So I ran through this 404 page reported to be involved with hijackers a few times and ended up with intell32.exe installed , sitting in my systray telling me "your computer is infected !" I'm so lucky.



and the desktop looking like this :



The "Click here" part doesnt work for me either , so I cant even give them any of my money..

---------------------------------
Sites / IP's logged :
---------------------------------



--------------------------------------


Outpost HTTP Log1:
http://www.bluetack.co.uk/H4X0RZ/hijacks/h...llbilly_log.txt

--------------------------------------

Files used :

on.exe
windows\downloaded program files\open.exe
a.bat
local settings/temp/oiho.exe
loader83.exe
WINDOWS\system32\intell32.exe
WINDOWS\system32\wppp.html
WINDOWS\uninstIU.exe
WINDOWS\System32\oleext.dll
WINDOWS\System32\oleext32.dll


Inside on.exe :




On reboot wininet.dll will be renamed/replaced by oleext32.dll

C:\WINDOWS\System32\oleext32.dll





----------------------------
Hijack this log entries :
----------------------------






---------------------------------------

www.tendomain.com

10 Domains

www.Barberpole.biz
www.Car8au.com
www.Exitrafic.net
www.Gomduri.info
www.K-time.info
www.Korearent114.com
www.Search4best.net
www.Searchingwww.net
www.Tendomain.com
www.Usedsale.info

218.38.13.220
218.38.13.0 - 218.38.13.255
Hanaro Telecom Inc.
Shindongah Bldg, 43, Taepyeongno2-ga, Jung-gu
SEOUL
100-733
Korea, Republic of

----------------------------------

www.britroadsters.com
www.pfl-enlarge.com

5348 domains

63.241.136.205
hosting105.secureserver.net
63.240.0.0 - 63.242.255.255
CERFnet

----------------------------------

66.235.192.134

186 Domains

66.235.192.0 - 66.235.223.255
iPowerWeb, Inc

-----------------------------------

www.karupsgirls.net

64.202.166.208
64.202.160.0 - 64.202.191.255
Go Daddy Software, Inc.

-----------------------------------

dl.ad-ware.cc

www.Cool-bookmark.com
www.Searcher.ws
www.Startpage.ws
www.The-right-start.com
www.The-startpage.com

195.225.177.22
ip177-22.netcathost.com
195.225.176.0 - 195.225.179.255
NetcatHosting
Ukraine

----------------------------------

alfaportal.com

69.31.85.154
69.31.80.0 - 69.31.87.255
Pilosoft, Inc

Domain servers:
NS1.HARDCOREOVER.COM - 66.250.130.200
NS2.HARDCOREOVER.COM - 69.31.80.114

Administrative Contact:
Magel, Irgi
na Prikope 16
Praha, PG 16300
CZ
723101427

--------------------------------

hxxp://82.179.170.11/dia489/

82.179.170.11
82.179.160.0 - 82.179.175.255
netname: RUNNET-ILCA1
descr: ICS TM, JSC
descr: 70 Bolshoy pr. V.O.
descr: 199002 St.-Petersburg
country: RU

---------------------------
Happy snaps :
---------------------------


















@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


More info here on infection and removal:

Win32.Alemod.H
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=43729

http://securityresponse.symantec.com/avcen...ophijack.c.html

http://www.greatis.com/appdata/d/_/_sysdir...dll_Removal.htm


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

-- PSGuard Hijack Part 2 --

Ok , I ran through a bad porn link that was reported to have something nasty loading..

Actually the first hijacks load in about 3 seconds after opening the porn site page:

This is what I got so far, note: you will need to log in to see the pictures , otherwise guests will only see the links to click on.



Courtesy of PSGuard:




PSguard with the clickable hijacked deskop wallpaper going to psguard.com... winlogon style 32 hijacked via CWS , about:blank for a homepage , a whole bunch of spyware domains and wildcard IP addresses added to IE zones , CWS BHO that replaced/eradicated the Spywall BHO and some other assorted crap..

I collected most of the temp files as they were being created , before they were deleted to get a look inside them and looks like they are all programs.

-------------------------------------------------------

http://www.whois.sc/nastyteenie.com

Record Type: IP Address
IP Location: Saudi Arabia - Makkah - Jeddah - Global Net Access Llc
Reverse IP: Web server hosts 4 websites (reverse ip tool requires free login)
Reverse DNS: not set

Domain name: nastyteenie.com
Registrant Contact:
Kim Nerem
+1.7456803929023
Fax: +1.7456803929023
373A Stemperton ave
New York, NY 45628
US

Name Servers:
ns1.yeahhardcore.com 72.9.224.194
ns2.yeahhardcore.com 72.9.224.195

Creation date: 23 Feb 2005 03:22:08
Expiration date: 23 Feb 2006 03:22:08


============================

Sites logged so far , from last to first cause Outpost logs go upside down:

razespyware.net 69.50.167.162
updatescenter.com 69.50.160.250
.www.search2k.net69.50.166.106
infsecurity.com 69.50.188.51
.www.psguard.com 206.161.200.34
.www.winprotections.com 69.50.166.108
.www.search2k.net 69.50.166.106
.www.spy-trooper.com 69.50.170.83
.www.winprotections.com 69.50.166.108
alfaportal.com 69.31.85.154
download.psguard.com 209.8.30.242
alfaportal.com 69.31.85.154
2pursuit.com 206.161.205.212
alfaportal.com 69.31.85.154
pentahosting.net 69.50.188.51
.www.nastyteenie.com 72.9.224.196


Nice popups :


Sites added to my restricted sites zones , maybe its the opposition.. http and https entries for each domain name.

*.coolporngalleries.com
*.loadcash.biz
*.s13.tempx.cc
*.sexpics.biz
*.trackhits.cc
*.tracktraff.cc
*.vparivalka.com
*.vv7.al.57e.net
*.win-eto.com
*.xawn.biz
205.177.*.*
69.31.*.*
85.255.*.*
70.84.89.*
195.95.218.*
205.188.250.*
69.50.*.*
195.255.*.*
81.9.3.*
82.179.*.*
66.235.*.*
66.230.*.*
82.179.*.*

======================================


First outbound connection made was to this site , good old atrivo-hell :



69.50.188.51
pentahosting.net
69.50.160.0 - 69.50.191.255
InterCage, Inc.

.www.Infsecurity.com
.www.Pentahosting.net

http://www.whois.sc/infsecurity.com
http://www.whois.sc/pentahosting.net

Domain Name: PENTAHOSTING.NET
Registrant:
LMC
Stan Cooper
3-6 ST. MARTINS SQUARE, apt 25
London
null,WC2H 7HL
GB
Tel. +44.2079308641
Creation Date: 23-Aug-2005
Expiration Date: 23-Aug-2006
Domain servers in listed order:
ns1.pentahosting.net
ns2.pentahosting.net


Domain Name: INFSECURITY.COM
Registrant:
LMC
Stan Cooper
3-6 ST. MARTINS SQUARE, apt 25
London
null,WC2H 7HL
GB
Tel. +44.2079308641
Creation Date: 23-Aug-2005
Expiration Date: 23-Aug-2006
Domain servers in listed order:
ns1.infsecurity.com
ns2.infsecurity.com




======================

Logfile of HijackThis v1.99.1
Scan saved at 17:28:46, on 20/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\System Safety Monitor\SysSafe.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\intell32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Security\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Devils Workshop 666
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\System32\hp10E8.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll (file missing)
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: www.bluetack.co.uk
O15 - Trusted Zone: www.outpostfirewall.com
O15 - Trusted Zone: www.spywarewarrior.com
O20 - Winlogon Notify: style32 - C:\WINDOWS\q1674734_disk.dll
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe


###################################


Here's where the b*stard thing deleted my Spywall BHO [ was not enabled at the time , for harvesting reasons ] and replaced it with some other registy entry of it's own:



O20 - Winlogon Notify: style32 - C:\WINDOWS\q1674734_disk.dll
http://castlecops.com/o20list-2.html

###################################

New sites are still coming in with each new popup , so I'll leave the infectiion running for as long as possible so I can get them all..




Files involved / collected that I have found so far:


PSGuardinstall.exe
intell32.exe
mscornet.exe
mssearchnet.exe
nvctrl.exe
q1674734_disk.dll
d.bat
msvol.tlb
ncompat.tlb
wppp.html
hp45F2.tmp
hp10E8.tmp
ldB9F0.tmp
oleext.dll
more temp files...


======================

Contents of d.bat



---------------------

The temp files are programs.

One example:



====================




Also had a file running called dxole32.exe , but couldnt find it after:



May be more still , havent checked through the dirmon and inctrl logs completely yet.

--

Spytrooper Success Stories





--

That's a very interesting read, thanks Moore.

If I understand correctly, the entire malware package was initiated just from the single site? I see it's also interesting that PSGuard was identifying a trojan it came bundled with, heh. There are a few more files in relation to PSGuard that you might or might not find. There are also quite a few registry keys associated with that crapware. It WILL insert itself as a startup process if you try to delete it (so it can try to reinstall itself automatically). That d.bat file looks awfully familiar from my run-in with the program.

In relation to this file: q1674734_disk.dll, you might want to see if there is a related file with an .exe and also one without the _disk.dll hidden in your Program Files and Windows directories somewhere. I found one in Prefetch, System, System32, and in C:\Program Files\Common Files\PSGuard.