yah, were not gonna fight...were just gonna give them 1 hit KO if they try s*** like this on our boards.
yaa and we dont want to be that board right? so lets try not to fight with otha boards and itz all good
3volutions vs Neocodex - Keylogger Alert
#126
Posted 23 August 2004 - 11:32 PM
#127 Guest_Socom_*
Posted 24 August 2004 - 01:17 AM
kllnA.dll FlushBuffer SaveE SetLOpt StartL StopL WLELock WLELogoff WLELogon WLEShutdown WLEStartScreenSaver WLEStartup WLEStopScreenSaver WLEUnlock ÂX ì€ .?AVexception@@ ì€ .?AVlogic_error@std@@ ì€ .?AVlength_error@std@@ string too long ì€ .?AVout_of_range@std@@ invalid string position
<%s> - |%s| <%s> - [%s] LBUTTONCLK LBUTTONDBLCLK RBUTTONCLK> RBUTTONDBLCLK MBUTTONCLK MBUTTONDBLCLK UNKMOUSE %d-%m-%y %H:%M:%S
, IP-Addresses: Host (user): %s (%s)
Log started at %s
s\%s.le %s\%s.dat Installation report Unable to start %s engine Enable autostartup failed. The %s engine will not be started automatically by Windows after a reboot (%u) Unable to create link file. %s might be installed already Unable to create engine file. %s might be installed already %s is already running on this host, installation aborted. One or more errors where encountered while installing the %s engine:<br>
<br>
* <p>You will receive a log report every %d days, %d hours and %d minutes from this host. Thank you for using %s!</p> failed succeeded Installation of %s on host %s (%s) TD.LfzMph %d.%d.%d.%d ? @ %a, %d %b %y %H:%M:%S %Z
Date:
CC: From: %s <%s>
To: %s
Reply-To: %s <%s>
Subject: %s
X-Mailer: Generic Mail service
MIME-Version: 1.0
.
--%s--
text/html text/plain Content-Type: multipart/mixed;
boundary="%s"
This message is in MIME format.
--%s
Content-Type: multipart/alternative;
boundary="%s" ----_=_NextPart_000_01C19920.83032BC0 ----_=_NextPart_001_01C19920.83032BC0 DATA
HELO %s
EHLO %s
www.google.com qualified 501 RCPT TO:<%s>
MAIL FROM:<%s>
QUIT
421 %s - The server responded: %s Unable to send document. Verify your settings Unable to resolve server Unable to connect to server Unable to send document (SMTP communication error) One or more recipients could not be reached: Unable to send document (network error)
--%s
Content-Type: %s;
charset="iso-8859-1"
--%s
Content-Type: application/octet-stream;
name="%s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="%s"
below = trojan functions.....
</TITLE></HEAD><BODY>
<HTML><HEAD><TITLE> a |Â@ .J %s\%s.dll ab %s\%s.exe WLEUnlock WLEStopScreenSaver WLEStartup WLEStartScreenSaver WLEShutdown WLELogon WLELock WLELogoff Unlock StopScreenSaver Startup StartScreenSaver Shutdown Logon Logoff Lock Impersonate Asynchronous DllName Notify Run RunServices Software\Microsoft\Windows\CurrentVersion\%s %s.dll -r w See attached file(
also both files are the same just renamed
finally the file
main shop restock alerter is not made by elz it is made by well....look at this,,,
M.a.d.e. .b.y. .R.I.d.I.c.u.l.e. .o.f. .N.h.a.c.k.s...c.o.m.....2...M.a.I.n. .S.h.o.p. .R.e.s.t.o.c.k. .A.l.e.r.t.e.r.......kernel32........CreateWaitableTi'merA........r...h.t.t.p.:././.w.w.w...n.e.o.p.e.t.s...c.o.m./.o.b.j.e.c.t.s...p.h.t.m.l.?.t.y.p.e.=.s.h.o.p.&.o.b.j._.t.y.p.e.=.1.......G.E.T...,...A.c.c.e.p.t.-.L.a.n.g.u.a.g.e.:. .e.n.-.u.s.....................U.s.e.r.-.A.g.e.n.t.:. .M.o.z.I.l.l.a./.4...0. .(.c.o.m.p.a.t.I.a.b.l.e.;. .M.S.I.E. .6...0.;. .W.I.n.d.o.w.s. .N.T. .5...1.;. .y.I.e.6.;. ...N.E.T. .C.L.R. .1...0...3.7.0.5.)......N.3.f.......`......S.o.r.r.y...&...R.E.S.T.O.C.K. .I.S. .O.C.C.U.R.I.N.G
#128
Posted 24 August 2004 - 01:28 AM
#130
Posted 24 August 2004 - 01:31 AM
#131 Guest_Socom_*
Posted 24 August 2004 - 01:31 AM
http://graal16.tripod.com/lame.txt
u will see both the files are the same file just renamed
Edited by Socom, 24 August 2004 - 01:33 AM.
#132
Posted 24 August 2004 - 01:41 AM
its only these versions that the keylogger has shown up in...no the first versions didnt have any virus in them
that looks whack rdd lol
my attachment didnt work go here
http://graal16.tripod.com/lame.txt
u will see both the files are the same file just renamed
#133
Posted 24 August 2004 - 01:47 AM
#134
Posted 24 August 2004 - 02:43 AM
Told ya...You may have noticed elz acting weird. And posting keyloggers. Someone hacked his account I checked through the IP logs and it all checks out. It was member 404 that got into his account and by valued resources was told 404 was firebirdGM.
#135
Posted 24 August 2004 - 02:49 AM
#136 Guest_Socom_*
Posted 24 August 2004 - 02:49 AM
#137 Guest_Atsutane_*
Posted 24 August 2004 - 02:50 AM
Edited by Atsutane, 24 August 2004 - 03:06 AM.
#138
Posted 24 August 2004 - 03:10 AM
Anyway, onto the current problem again. I'm supermoderator at 3volutions and I just deleted the keylogging programs. I thought it was odd that someone said the progs were trojans on the boards the other day but I just disregarded it as some n00bish loser lol. Ok well yea when Xenocyde got deleted I was looking around on the board for the reason and yea I discovered the keylogger (from now on referred to as kl because it's shorter). I checked the prog and yea it's a kl, I've read all the posts before this (wow that took a while) and it seems like it was pretty much definitely elz.
Here is my evidence against it being him:
The post that he posted his kl in was really short kinda unlike elz when he posts progs.
The fact that this situation seems like the victim of a keylogger, because maybe elz got keylogged so that's why the person was on his msn as well and knew what elz was like (it is sort of possible believe me) Also probably they had never done this to a whole forum acting as the admin so they wanted to know the legality of it.
The fact elz didn't freeze me. Some person in elz's account might have known about frosty having power but I kept mine pretty secret but elz knew of course. As I have now deleted his post and stuff I may now be banned etc. Elz would have taken away my smod power to stop his posts before doing it.
I'm gonna go sniff around for more info.
But really even if it was elz, I won't be too mad at him, I am sure I might have all of a sudden done something like that 2 years ago (maybe more than 2) when I was 14 or 13 (whatever elz is). I can be sympathetic (I don't care if you can't be) because I used to think exactly like someone who would do this kind of thing (except I would have blocked me)
So yea.... don't be too hard on him, it's not like he's old enough to be charged anyway.
I really hope it wasn't elz, I'm gonna go sniff around for more info on what happened with my smod powers....(any suggestions for stuff I can look for that others can't is appreciated thanks.) I've already tried to check ips but I can't see admins' ips, just everyone else's
Oh I just saw frosty post ok, so now I hope we see it weren't elz
OK frosty gave me admin controls so I could back him up:
look at this:
elz's IP addresses (2) matches
IP Address       Times Used   Date Used                     Used for other Reg.   IP Tool
193.217.156.**   218          23rd July 2004 - 03:34 PM     0                     Learn about this IP
68.149.78.2      6            24th August 2004 - 12:31 AM   1                     Learn about this IP
Unless elz moved country or something then it weren't him (I know proxies are still a possibility, but come on this is already getting a bit too deviously complicated for even elz to have schemed)
and yea that second Ip that was only used 6 times was the same as 404 who we think is firebirdgm. here is that person's email, they made both the emails of elz and 404: [email protected]
hope this sorta proves to you guys it wasn't elz and that you owe him one big CENSORED apology (crosses fingers that he doesn't suddenly get proven wrong)
Edited by cooliodoc, 24 August 2004 - 05:06 AM.
#139
Posted 24 August 2004 - 03:27 AM
#140
Posted 24 August 2004 - 03:36 AM
#141
Posted 24 August 2004 - 03:43 AM
first it wasn't me deleted members. I checked logs and it was elz under 404's IP (meaning it was 404)
second 404 posted a link to his site yesterday that CONTAINED those 2 programs. elz downloaded them to check them and said they were keyloggers (The exact same) and plus even tho he has mcafee. it says it deleted it. but I didn't (because I had to rescan to get rid of it) anyway I have taken screenshots and posted them on 3vo anyone is welcome to look
PROOF (EDIT by LightSabre: Link removed and pmed to admin; you may post the actual screenshots here though.)
It explains how 404 got into his account KEYLOGGED when elz downloaded those 2 programs
-Frosty
#142
Posted 24 August 2004 - 03:49 AM
I have proof that it was elz he sent me a program of his source code at 2:30 pm gmt and it was his unless his whole computer was hacked which I highly doubt......
Edited by dizzee, 24 August 2004 - 03:51 AM.
#143
Posted 24 August 2004 - 03:54 AM
#144
Posted 24 August 2004 - 04:01 AM
#145
Posted 24 August 2004 - 04:03 AM
His Gmail msn account has possibly been hacked...so anything on it last nite after 12AM (UK time) was not him
#146
Posted 24 August 2004 - 04:21 AM
However, in litigation, the staff of 3volutions may later choose to approach an admin on this matter, as well as to allow him temporary access to all admin permissions on 3volutions so as to view all available 'evidence' for elz. No apologies from either party should be required at this point in time.
#147
Posted 24 August 2004 - 04:24 AM
just end it with
We are reporting live at NeoCodex studio folrlando studios alternate
Edited by XenoCyde, 24 August 2004 - 06:07 AM.
#148
Posted 24 August 2004 - 04:25 AM
#149
Posted 24 August 2004 - 04:28 AM
#150
Posted 24 August 2004 - 04:31 AM
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ TDFWU`PB13:4 wb rb |Â@ .?AVexception@@ |Â@ .?AVlogic_error@std@@ |Â@ .?AVlength_error@std@@ string too long |Â@ .?AVout_of_range@std@@ invalid string position \ <tr><td> </td><td><a href='%s'>%s</a></td></tr> <tr><td> </td><td> </td></tr><tr><td><b>%s</b></td><td><a href='%s'>%s</a></td></tr> <unknown> InternetShortcut URL %s\%s %s\*.* %s\*.url </table></HTML> <HTML><p> </p><H2>IE Favorites:</H2><table border='1' cellspacing='0' cellpadding='2' bordercolor='#000099'><tr><td><b>Folder</b></td><td><b>Item</b></td></tr> =ubcmf!xjeui>(86&(!cpsefs>(1(!dfmmtqbdjoh>(1(!dfmmqbeejoh>(1(!bmjho>(dfoufs(?
=us?=ue!bmjho>(dfoufs(?=is!bmjho>(dfoufs(!tj{f>(3(?
Epdvnfou!tfou!cz!=b!isfg>(iuuq;00xxx/tpgu.dfousbm/ofu0lfzmph/qiq(?TD.LfzMph=0b?-
!pggfsfe!cz!Tpgu.Dfousbm=cs?
Wjtju!TpguDfousbm!po!uif!xfc;!=b!isfg>(iuuq;00xxx/tpgu.dfousbm/ofu(?
iuuq;00xxx/tpgu.dfousbm/ofu=0b?=is!bmjho>(dfoufs(!tj{f>(3(?=0ue?=0us?=0ubcmf?=0CPEZ?=0IUNM? <p> </p> </font></H1></td></tr></table><p> </p>
<br><table align='center' border='0' width='100%' cellpadding='8' cellspacing='0'>
<tr><td align='center' bgcolor='#000099' valign='middle'><H1><font color='#CCCCCC'>
</TITLE></HEAD><BODY>
<HTML><HEAD><TITLE> a |Â@ .J %s\%s.dll ab %s\%s.exe WLEUnlock WLEStopScreenSaver WLEStartup WLEStartScreenSaver WLEShutdown WLELogon WLELock WLELogoff Unlock StopScreenSaver Startup StartScreenSaver Shutdown Logon Logoff Lock Impersonate Asynchronous DllName Notify Run RunServices Software\Microsoft\Windows\CurrentVersion\%s %s.dll -r w See attached file(s)... %s log report *.* Log report of computer %s (%s) E-MAIL Log file sent by e-mail Delete logfile failed MAILERROR IE_Favorites.html ief_ ERROR Unable to open logfile while sending e-mail LogFile.log %s\%d-%d 25 |Â@ .H RegisterServiceProcess kernel32.dll FlushBuffer SetLOpt SaveE StartL StopL %s\%s.le %s\%s.dat Installation report Unable to start %s engine Enable autostartup failed. The %s engine will not be started automatically by Windows after a reboot (%u) Unable to create link file. %s might be installed already Unable to create engine file. %s might be installed already %s is already running on this host, installation aborted. One or more errors where encountered while installing the %s engine:<br>
<br>
* <p>You will receive a log report every %d days, %d hours and %d minutes from this host. Thank you for using %s!</p> failed succeeded Installation of %s on host %s (%s) TD.LfzMph %d.%d.%d.%d ? @ %a, %d %b %y %H:%M:%S %Z
Date:
CC: From: %s <%s>
To: %s
Reply-To: %s <%s>
Subject: %s
X-Mailer: Generic Mail service
MIME-Version: 1.0
.
--%s--
text/html text/plain Content-Type: multipart/mixed;
boundary="%s"
This message is in MIME format.
--%s
Content-Type: multipart/alternative;
boundary="%s" ----_=_NextPart_000_01C19920.83032BC0 ----_=_NextPart_001_01C19920.83032BC0 DATA
HELO %s
EHLO %s
www.google.com qualified 501 RCPT TO:<%s>
MAIL FROM:<%s>
QUIT
421 %s - The server responded: %s Unable to send document. Verify your settings Unable to resolve server Unable to connect to server Unable to send document (SMTP communication error) One or more recipients could not be reached: Unable to send document (network error)
--%s
Content-Type: %s;
charset="iso-8859-1"
--%s
Content-Type: application/octet-stream;
name="%s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="%s"
Why does it email somebody? and one thing is that it operates the registry, screensaver, shutdown and restart and etc? why are there html codes in there? and why is there a logfile?
About Mainshop Restock watcher
I opened it....... and this is what I saw:
? `Ó?Form btnStopcheck txtWait1 About RandomInteger | 4 8 @ < M a d e b y R I d I c u l e o f N h a c k s . c o m 2 M a I n S h o p R e s t o c k A l e r t e r kernel32 CreateWaitableTi'merA r h t t p : / / w w w . n e o p e t s . c o m / o b j e c t s . p h t m l ? t y p e = s h o p & o b j _ t y p e = 1 G E T , A c c e p t - L a n g u a g e : e n - u s
? U s e r - A g e n t : M o z I l l a / 4 . 0 ( c o m p a t I a b l e; M S I E 6 . 0; W I n d o w s N T 5 . 1; y I e 6; . N E T C L R 1 . 0 . 3 7 0 5 ) áN?3?f� ? `Ó?
S o r r y & R E S T O C K I S O C C U R I N G
huh? what's ridicule of NHacks.com?
Edited by xx_WLT_xx, 24 August 2004 - 04:33 AM.
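Some strings in the dump above look scrambled (`TD.LfzMph`, the lines starting `=ubcmf!xjeui`) because each character has been shifted up by one; undoing the shift yields ordinary HTML and a product name. The following is an added example, not part of the original thread or of the program discussed: a small Python triage helper that tries small shifts on strings pulled from a binary and reports the ones that decode to recognisable cleartext. The names `MARKERS`, `unshift`, `best_shift` and `triage` are this example's own.

```python
# Added example: recover additively shifted strings found in a `strings` dump.
# MARKERS, unshift, best_shift and triage are names invented for this sketch.

MARKERS = ("<table", "<br>", "</", "href=", "http://", "keylog")

def unshift(s, k):
    """Subtract k from each shifted printable-ASCII character; keep the rest."""
    return "".join(
        chr(ord(c) - k) if 0x20 + k <= ord(c) <= 0x7E + k else c for c in s
    )

def score(text):
    """Count cleartext markers (HTML tags, URL scheme, product word)."""
    low = text.lower()
    return sum(low.count(m) for m in MARKERS)

def best_shift(s, max_k=8):
    """Return (k, decoded); k == 0 means no shift produced any marker."""
    # Ties go to the smallest shift because -k sorts higher for small k.
    hits, _, k = max((score(unshift(s, k)), -k, k) for k in range(max_k + 1))
    return (k, unshift(s, k)) if hits else (0, s)

def triage(strings):
    """Map each string that decodes under a non-zero shift to its cleartext."""
    out = {}
    for s in strings:
        k, decoded = best_shift(s)
        if k:
            out[s] = decoded
    return out

# Strings copied from the dump in the post above, plus one cleartext control.
SAMPLE = [
    "TD.LfzMph",
    "=ubcmf!xjeui>(86&(!cpsefs>(1(",
    "!pggfsfe!cz!Tpgu.Dfousbm=cs?",
    "MAIL FROM:<%s>",
]

if __name__ == "__main__":
    for original, decoded in triage(SAMPLE).items():
        print(f"{original!r} -> {decoded!r}")
```

The cleartext control (`MAIL FROM:<%s>`) is left unflagged, so the helper can be run over a whole strings listing without drowning the shifted entries in noise.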