.exe

$Current User$\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Name: $Windows$\system32\mksc.exe Value: Marketscore

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2ebfcbce-855b-4275-bb14-b1389bbb23a1}\Config\OSSProxy\Settings\NextSpeedTestTime 0x424C14FC
Appendix D
Known IP ranges for Marketscore proxies and servers

With the older versions of Marketscore, web traffic was sent through web proxies maintained by Marketscore. The newer versions of Marketscore still use a number of these IP ranges when sending and receiving data from Marketscore servers.

66.119.33.0/24
66.119.34.0/24
170.224.224.0/24
216.148.244.0/24
216.148.246.0/24
66.119.41.0/24
64.37.246.0/24
208.172.128.0/24
216.39.69.0/24

Within the ranges, a few unrelated servers have been identified. They should be excluded from any IP-based restrictions intended to impede Marketscore-related traffic.

216.39.69.77
64.37.246.17
208.172.128.222
216.39.69.76
216.148.246.172
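The following is an added example, not part of the original analysis: it turns the Appendix D ranges into the smallest set of CIDR blocks that still leaves the five unrelated servers reachable, which is the form most ACLs and firewall tables expect. The function names `effective_blocklist` and `is_blocked` are illustrative assumptions; the addresses are copied from the lists above.

```python
import ipaddress

# Ranges and exceptions copied from Appendix D of this document.
MARKETSCORE_RANGES = [
    "66.119.33.0/24", "66.119.34.0/24", "170.224.224.0/24",
    "216.148.244.0/24", "216.148.246.0/24", "66.119.41.0/24",
    "64.37.246.0/24", "208.172.128.0/24", "216.39.69.0/24",
]
UNRELATED_HOSTS = [
    "216.39.69.77", "64.37.246.17", "208.172.128.222",
    "216.39.69.76", "216.148.246.172",
]


def effective_blocklist(ranges, exclusions):
    """Return CIDR blocks covering `ranges` minus every excluded host."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    for host in exclusions:
        hole = ipaddress.ip_network(host)  # a bare address parses as a /32
        carved = []
        for net in nets:
            if hole.subnet_of(net):
                # Split the block around the hole; yields nothing when the
                # remaining block is exactly the excluded host.
                carved.extend(net.address_exclude(hole))
            else:
                carved.append(net)
        nets = carved
    return sorted(ipaddress.collapse_addresses(nets))


def is_blocked(addr, blocklist):
    """True if `addr` falls inside any block of the computed list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


if __name__ == "__main__":
    for net in effective_blocklist(MARKETSCORE_RANGES, UNRELATED_HOSTS):
        print(net)
```

Two of the exceptions (216.39.69.76 and 216.39.69.77) are adjacent, so a rule set that simply lists "deny /24, permit host" must order the permits first; the carved list avoids that ordering dependency.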
Appendix E
Performance of common anti-spyware tools versus Marketscore

Spybot Search & Destroy version 1.3 signatures 2005-03-19:

MarketScore: Tracking Cookie (Internet Explorer: ITSO)
MarketScore: User settings (Registry key): HKEY_USERS\S-1-5-21-484763869-220523388-68200330-1003\Software\Netsetter

Ad-Aware SE Built 1.05 using definitions file: SE1R35 31.03.2005

Marketcore (Netsetter) Object Recognized!
Type : Process
Data : OSMIM.DLL
Category : Data Miner
Comment : LSP Object
Object : C:\WINDOWS\system32
FileVersion : 1.0.0.52 (Build 52)
ProductVersion : 1.0.0.52 (Build 52)
ProductName : Marketscore OSMIM
CompanyName : Marketscore
FileDescription : OSMIM
InternalName : OSMIM
LegalCopyright : Copyright 2004
OriginalFilename : OSMIM.dll

Marketscore (Netsetter) Object Recognized!
Type : Process
Data : okshook.dll
Category : Data Miner
Comment :
Object : c:\windows\system32\
FileVersion : 1.3.4.296 (Build 296)
ProductVersion : 1.3.4.296 (Build 296)
ProductName : Marketscore
CompanyName : Marketscore
FileDescription : Marketscore
LegalCopyright : Copyright 2001-2004

Marketscore (Netsetter) Object Recognized!
Type : Process
Data : mksc.exe
Category : Data Miner
Comment :
Object : c:\windows\system32\
FileVersion : 1.3.301.218 (Build 301.318)
ProductVersion : 1.3.301.318 (Build 301.318)
ProductName : Marketscore
CompanyName : Marketscore
FileDescription : Marketscore
LegalCopyright : Copyright 2001-2004

Microsoft Anti-Spyware Beta1

Marketscore.InternetAccelerator (Spyware)
c:\windows\system32\okshook.dll
c:\windows\system32\osmim.dll
HKEY_CURRENT_USER\software\netsetter
HKEY_CURRENT_USER\software\netsetter\OSSProxy\Se...