
My Hijack LOG


19 replies to this topic

#1 lezbfranz

lezbfranz

  • Members
  • 11 posts

Posted 17 June 2005 - 06:42 AM

I have run Adware and Search and Destroy and here is my HijackThis LOG:

Logfile of HijackThis v1.97.7
Scan saved at 6:31:45 AM, on 6/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
c:\windows\system32\galyxm.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\nnrflw.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\mt-io800.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\mswmtf.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Aprps\CxtPls.exe
C:\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://google.com/
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [o90+]I" igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nnrflw.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [0 44}5C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nnrflw.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [37sh3sh] mt-io800.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [wxpjuzh] c:\windows\system32\galyxm.exe r
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Iw3nRiN8j] mswmtf.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...bridge-c283.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF2C1F36-2C51-4356-B13A-051EC07CD210} (RamSoft Web Installer) - http://192.168.50.135/powerreader/PRInstall.cab

I need HELP!!!!
THANKS!
Denise



#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts

Posted 18 June 2005 - 12:06 PM

Hi Denise,

Welcome to BC. Just a sec and I'll be right back with you.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#3 Papakid


Posted 18 June 2005 - 12:47 PM

You are using an outdated version of HijackThis. Click on the link below and follow the steps in that tutorial to install the latest version of HijackThis:
How to post a HijackThis Log

You can of course skip step 1. But be sure to follow steps 2 through 4 and use the links in the tutorial to download the self-extracting HijackThis. When you get to step 5, come back to this topic and use the Add Reply button to paste your log into a reply to this post. But don't scan to make a new log until after you have done the following.

1. Run AdAware and Spybot Search & Destroy in Safe Mode. Be sure to update them before moving to Safe Mode and please review the following tutorials to make sure these programs are configured correctly and if you need help in getting to safe mode:

Ad-Aware Tutorial

Spybot - S&D Tutorial


How to Boot Into Safe Mode

2. Once that is complete, please run at least two of the following online free scans:

Kaspersky OnLine
eTrust Antivirus Web Scanner
Panda ActiveScan
BitDefender
TrendMicro's HouseCall

Now scan again with HijackThis 1.99.1 and post a new log.



#4 lezbfranz


Posted 21 June 2005 - 09:07 AM

OK---my computer was completely crashing ---I couldn't use Internet Explorer so couldn't use the online scans soooo upgraded to XP Professional and tried to start over. I scanned in Safe Mode Adware & SD then Hijackthis, then went to scan online and now every time I open IE or Mozilla ---black screen! So I did the scans again and copied my Hijack log and I am emailing from another computer! I NEED HELP!!!

Here is the new LOG:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:40 AM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\efjxbnj.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [37sh3sh] cfgfd.exe
O4 - HKLM\..\Run: [oplqsr] c:\windows\system32\efjxbnj.exe r
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {DF2C1F36-2C51-4356-B13A-051EC07CD210} (RamSoft Web Installer) - http://192.168.50.135/powerreader/PRInstall.cab
O18 - Protocol: bw+0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {A966E983-F927-4038-BEC6-1D4A014B2415} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RamSoft Cache (RamSoftCacheServer1) (RamSoftCacheServer1) - Unknown owner - C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe




Probably contaminated this computer too! UGHHH! I hope you can respond quickly!! THANKS for Any help!

#5 Papakid


Posted 21 June 2005 - 12:51 PM

Sorry to hear of these problems and that you have upgraded your machine without being asked to do so. That's not advisable to do on a severely infected system and may have made it so that we won't be able to recover it. Malware removal is tricky and you should only do what is advised and report back any problems you may have.

Let's try to get rid of the Nail/Aurora infection and uninstall the backweb app that may be what's interfering with your internet access and see how it goes.

Probably contaminated this computer too!

Is the computer you're on networked with the infected PC you're posting about? If so, since you don't seem to be running any antivirus, it could well be infected too. But as long as it isn't having problems, let's not try to fix it yet so we can use it to clean up your other PC. I would advise that you not do any online banking or other activities of a sensitive nature on either machine and disconnect them from each other until we get you straightened out.

I'm going to need you to download some tools in order to help you. Not sure why you are getting a black screen with your browsers--and I'm assuming you have access to your desktop and Task Bar--but here are three things to try to transfer the needed files to the infected logon.

1. Run System Restore and choose a Restore Point prior to when you ran the online scans--if that is when you noticed the black screens. Try a day or two before. If this works, stop here, scan again with HijackThis in normal mode and post it back here and let me know.

2. If that is not successful, go to your Control Panel and create a new user account with Administrative privileges. Connect to the net and see if you can use your browsers. If you have your setup files for it, try to reinstall Mozilla/Firefox. For easier access you can save the files to your Shared Documents folder or create a folder for them in your C:\ drive. You will need to be logged in to the affected account to fix the infection.

3. If all else fails, use the PC you are currently posting from and save the files to a floppy or USB drive. If all you have is a CD/DVD drive, copy those files to your hard drive before trying to install and run them.

Now proceed with the following. Again, you must be logged into the affected account for this to work and just add in the steps of transferring the needed files so they are accessible from that account.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files if you have access to the net. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Download the following file and save it to your desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf

Reboot your computer into Safe Mode.

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Now open your Add/Remove Programs applet from your Control Panel. Uninstall Desktop Messenger and ISTbar--anything that sounds like IST.

Scan again with HijackThis and put a check by the following--don't be concerned if some of these entries aren't there as Ewido may already have eliminated them:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [37sh3sh] cfgfd.exe
O4 - HKLM\..\Run: [oplqsr] c:\windows\system32\efjxbnj.exe r
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

All lines in the log that begin with O18

O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Right-click on the deldomains.inf file and select Install.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. Please let me know if you are having any problems especially with carrying out these instructions and if you are able to use your browsers again.

There will most likely be more to do and we will have to take this in stages.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#6 lezbfranz


Posted 21 June 2005 - 09:37 PM

Ok--I am back on my computie! Sorry ----I realized after my panic and desperation cause I couldn't get anything to work so upgraded! Anyway I am back and I have the HiJack log and the Ewido Report:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:28 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {DF2C1F36-2C51-4356-B13A-051EC07CD210} (RamSoft Web Installer) - http://192.168.50.135/powerreader/PRInstall.cab
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RamSoft Cache (RamSoftCacheServer1) (RamSoftCacheServer1) - Unknown owner - C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE

EWIDO REPORT

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:05:51 PM, 6/21/2005
+ Report-Checksum: 999EDAC5

+ Date of database: 6/22/2005
+ Version of scan engine: v3.0

+ Duration: 53 min
+ Scanned Files: 79758
+ Speed: 24.78 Files/Second
+ Infected files: 77
+ Removed files: 75
+ Files put in quarantine: 75
+ Files that could not be opened: 0
+ Files that could not be cleaned: 2

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Beth Nail\Cookies\beth nail@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Cookies\beth nail@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Cookies\beth nail@sexsearchcom[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Cookies\beth nail@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.POP.dl -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Local Settings\Temp\OHM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Local Settings\Temp\TYU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Local Settings\Temp\VCD\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Local Settings\Temp\XFG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Beth Nail\Local Settings\Temp\YWZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\HijackThis\hijackthis\backup-20040328-155707-318.dll -> Spyware.MyWebSearch -> Cleaned with backup
C:\HijackThis\hijackthis\backup-20040329-115325-871.dll -> Spyware.MediaTickets.a -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP0\A0000002.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP0\A0000006.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP0\A0000008.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP0\A0000021.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP0\A0000024.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP0\A0000026.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000046.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000080.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000081.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000195.EXE -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000196.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000203.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000370.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000376.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000389.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0001018.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0001374.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0001377.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002373.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002377.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002391.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002394.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002397.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002407.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002410.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002411.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002413.sys -> Backdoor.Haxdoor.bp -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002415.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002422.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0002425.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0003422.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0003425.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0004422.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0004425.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005422.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005425.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005437.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005440.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005441.sys -> Backdoor.Haxdoor.bp -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005443.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0005444.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\assest.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\cerbmod.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\QDow.dll -> TrojanDownloader.QDown.d -> Cleaned with backup
C:\WINDOWS\frennk.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.ay -> Cleaned with backup
C:\WINDOWS\mstasks2.exe -> Backdoor.Haxdoor.by -> Cleaned with backup
C:\WINDOWS\sasent.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\sasetup.dll -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\WINDOWS\SYSTEM32\BO2802040113.dll -> Spyware.VirtualBouncer.d -> Cleaned with backup
C:\WINDOWS\SYSTEM32\c43b1s.dll -> Backdoor.Ruledor.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\cfgfd.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\WINDOWS\SYSTEM32\cm.dll -> Backdoor.Haxdoor.bp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\dktibs.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\SYSTEM32\draw32.dll -> Backdoor.Haxdoor.bp -> Error during cleaning
C:\WINDOWS\SYSTEM32\hm.sys -> Backdoor.Haxdoor.bp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ilsnel32.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINDOWS\SYSTEM32\memlow.sys -> Backdoor.Haxdoor.bb -> Cleaned with backup
C:\WINDOWS\SYSTEM32\pdwmis.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vdnt32.sys -> Backdoor.Haxdoor.bp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vtd_16.exe -> Backdoor.Haxdoor.by -> Error during cleaning
C:\WINDOWS\SYSTEM32\wd.sys -> Backdoor.Haxdoor.bb -> Cleaned with backup
C:\WINDOWS\toolbar.exe -> Trojan.LowZones.y -> Cleaned with backup


::Report End


THANK YOU SOOO MUCH! And THANKS for going easy on my brain fart! I will be waiting to hear what else needs to be cleaned up---I know you are right there is lots more here!!

THANK YOU!!
SMILES! :thumbsup: :flowers:
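Added example, not part of the thread: one way to check a follow-up HijackThis log against the fix list from post #5 and see which flagged entries are still present. The log lines are copied from posts #5 and #6 (the follow-up is an excerpt); the function names and the matching heuristic (Run value name, Winlogon Notify name, service name) are assumptions of this sketch.

```python
import re

# Entries the helper asked to have fixed (post #5), copied from the thread.
FIX_LIST = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [37sh3sh] cfgfd.exe
O4 - HKLM\..\Run: [oplqsr] c:\windows\system32\efjxbnj.exe r
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Excerpt of the follow-up log (post #6), copied from the thread.
FOLLOWUP = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
"""

# A HijackThis entry line looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse(log_text):
    """Return (section, body, line) for every entry line; headers and process paths are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def entry_key(section, body):
    """Identity of an entry that survives a path change or a '(file missing)' suffix.

    Heuristic (assumption of this sketch): O4 entries are keyed on the startup
    shortcut or the bracketed Run value name, ignoring the hive, so the same
    name under HKCU still matches a fix-list line that named HKLM.
    """
    if section == "O4":
        m = re.match(r"(?:Global )?Startup: (.+?) = ", body)
        if m:
            return (section, m.group(1).lower())
        m = re.search(r"\[([^\]]+)\]", body)
        if m:
            return (section, m.group(1).lower())
    if section in ("O16", "O20", "O23"):
        label = body.split(": ", 1)[-1]          # drop "DPF", "Winlogon Notify", "Service"
        return (section, label.split(" - ", 1)[0].strip().lower())
    return (section, body.lower())


def compare(fix_text, followup_text):
    """Split the fix list into entries still present in the follow-up log and entries gone."""
    followup = {}
    for section, body, line in parse(followup_text):
        followup.setdefault(entry_key(section, body), []).append(line)

    surviving, cleared = [], []
    for section, body, line in parse(fix_text):
        hits = followup.get(entry_key(section, body))
        if not hits:
            cleared.append(line)
            continue
        for hit in hits:
            surviving.append({
                "flagged": line,
                "found": hit,
                "unchanged": hit == line,
                # Registry reference is left behind but the file it loads is gone.
                "file_missing": hit.endswith("(file missing)"),
            })
    return surviving, cleared


if __name__ == "__main__":
    surviving, cleared = compare(FIX_LIST, FOLLOWUP)
    print(f"{len(cleared)} flagged entries no longer present, {len(surviving)} still listed:")
    for s in surviving:
        state = "orphaned reference" if s["file_missing"] else "file still referenced"
        where = "same line" if s["unchanged"] else "line differs from fix list"
        print(f"  [{state}; {where}] {s['found']}")
```

On the thread's data this reports the `ntddetect` Run value under a different hive than the fix list named, plus the `draw32` Winlogon Notify entry and the .NET Framework Service entry as references whose files are missing.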

#7 Papakid

Malware Response Team

Posted 21 June 2005 - 11:15 PM

Hi Denise,

Wow, that looks a lot better, I think you are eventually going to be OK, but you aren't out of the woods completely yet.

Could you let me know if you are posting from the infected PC now and if so what you did to get back online?

It's going to take me a bit to research what needs to be done to get rid of what you have left, so in the meantime you really need to secure your system. I want you to install an antivirus and make sure the SP2 firewall is on and I will recommend some better free firewalls later.

I recommend AVG to start off with. Since it's free, you can always uninstall it and use the antivirus of your choice without making any monetary commitments.

So please do the following, and we'll do a little more cleaning:

1. Download AVG Free. It should come with the latest updates, so don't install it just yet.

2. Open AdAware. Click on the Globe and download any updates that are available. Then close it.

3. Reboot your computer into Safe Mode.

4. Install AVG and run a full system scan.

5. Run AdAware. Allow both scanners to remove all they find.

6. This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

7. Go to your Control Panel and set it to Classic View if it's not already there. Double click the four colored shield to open Security Center. Toward the bottom click the Windows Firewall link and make sure the Firewall is On.

8. Reboot back into normal mode, scan again with HijackThis, and post a new log.

If you have Internet Explorer available, you can also go to Tools>Windows Updates and make sure you are fully up to date, as even SP2 has several patches out now and not having them could cause you to be re-infected.

And don't worry about brain farts, they happen to me too. :thumbsup:


#8 lezbfranz


Posted 22 June 2005 - 11:24 AM

Whew! I did all that but could not activate Windows Firewall---I tried opening the Security Center and it shows the firewall off and recommends going to the Windows Firewall to turn it on but I can't even run that---it says "Due to unidentified problem, Windows cannot display Windows Firewall Settings." I even did the Windows Update you suggest--still same problem. Anyway here is my new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:09 AM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {DF2C1F36-2C51-4356-B13A-051EC07CD210} (RamSoft Web Installer) - http://192.168.50.135/powerreader/PRInstall.cab
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RamSoft Cache (RamSoftCacheServer1) (RamSoftCacheServer1) - Unknown owner - C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE

THANKS! You ROCK!!!

#9 Papakid

Malware Response Team

Posted 22 June 2005 - 01:11 PM

OK, you've got some pretty insidious malware still hanging on that is going to take some doing to get rid of. It may be what has messed with the Windows Firewall or that might be because of the upgrade you did.

Do a search of All Files and Folders for alg.exe to see if you still have a viable file and post back the location (filepath) of each instance found. You should have the active file in your system folder:
C:\WINDOWS\system32\alg.exe

Right click on this one and open the Properties and let me know the date that it was last modified and accessed.

I don't like the idea of you not having a firewall while on the net, but let's see if we can get rid of haxdoor and buddies first. When you have some spare time look at the features pages of these free firewalls and decide which one you might like to install and read up on firewalls--altho I use Kerio myself, Sygate would probably be the best choice.

Sygate Personal Firewall
Kerio Personal Firewall
ZoneAlarm

Understanding and Using Firewalls

Now let's try this.

1. Download Silentrunners from this page:

http://www.silentrunners.org/sr_scriptuse.html

Read over the instructions on that page. I don't think AVG has a script blocker, but if you do get a warning, the script is not malicious.

Run the SilentRunners.vbs file and post the contents of the text file in your next reply to this post.

2. Download http://www.bleepingcomputer.com/files/pfind.php

Create a folder C:\pfind and extract pfind-new.zip into it.

Open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

These files will be searching for files and in certain areas, so give them some time to run and be patient.


#10 lezbfranz


Posted 22 June 2005 - 05:40 PM

I am connected through a router---if that helps!

Here is what you needed:

C:\I386\alg.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\alg.exe

C:\WINDOWS\system32\alg.exe
Modified: 8-4-2004
Accessed: Today 6-22-2005

Silentrunners Report:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [file not found]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" [file not found]
"ntddetect" = "C:\WINDOWS\System32\ntddetect.exe" [file not found]
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]
"Dell|Alert" = "C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [empty string]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"QBCD Autorun" = "D:\autorun.exe restart IE_SEQUENCE first" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LVCOMSX" = "C:\WINDOWS\System32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D28-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [file not found]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{1EBC3533-B289-409F-9924-B84B3F0717D2}" = "AceFTP Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\FTPCntxt.dll" ["Visicom Media Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}" = "*i" (unwriteable string)
-> {CLSID}\InProcServer32\(Default) = "*b" (unwriteable string) [file not found]
INFECTION WARNING! "{FB153DCE-822E-47ec-8D00-2706E7864B37}" = "*i" (unwriteable string)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\KB290333.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! draw32\DLLName = "draw32.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\BN\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "none" [file not found]


Startup items in "BN" & "All Users" startup folders:
-----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm, Inc."]
"HPAiODevice(hp psc 900 series) - 1" -> shortcut to: "C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe -DeviceID 1031095091" ["Hewlett-Packard Co."]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft Corporation"]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{07B18EA9-A523-4961-B6BB-170DE4475CCA}" = "My &Way Speedbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll" ["Yahoo! Inc."]

"{07B18EA9-A523-4961-B6BB-170DE4475CCA}" = "My &Way Speedbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\ = "My Way Speedbar Quick View" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
RamSoft Cache (RamSoftCacheServer1), RamSoftCacheServer1, "C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE RamSoftCacheServer1" [empty string]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
amily*mobility+family*motto+family*names+family*organizations+family*organizer+family*origin+family*pet+family*planning+family*records+family*report+family*reunion+family*rights+family*saving+family*search+family*software+family*travel+Family*Tree+family*trees+family*trip+family*vacation+family*vacations+family*website+Family%2Bcare%2Bhealth%2Bplan+family%2Bcredit%2Bcounseling%2Bservice+family%2Bdental%2Binsurance+family%2Bdental%2Bplan+family%2Bhealth%2Bbenefit+family%2Bhealth%2Bcare+family%2Bhealth%2Binsur+family%2Bhealth%2Binsurance+family%2Bhealth%2Binsurance%2Bcoverage+family%2Bhealth%2Bplan+family%2Bhistory%2Bsoftware+Family%2Blife%2Barticle+family%2Bmedical%2Bcare+family%2Bmedical%2Bcoverage+family%2Bmedical%2Binsurance+family%2Bmedical%2Bplan+family%2Btree%2Bcreat+family%2Btree%2Bdownload+family%2Btree%2Bmak+family%2Btree%2Bmaker+family%2Btree%2Bsoftware+family%2Bwealth%2Bmanagement+family-friendly-fun.com/files/*attentiondeficitaddadhd.html+family.org+familyadvantage.com+familyadvantage.org+familyadventures.com+familybook+familycar.com+familycar.com/nextcar.htm+familychristian.com+familychristian.com/shop/product.asp%3FProdID%3D1849+familycircle.com/home/homepage.jsp+familyclick.com+familyconnect.com+familycordblood.com+familycredit.org+familycredit.org/+familycredithelp.org+familycrest+familycruise+familydebt.com+familydoctor.org/men.xml+familyeducation.com+familyeducation.com/subchannel/*0,2794,23-122,00.html+familyeducation.com/subchannel/0,2794,23-122,00.html+familyfirst.net/marriage/beforeido+familyhaven.com+familyhealthinsurance+familyhistory+familyhistory.com+familylife.com+familylife.com/singles.asp+familymeds.com+familymeds.com/familymeds/prescpage.asp%3F+familymobility.com+familyorigin+familysearch+familysearch.org+familyshoppingbag.com+familysoftware+familysweeps.net+familysweeps.net/pacman.html+familytree.com+familytreedna.com+familytreelegends.com+familytreelegends.com/+Famous*Crime+famous*immigrants+Famous*Mugshot+famous%2Bblack%2Bporn%2Bstar+
famous%2Birish%2Bimmigrants+Famous%2BMug%2BShot+famous3d.com+famousfootwear.com/shop/womens.asp+famousplayers.com+famouspornstars.com+famtreesoftware.com+famvir+fan-zone.com+fanbay.net+fanbuzz.com+fancifull.com+fancy*glassware+fandango.com+fannie*mae+fannie*may+FANNIEMAE+fanniemae.com+fanniemae.com/index.jhtml+fanniemay+fanny*mae+fannymae+fansedge.com+fansedge.com/Basket+fanstory.com+fantagraphics.com+Fantasia+fantasiawear.com+fantasticfacials.com+fantastique*dvd+fantasty*football+fantasty*game+fantasy*baseball+fantasy*basketball+fantasy*books+fantasy*carnival+fantasy*daggers+fantasy*fame+fantasy*football+fantasy*hockey+fantasy*inn+fantasy*league+fantasy*lingerie+fantasy*sex+fantasy*sports+fantasy*star+fantasy*team+fantasy*wig+fantasy%2Bbaseball%2Bkeeper%2Bleague+fantasy%2Bbaseball%2Bleague+fantasy%2Bbaseball%2Bmanager+fantasy%2Bbaseball%2Bpool+fantasy%2Bcarnival%2Bcruise+fantasy%2Bfootball%2Bbetting+fantasy%2Bhockey%2Bleague+fantasy%2Bhockey%2Bsport+fantasy%2Bnba%2Bsport+fantasy%2Bpremiership%2Bsport%2Buk+fantasy%2Bracing%2Bleague+fantasy%2Bsport%2Bgame+fantasy%2Bsport%2Bstatistic+fantasy%2Bsports%2Bleague+fantasy-cruises.com+fantasybaseballcafe.com+fantasybaseballcentral.com+fantasycars.com+fantasyfire.com+fantasyfit.com/whatisff.html+fantasyfootballcafe.com+fantasygames.sportingnews.com/football+fantasyinsights.com+fantasylatina.com+fantasymatch.com+fantasyphonegirls.com+fantasysex+fantasysmackdown.com+fantasysports+fantasysportscasts.com+fantasyspringsresort.com/+fantasytan.com+fantasytoyland.com+fantasyware.com+fantazialingerie.co.uk+fantones.net+fao*Schwarz+Fao.com+faoSchwarz+faoschwarz.com+Far%2BRockaway%2BHigh%2BSchool+Far%2BView%2BLodge+far-sited.com+farbige*kontaktlinsen+farbige*Linsen+farblinsen+fare+farechase.com+faredata.net+farefinder+fareline.com+faremax.com+fareseek+fareseek.com+faresrus.com+Fargede*lins+Fargedelins+Fargo*Holiday+Fargo*hotel+Fargo*Tourism+Fargo*Travel+Fargo*Trip+Fargo*Vacation+farm*bleeping+farm*house+farm*sluts+farm%2Bphat%2Bshoes+f
arm.freakview.com+farmacy*online+farmcott.co.uk+farmers*almanac+farmers.com+farmers.com/+farmers.com/FarmComm/insurance/index.html+farmgoodsforkids.com+farmhouse+Farmington*hotel+farmington*hotels+Farmington*Inn+Farmington*Travel+Faro*Holiday+Faro*Hotel+Faro*Hotels+Faro*Mazatlan+Faro*resort+Faro*Tourism+Faro*travel+Faro*Trip+Faro*Vacation+faro*viejo+Farol%2BDesign%2BHotel+faroutcasino.com+faroutcasino.com/+Farragut*School+Farragut%2BHigh%2BSchool+Farrell%2BHigh%2BSchool+fart*gag+fart*gift+fart*joke+fart*machine+fart*prank+fart*spray+fart*store+fart%2Bnoise%2Bmaker+fart%2Bsound%2Beffect+farthammer.com+farting*machine+fartmart.com+Farum*hotel+Farvede*lins+Farvedelins+Fasano*hotel+Fasano*hotels+fascination*carnival+fascination%2Bcarnival%2Bcruise+fascination-perfumery.co.uk+fashion*accessories+fashion*accessory+fashion*degree+fashion*design+fashion*designer+fashion*designers+fashion*handbag+fashion*jewelry+fashion*magazine+fashion*merchandising+fashion*mobile+fashion*moda+fashion*outlet+Fashion*Parties+fashion*phone+fashion*school+fashion*shopping+fashion*telefon+fashion*wear+fashion%2Babbigliamento%2Bmoda%2Bitaliana+fashion%2Bmade%2Bitaly+fashion.about.com+fashion.admcity.com/silk-1+fashion.at+fashionaccessories+fashionaccessory+fashionapparel+fashionbit.com+fashionbrokers.com+fashionbrokers.com/shopping_mall/shopbybrand+fashiondesigner+fashiondivanyc.com+fashionfabricsclub.com+fashionfactory.dk+fashionheaven.com+fashionknockoffs.com+fashionmobile+fashionphone+fashionshowroom.com+fashionstore.nl+fashiontelefon+fashiontreasures.com/designer_handbags_purses.htm+fasions.com+fasoft.com/+fasoft.com/what_is.shtm+FAST*ADSL+fast*advance+fast*cash+fast*computer+fast*degrees+Fast*Flip+fast*funds+fast*internet+Fast*IP-adresse+fast*loan+fast*money+fast*online+fast*payday+fast*payouts+fast*porn+fast*reward+fast*seduction+fast*sex+fast*web+fast*weightloss+fast%2B$500%2Bcash%2Badvance+fast%2Badvance%2Bpay+fast%2Bcash%2Bloan+fast%2Bcash%2Bnow+fast%2Bcash%2Bonline+fast%2Bcash%2Bpayday
%2Badvance+fast%2Bcash%2Bpayday%2Bloan+fast%2Bcash%2Bpersonal%2Bloan+fast%2Bcash%2Bsurvey+fast%2Bcash%2Btoday+fast%2Bdial%2Bup+fast%2Beasy%2Bloan+fast%2Beasy%2Bweight%2Bloss+Fast%2Bfood%2Bnutrition+fast%2Bhair%2Bgrowth+fast%2Bhealthy%2Bweight%2Bloss+fast%2Binternet%2Bconnection+Fast%2BIP%2Badresse+fast%2Bloan%2Bapproval+fast%2BMortgage%2BQuote+fast%2Bmuscle%2Bgrowth+fast%2Bonline%2Bpayday%2Bloan+fast%2Bpayday%2Badvance+fast%2Bpayday%2Bloan+fast%2Bweight%2Bloss+fast%2Bweight%2Bloss%2Bdiet+fast%2Bweight%2Bloss%2Bprogram+fast%2Bweight%2Bloss%2Btechnique+fast-funds-online.com+fast-pack.com+fast-payday-loan-online.com+fastap.org+fastap.org/fastap+fastbookreports.com+fastcash+fastcash.com+fastcashanytime.com+fastcashinrealestateforeclosures+fastcashinrealestateforeclosures.com+fastdater.com+fastdates.com+fastdating.nl+fastdissertations.com+faster*computer+faster*dialup+faster*download+faster*internet+faster%2Bdial%2Bup+faster%2Bhair%2Bgrowth+faster%2Binternet%2Bconnection+faster%2Binternet%2Bspeed+fastercredit+fastercredit.com+fastfixdirect.co.uk+fastfloors.com+fastfloors.com/catalog/search2.asp%3FFloorTypeID%3D102+fasthosts.co.uk/+fastimpressions.com.au+fastin+fastin*diet+fastin*drug+fastin*info+FastIPadresse+fastlanehealth.com+fastlaneloans.com+fastloan+fastloans+fastmlmleads.com+fastmoney+fastMortgageQuote+fastodds.com+fastonlineapproval.com+fastonlinefinance.co.uk+fastpay.com+fastpitch*bat+Fastpitch*equipment+Fastpitch*gear+fastporn+fastprinters.com+fastreward+fastrx.com+fastsize.com+fastsize.com/enlarger/+fasttracksports.com+fastun+fastweb+fastweb.com+fastweb.monster.com+fastweightloss+fat*blaster+fat*block+fat*blocker+fat*blockers+fat*burn+fat*burner+fat*burning+fat*bleep+fat*eliminat+fat*bleep+fat*loss+fat*personals+fat*porn+fat*pussy+fat*skin+fat*supplement+fat%2Banal%2Bsex+fat%2Basian%2Bporn+fat%2Basian%2Bpussy+fat%2Bass%2Bblack%2Bwoman+fat%2Bass%2Bwoman+fat%2Bblack%2Bporn+fat%2Bblack%2Bpussy+fat%2Bblack%2Bwoman+fat%2Bblack%2Bwoman%2Bbleeping+fat%2Bblack%2Bwoman%
2Bpic+fat%2Bblack%2Bwoman%2Bporn+Fat%2BBurner%2BPill+fat%2Bbuster%2Bprogram+fat%2Bchick%2Bporn+fat%2Bebony%2Bass+fat%2Bbleep+fat%2Bhorny%2Bwoman+fat%2Bloss%2Bprogram+fat%2Bnaked%2Bchick+fat%2Bnaked%2Bwoman%2Bpic+fat%2Bnaked%2Bwoman%2Bpicture+fat%2Bold%2Bsex+fat%2Bold%2Bwhore+fat%2Bold%2Bwoman%2Bsex+fat%2Bpeople%2Bporn+fat%2Bpussy+fat%2Breducing%2Blotion+fat%2Bsex+fat%2Bsexy%2Bwoman+fat%2Bwhite%2Bwoman+fat%2Bwoman%2Bbutt+fat%2Bwoman%2Bbleep+fat%2Bwoman%2Bbleeping+fat%2Bwoman%2Bhardcore+fat%2Bwoman%2Bhaving%2Bsex+fat%2Bwoman%2Bin%2Bbikini+fat%2Bwoman%2Bin%2Bthong+fat%2Bwoman%2Bmasturbating+fat%2Bwoman%2Bmovie+fat%2Bwoman%2Bnude+fat%2Bwoman%2Bnude%2Bpic+fat%2Bwoman%2Bphoto+fat%2Bwoman%2Bpic+fat%2Bwoman%2Bpicture+fat%2Bwoman%2Bporn+fat%2Bwoman%2Bpussy+fat%2Bwoman%2Bsex+fat%2Bwomen%2Bnaked+fat%2Bwomen%2Bsex+fat%2Bxxx%2Bwoman+fatblaster+fatburn+fatburner+FatBurnerPill+fatburning+fatcow.com+father%2527s%2Bday%2Bgift+father*shirt+father*t-shirt+Father%2BJudge%2BHigh%2BSchool+fathers*day+fathers%2Bday%2Bgifts+fathersday+fatigue*prevent+fatigue*problem+fatigue*solution+Fatima*Hotel+fatloss+fatsupplement+fattonys-blackjack.com+fattonys-roulette.com+fatty*acids+fatty%2Bacids%2Badd+fatty%2Bacids%2Badhd+fatty%2Bacids%2Bfor%2Badd+fatty%2Bacids%2Bfor%2Badhd+fatvanish.com+fatwallet.com+Faubourg*Hotel+faulkner%2Buniversity%2Bonline%2Bclasses+faux*handbag+faux%2Bfur%2Bcoat+faux%2Bfur%2Bthrow+faux%2Blouis%2Bvuitton+faux%2Bpearl%2Bbracelet+faux%2Bpearl%2Bearring+faux%2Bpearl%2Bnecklace+favor*bag+favor*box+favor*ribbon+favor%2Bfor%2Bwedding+favorbag+favorbox+favorforwedding+Favorita*Inn+favorite*team+favoriteplaces.net+favoriterx.com+favorribbon+favors*direct+favors%2Bfor%2Bwedding+favors-to-treasure.com+favorsdirect.com+favorsforwedding+fawcette.com/dotnetmag+fawco.com+Fawsley*Hall+fax*adsl+fax*cartridge+fax*machine+fax*ribbon+fax*software+fax*suppl+fax*supplies+fax*toner+fax%2Bmachine%2Bcartridge+faxribbon+faxworldcom.com+fayetteville*hotels+Fayetteville*Inn+Fayetteville%2BHigh%2BSchoo
l+fbound+fcfus.com+fcpgroton.com+FCUK+FDA%2Bapproved%2Bdrug+fdl-life.com+fdm.dk+fdm.micro-site.dk/+fdnygifts.com+fdu.edu+fdu.edu/centers/cps/childadolescent.html+fdu.quinstreet.com/offline/form.jsp%3FCLK%3D4031914025619954&+fe%2Bsanta%2Bsheraton%2Bsuite+Fear%25c2%25a0of%25c2%25a0Public%25c2%25a0Speak+fear%2Bof%2Bpublic%2Bspeaking+Fearrington*House+feather*boa+Feather*Shuttlecocks+feather-boa+Featherbed*Inn+featherboa+Feathers*Hotel+Feathers*Inn+featherweight+featureprice.com+Fechin*Inn+federal*attorney+federal*auction+federal*grant+federal*grants+federal*law+Federal*lawyer+federal*loan+federal*money+federal*pension+federal*scholarship+federal%2Bconsolidation%2Bstudent%2Bloan+federal%2Bdefense%2Battorney+federal%2Bdefense%2Blawyer+federal%2Bdirect%2Bloan+federal%2Bgovernment%2Bloan+federal%2Bgovernment%2Blost%2Bmoney+federal%2Bincome%2Btax+federal%2Bincome%2Btax%2Bform+federal%2Bsmall%2Bbusiness%2Bloan+federal%2Bstudent%2Bgrant+federal%2Bstudent%2Bloan+federal%2Btax%2Bform+federal%2Btax%2Breturn+federal%2Btax%2Btable+federal%2Bunclaimed%2Bproperty+federaldebtservice.com+federalfirearmslicense.com+federalgrant+federalgrantsource.com+federalloan+federalmoney+federalmortgagecenters.com+federalreserve.gov/pubs/homeline/+federalscholarship+federatedinsurance.com/+fedex*tramadol+fedex*valium+fedex*xanax+fedmoney.com+fedmoney.org+fedusa.com+feeappraiser.com+feel*better+feel*good+feel*health+feel*sexy+feel%2Byounger%2Bpill+feel%2Byounger%2Btreatment+feelgoodcounseling.com/*Natural_Remedies_for_ADHD.htm+feelgoodcounseling.com/ChildADD.htm+feelgreatpills.com+feelingfat.net+feelingsexylingerie.com/lingerie.htm+feelyoungerpill+feelyoungertreatment+feet*sex+fegli+feingold.org+feinkost*bestellen+feinkost*online+feinkost*versand+feinkost-versand+feinkostversand+felix*hotel+fellatio+fellatio*techniques+fellatio*tip+fel

Edited by Papakid, 23 June 2005 - 02:34 AM.


#11 lezbfranz

  • Topic Starter

Posted 22 June 2005 - 05:42 PM

Looks like the Pfind has more stuff when I posted it. I will post it here by itself to see what turns up:


Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\jaaste.dll: UPX!
C:\WINDOWS\KB290333.dll: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\kyf.dat:
%2Bin%2Bvegas+event%2Bplanners%2Bbay%2Barea+event%2Bplanners%2Bmarin+event%2Bplanners%2Boakland+event%2Bplanners%2Bsan%2Bfrancisco+event%2Bplanners%2Bsan%2Bjose+event-planner.com+event411.com+eventinventory.com/search/pubsearch.cfm%3Fclient%3D2777&restart%3Dyes&e%3D1072+eventplanner.com+events.countmein.com+events.date.com/travel_home+everbank+everbank.com+everdial.com+everestnews.altrec.com/shop/dir/0/133/+Everett*hotel+Everglades*Hotel+everglaze.de/shop/swarovski_kristall+Evergreen*hotel+Evergreen*hotels+Evergreen*Lodge+Evergreen*Windbreak+everlastinglove.com+everlastsportswear.com+everquest+eversave.com+evertek.com+everwonder.com/david/scooby+every-appliance.co.uk+everybodycansing/curric.html+everycdljob.com+everycdljobonline.com+everyday*wealth+everydayprint.com+everydaywealth+everydaywealth.com+everydriverjob.com+everydrivingjob.com+everyedge.com+everyfranchise.com+everyhole.com+everyjobintrucking.com+everyonedoesit.com+everyowneroperatorjob.com+everything*teen+everything.se+everythingautomotive+everythingboats.com+everythingelementary.com+everythingfortruckers.com+everythingfortruckers.com/jobs.html+everythinggreen.com+everythingipod.com+everythingmothersday.com+everythingnyc.com+everythingofficefurniture.com+everythingphonesex.com/+everyticket.com+everyticket.com/theater/mamma_mia_tickets+everytruckdrivingjob.com+everytruckingjob.com+everytruckjob+evesham*hotels+Evian-les-Bains*hotel+evidence*eliminator+evidence*eliminator.com+evidence*eraser+evidence-eliminator.com+evidenceeliminator+evidenceeliminator.com+evinco.com+Evinrude+evisionmgr.com+evisionmgr.com/chat+Eviston*House+evita.de+evitamins.com/product.asp%3Fpid%3D1913+evitamins.com/product.asp%3Fpid%3D247+Evora*Hotel+evorahotel+evoucher%2Btax%2Bturbo+Evreux*Hotel+evropashop.com+ew.com/ew/+ewacars.com+ewarrantys.com+ewebcart.com/cgi-bin/cart.pl%3Fmerchant%3D2204+eWebMed.com+eweddingbands.com+ewinner.com+ewmortgage.com+eworld24.de+ex%2Balumnos+ex%2Bhonda%2Bl%2Bodyssey+ex%2Bhonda%2Bpassport+ex%2Bhonda%2Bpilo
t+ex%2Bkia%2Bsedona+ex-alumnos+exa-med.com+exactbags.com+exadrine.com+Exagon*Park+exalumnos+examination*gloves+exampleessays.com+Exanta+excalabur*hotel+excalabur%2Blas%2Bvegas+excaliber*casino+excaliber*hotel+excaliber*vegas+excaliber%2Bhotel%2Blas%2Bvegas+excaliber%2Blas%2Bvegas+excalibur*casino+excalibur*hotel+excalibur*resort+excalibur*vegas+excalibur%2Bcasino%2Blas%2Bvegas+excalibur%2Bhotel%2Blas%2Bvegas+excalibur%2Bin%2Blas%2Bvegas+excalibur%2Blas%2Bvegas+excalibur.casinocity.com+excalibur.casinocity.com/+excaliburlasvegas.com+excallibur*hotel+excel*airline+excel*airway+excel*flight+excel*spreadsheet+excel*tip+excel*travel+excel-communications.biz+excel-orders.com+excel-vba.com+excel.com+excelairways.com+excelbusinesstools.com/solutions.htm+excelcomm.com+excelexgold.com/books/abc1_etheric/abc1_etheric_maintext.htm+excelir.com+excelkurs+excellentdentalplan.com+excellnow.com+Excelsior*hotel+Excelsior%2BPalace%2BTerme+exceltip+excercise*equipment+excess*hair+excess*inventory+excess%2Bbody%2Bhair+excess%2Bfacial%2Bhair+excess%2Btummy%2Bfat+exchangeauthority.com+exchangeprofessionals.com+exciteisp.no+excitement.com+exclaim.freepersonals.cc+exclamation-debt-consolidation.org+exclamationpersonals.com/+exclamationsslots.com/+exclusive*accessor+exclusive%2Bhotels%2Bparis+exclusivebuyersagents.com+exclusivepro.com+excursion*ford+execstyle.com+execstyle.com/fashion.asp+executive*coach+executive*coaches+executive*coaching+executive*gift+executive*gifts+Executive*House+Executive*Inn+Executive*Residence+Executive%2BAirport%2BPlaza+Executive%2BHouse%2BHotel+Executive%2BInn%2BRivermont+executive%2Bwealth%2Bmanagement+Executive%2BWest%2BHotel+executivegift+executivejewishdating.com+exed.hbs.edu/programs/abs/+exedra+exedra%2Bhotel%2Brome+exercise+exercise*bike+exercise*buddy+exercise*dat+exercise*equipment+exercise*machine+exercise*mat+exercise*partner+exercise*plan+exercise*pool+exercise*program+exercise*tape+exercise*video+exercise%2Band%2Bfitness+exercise%2Band%2Bpregnancy+ex
ercise%2Bduring%2Bpregnancy+exercise%2Bfanny%2Bpack+exercise-n-fitness.com+exercise-n-fitness.com/+exercise.about.com+exercise.about.com/cs/abs/tp/abexercises.htm+exerciseequipment+exercisevideo+Exeter*Hotel+Exeter*hotels+Exeter*Inn+exfoliate*skin+exhaust*muffler+Exhaust*Repair+exhibitionist+exhilaration.co.uk+exit*killer+exitkiller+exitotravel+exitotravel.com+exitravel.com+exlibris.se+Exmore*hotels+exodus.co.uk+exofficio.com+exotic*dancer+exotic*dancers+exotic*dancewear+Exotic*Footwear+exotic*stripper+exotic*travel+exotic*vacation+exotic%2Bdance%2Bvideo+exotic%2Bdancer%2Bshoe+exotic%2Berotic+Exotic%2BLeather%2Blingerie+exotic%2Bmassage%2Boil+exotic%2Bsex+exoticautoinc.com+exoticcloset.com+exoticdancelessons.com+ExoticFootwear+exoticgardens.com+exoticlady.net+ExoticLeatherlingerie+exoticredheads.com+exotics-usa.com+exotictravel+exoticvacation+exoticwooddash.com+expat%2Bhealth%2Binsurance+expatriation*USA+expatriation%2B%25c3%25a9tats%2Bunis+expatriation%2Betats%2Bunis+expectant*mother+expectant*parent+expectantmothersguide.com+expedia*travel+expedia*uk+expedia.ca+expedia.co.uk+expedia.co.uk/daily/deals+expedia.co.uk/pub/agent.dll%3Fqscr%3Dcmsh+expedia.com+expedia.com/daily/deals/hotel/Las/default.asp+expedia.com/daily/guides/cruise/Bahamas/default.asp%3Frfrr%3D-26914+expedia.com/daily/guides/p/LAS+expedia.com/daily/guides/p/LAS/+expedia.com/daily/guides/t/hawaii+expedia.com/daily/home/+expedia.com/daily/vacations/europe+expedia.com/pub/agent.dll+expedia.com/pub/agent.dll%3Fqscr%3Dcarw+expedia.com/pub/agent.dll%3Fqscr%3Dfltw+expedia.com/pub/agent.dll%3Fqscr%3Dhtwv+expedia.de+expedia.fr+expedia.it+expedia.nl+expediacom+expediade+expediarx.com+expeditersonline.com+expedition*cruise+expedition*ford+expedition*online+expekt.com+expensive*jean+experian*credit+experian.com+experian.com/consumer/index.htm+experience*gift+expert*diet+expert*satellite+expert%2Bpress%2Brelease+expert-gun-appraisals.com+expert-quotes.net+expertappliance.com+expertcredit.com+expertpills.com/+exp
ertrating.com+expertsatellite+expertsatellite.com+expertsatellite.com/catalog/+expertsatellite.com/catalog/defaultdirecway+expertsatellite.com/catalog/shopping_cart.php+expertsoncredit.com+expired%2Bdomain%2Bsearch+explicit*ebony+explicit*gay+explicit*sex+explicit*voyeur+explicitsex+exploding%2Bgolf%2Bball+explore-mex.com+explorecancun.com+explorefaith.org+explorer*ford+Explorer*Hotel+explorer*online+explorer*sport+explorer%2Bsport%2Btrac+explorica.com+exploringcareers.org+expo*hotel+expo*valencia+expo%2Bhotel%2Bbarcelona+Expo%2BHotel%2BValencia+expocursos.com+Expos*bet+Expos*gamble+Expos*wager+Exposbet+Exposgamble+expository*writing+exposure%2Bto%2Bradioactive%2BIodine+exposuretoradioactiveIodine+Exposwager+Express*Barajas+express*cash+express*delta+express*essen+express*gift+express*kredit+express*l%25c3%25a5n+express*loan+express*loans+express*meds+express*money+express*options+Express%2BScripts%2BMembers+express-advertising.com+express-quote.net+express-res.com+express-scripts.com+express-toners.com+express.com*w2+expressbirthdayplanning.com+expresscashonline.com+expresschemist.co.uk+expresscreditcenter.com+expressgift+EXPRESSIT+expressit.com+expressl%25c3%25a5n+expressmedicines.com+expressonlinepharmacy.com+expresspapers.com+expressprofitsonline.com+expressrefunds.com+expresstoners.com+expresstools.co.uk+Expressway*Inn+expresswhitening.com+exquisiterugs.com+extagen+extagen.com+extagencapsules.com+extend*life+extended*size+Extended*StayAmerica+extended*warranties+extended*warranty+extended%2Bauto%2Bwarranties+extended%2Bcar%2Bwarranties+extended%2Bcar%2Bwarranty+extended%2Bstay%2Bjacksonville+extended%2Bwarranty+extended-warranty.info+extended-warranty.info/carwarranty+extendedstaynetwork.com+extendedwarrantyprovider+extendedwarrantyprovider.com+extendedwarrantysavings.com+extendlife+extension*hair+extension*programs+extension.iastate.edu/e-set/+Extenze+Exton*hotel+Exton*Travel+Exton*Trip+extra*cash+extra*clean+extra*income+extra*money+extra%2Bincome%2Bat%2Bhome
+extra%2Bincome%2Bfrom%2Bhome+extra%2Blarge%2Bclothing+extra%2Blarge%2Bmens+extra%2Blarge%2Bmenswear+extra%2Breading%2Bhelp+Extra-Sensitive*condom+Extra-Strength*condom+extradrugs.biz+extraincome+extralargetv.com+extrapris.com/datorer/apple_datorer.html+extraterrestrial*property+extratouchflorists.com+Extremadura*hotel+extreme*anal+extreme*biking+extreme*cumshots+extreme*cycling+extreme*hardcore+extreme*sex+extreme*sexs+extreme*sport+extreme%2Banal%2Bsex+extremefood.com+extremehalloween.com+extremehalloween.com/+extremephonecards.com+extremepie.com+extremesexxx.com+extremesn.com/thermoedge.html+extremetech.com+extstay.com+Exuviance%2Bby%2BNeoStrata+exxxpress.com+exxzero.com/+eye*care+eye*cream+eye*glasses+eye*makeup+eye*sight+eyeblaster.com+eyebrow*comb+eyebrow*jewelry+eyebrow*piercing+eyebrowpiercing+eyecare+eyechange.com+eyecloud.com+eyeglass*frames+eyeglasses.com+EyeHome*Digital+eyelash*yarn+eyemakeup+eyeoncredit.com+eyeoncredit.com/frequent/index.html+eyestorm.com/+EyeTV*200+Eyewear*Displays+eyewearcentre.com+eyicom.com+ez%2Bbingo+ez%2Bpayday%2Bloan+ez%2Bpop%2Btent%2Bup+ez%2Bwin%2Bbingo+ez-credit-repair.com+ez-credit-repair.com/+ez-debt.biz+ez-mortgageleads.com+ez-web-hosting.com+ez-weightloss.com+ez-weightloss.com/ez-weightloss/producthollywooddiet.html+ez2breathe.com+ezbets.com+ezc.goldlimit.com/+ezdate.net+ezdetective.com+ezdrive+ezdvd+ezdvdcopy+ezdvdcopy.com+Eze*hotel+Eze*hotels+ezgalaxy.com+ezgamblingdirectory.net+ezhealthquotes.com+eziba.com+ezine*ads+ezine*advertising+ezine*directory+ezine*promotion+ezine*publisher+ezine*publishing+ezine*software+ezinfocenter.com+ezinkjets.com+ezklean.com+ezloandocs.com+ezmusicburner.com/+ezopinioncash.com+ezpaydaycash.com+ezpaydaycash.com/+ezpreapproval.com+ezprescribe.com+ezprints.com+ezquotesearch.com+ezshirt.com+ezslotscasino.com+ezsmoke.net+ezsmokes.biz+Ezsportsbetting+ezsportsbetting.com+ezsportsbettingonline.com+ezsweeps.com+eztaxmachine.com+eztobacco.com+eztowork.com+eztowork.com/+ezvcd+ezwatchstore.com+ezydvd.com
.au+F%25c3%25a4rgade*linser+F%25c3%25b6rdr%25c3%25b6jnings*kr%25c3%25a4m+F%25c3%25b6rdr%25c3%25b6jningskr%25c3%25a4m+f%25c3%25b6rmedling%2Bav%2Bannons+f%25c3%25b6rmedling%2Bav%2Bgrat+f%25c3%25b6rs%25c3%25a4kra+F%2B150+f%2Bscott%2Bfitzgerald+f-150+f-school.com+f-secure.com+f150*ford*+f150online.com+f16.aaacafe.ne.jp/~siso/sisolab/G-Tune/2003A_G-Tune.html+f1trading.com+f5000+f5000iii+faa*alcohol+faa*drug+faa%2Bdrug%2Bprogram+faa%2Bdrug%2Btest+faa%2Bdrug%2Btesting+fabao.com+fabdir.com+fabjob.com+fabric*fleece+fabric*online+fabric*store+fabric*swatch+fabric%2Bhammock%2Bonline+fabric%2Bhammock%2Btoy+fabric-at-discount.com+fabric.com+fabricbycotton.com+fabricclub.com+fabricdecor+fabrics.net+fabricstore+fabulousfurs.com+fabulousoffers.com/ctu+FabulousPoker.com+fabulousporn+fabulousporn.com+fabulousskin.com+facade.com+face*care+face*cleanser+face*cream+face*cum+face*mask+face*moisturizer+face*sitting+face*soap+face%2Bjacket%2Bnorth+Face%2BLift%2Bsystem+facecare+facecum+facefacts.com+FaceLiftsystem+facelink.com+facemask+faceofsiberia.com+facesit+facesitting+facethejury.com/+facial*acne+facial*cleanser+facial*cream+facial*cum+facial*cumshot+facial*cumshots+facial*hair+facial*mask+facial*product+facial*toner+facial*waxing+facial%2Bcum+facial%2Bcum%2Bshot%2Bvideo+facial%2Bgrowth%2Bhair%2Binhibitor+Facial%2Bhair%2Bremoval+facial%2Bhair%2Bremoval%2Bcream+facial%2Bhair%2Bremoval%2Bpermanent+facial%2Bhair%2Bremoval%2Bproduct+facial%2Bhair%2Bremover+facial%2Bscar+facial%2Bvein+facialbuffet.com+facialcream+facialcum+facialcumshot+facialcumshots+facialmag.com+facials*cumshot+facials*xxx+facials101.com+facilidate.com+fackelmann+facklitteratur+fact*finder+factfinder+factoring*companies+factoring*company+factory*warranty+factory%2Bdirect%2Bwindow+factorydirectcraft.com+facts%2Babout%2Bstress+facture*detaillee+facture*telephone+fafsa.ed.gov+Fag*litteratur+fagernes*hotel+Fagersta*hotel+Faglitteratur+Fahrrad+fahrradhose+Fahrzeug*Versicherung+failure%2Bto%2Bpay+fair%2Bdebt%2Bcollection+fair%
2Bdebt%2Bcollection%2Bact+fair%2Bdebt%2Bcollection%2Bpractice+Fairbanks*hotel+fairbet.org+fairbet.org/+fairbride.com+faircasinos.com+Fairdealsports+fairdealsports.com+Fairfax*hotel+fairfax*hotels+Fairfax*Travel+Fairfield*Pagosa+Fairfield*resort+Fairfield*Trip+Fairfield*Vacation+fairfield*williamsburg+fairfield%2Bexecutive%2Binn+Fairfield%2BInn%2BBangor+Fairfield%2BInn%2BBloomington+Fairfield%2BInn%2BBroadway+fairfield%2Binn%2Bbuena%2Bpark+Fairfieldhotel+fairfieldresorts+fairfieldresorts.com+Fairhaven*hotel+Fairlawn*hotel+fairmont*banff+fairmont*hotel+fairmont*orchid+Fairmont*Tremblant+Fairmont*Waterfront+Fairmont%2BAcapulco%2BPrincess+fairmont%2Bbanff%2Bsprings+fairmont%2Bbanff%2Bsprings%2Bhotel+Fairmont%2BCopley%2BPlaza%2BHotel+Fairmont%2BEmpress%2BHotel+fairmont%2Bglitter%2Bbay+Fairmont%2BHigh%2BSchool+fairmont%2Bhotel%2Bvancouver+Fairmont%2BJasper%2BPark%2BLodge+Fairmont%2BLe%2BManoir%2BRichelieu+fairmont%2Bolympic%2Bhotel%2Bseattle+fairmont%2Bpierre%2Bmarques+fairmont%2Broyal%2Byork+Fairmont%2BVacation%2BVilla+fairport*hotels+Fairview*hotel+Fairview*Inn+Fairview%2BHigh%2BSchool+Fairway*Hotel+Fairway*Inn+Fairway*Villas+fairway*wood+Fairways%2Bof%2Bthe%2BMountains+fairwaysandgreens.com.au/shop/+Fairwind%2BHotel%2Band%2BSuites+Fairy%2BTale%2Btheme%2Bwedding+fairyland.com.my/download_game.htm+fairyland.in.th/guide/index.php+fairylove.kiev.ua+Faith*hotels+faith.co.uk+faix*schade+faix-schade+fajardo*inn+Fake*Bags+fake*bake+fake*degree+fake*gucci+fake*handbag+Fake*HandBags+fake*loui+fake*louie+fake*louis+fake*luis+fake*lv+fake*nude+fake*nudes+fake*orgasm+fake*purse+fake*teeth+fake*tits+Fake*tombstone+fake*vuitton+fake*watches+fake%2Bbird%2Bpoop+fake%2Bbullet%2Bhole+fake%2Bceleb%2Bnude+fake%2Bcelebrity%2Bjewelry+fake%2Bdesigner%2Bhandbag+fake%2Bdiamond%2Bring+fake%2Bfur%2Bcoat+fake%2Bfur%2Bthrow+fake%2Blotto%2Bticket+fake%2Blouie%2Bvuitton+fake%2Blouis%2Bvuitton+fake%2Blouis%2Bvuitton%2Bhandbag+fake%2Blouis%2Bvuitton%2Bpurse+fake%2Blouis%2Bvuitton%2Bwallet+fake%2Bluis%2
Bvitton+fake%2Bnude%2Bceleb+fake%2Bnude%2Bcelebrity+fake%2Bparking%2Bticket+fake%2Bsmashed%2Bwindshield+fake%2Btan+fakebake4salons.com+fakehandbag+faking*orgasm+faking*orgasms+Fakta*b%25c3%25b8k+Fakta*bok+Faktab%25c3%25b8k+Faktabok+Falcon*hotel+Falcon*motel+Falcon*Point+falconcpa.com+Falconer*hotel+falconerspharmacy.com+Falesia*Hotel+falk.de+Falkirk*hotel+Falkirk*hotels+Fall%2BCreek%2BInn+fall%2Bin%2Blove+fallers.com+Fallon*Trip+Falmouth*hotel+falmouth*hotels+Falmouth*Inn+Falmouth*Trip+Falmouth*Vacation+false*advertising+false*billing+Falsled*Kro+Falster*hotel+Falun*hotel+Falun*hotels+fameindex.co.uk+famiciclovir+familiedvdclub+Families%2BFirst%2BVacation%2BHomes+familiesathome.net+family*accommodation+family*accommodations+family*activity+family*adventure+family*ancestry+family*atlas+family*book+family*crest+family*cruise+family*dental*plan+family*genealogy+family*health+family*healthcare+family*heritage+family*histories+family*history+family*hotel+family*inn+family*insur+Family*Insurance+family*items+family*lawyer+family*lodging+family*medicalcare+family*mobility+family*motto+family*names+family*organizations+family*organizer+family*origin+family*pet+family*planning+family*records+family*report+family*reunion+family*rights+family*saving+family*search+family*software+family*travel+Family*Tree+family*trees+family*trip+family*vacation+family*vacations+family*website+Family%2Bcare%2Bhealth%2Bplan+family%2Bcredit%2Bcounseling%2Bservice+family%2Bdental%2Binsurance+family%2Bdental%2Bplan+family%2Bhealth%2Bbenefit+family%2Bhealth%2Bcare+family%2Bhealth%2Binsur+family%2Bhealth%2Binsurance+family%2Bhealth%2Binsurance%2Bcoverage+family%2Bhealth%2Bplan+family%2Bhistory%2Bsoftware+Family%2Blife%2Barticle+family%2Bmedical%2Bcare+family%2Bmedical%2Bcoverage+family%2Bmedical%2Binsurance+family%2Bmedical%2Bplan+family%2Btree%2Bcreat+family%2Btree%2Bdownload+family%2Btree%2Bmak+family%2Btree%2Bmaker+family%2Btree%2Bsoftware+family%2Bwealth%2Bmanagement+family-friendly-fun.com/files
/*attentiondeficitaddadhd.html+family.org+familyadvantage.com+familyadvantage.org+familyadventures.com+familybook+familycar.com+familycar.com/nextcar.htm+familychristian.com+familychristian.com/shop/product.asp%3FProdID%3D1849+familycircle.com/home/homepage.jsp+familyclick.com+familyconnect.com+familycordblood.com+familycredit.org+familycredit.org/+familycredithelp.org+familycrest+familycruise+familydebt.com+familydoctor.org/men.xml+familyeducation.com+familyeducation.com/subchannel/*0,2794,23-122,00.html+familyeducation.com/subchannel/0,2794,23-122,00.html+familyfirst.net/marriage/beforeido+familyhaven.com+familyhealthinsurance+familyhistory+familyhistory.com+familylife.com+familylife.com/singles.asp+familymeds.com+familymeds.com/familymeds/prescpage.asp%3F+familymobility.com+familyorigin+familysearch+familysearch.org+familyshoppingbag.com+familysoftware+familysweeps.net+familysweeps.net/pacman.html+familytree.com+familytreedna.com+familytreelegends.com+familytreelegends.com/+Famous*Crime+famous*immigrants+Famous*Mugshot+famous%2Bblack%2Bporn%2Bstar+famous%2Birish%2Bimmigrants+Famous%2BMug%2BShot+famous3d.com+famousfootwear.com/shop/womens.asp+famousplayers.com+famouspornstars.com+famtreesoftware.com+famvir+fan-zone.com+fanbay.net+fanbuzz.com+fancifull.com+fancy*glassware+fandango.com+fannie*mae+fannie*may+FANNIEMAE+fanniemae.com+fanniemae.com/index.jhtml+fanniemay+fanny*mae+fannymae+fansedge.com+fansedge.com/Basket+fanstory.com+fantagraphics.com+Fantasia+fantasiawear.com+fantasticfacials.com+fantastique*dvd+fantasty*football+fantasty*game+fantasy*baseball+fantasy*basketball+fantasy*books+fantasy*carnival+fantasy*daggers+fantasy*fame+fantasy*football+fantasy*hockey+fantasy*inn+fantasy*league+fantasy*lingerie+fantasy*sex+fantasy*sports+fantasy*star+fantasy*team+fantasy*wig+fantasy%2Bbaseball%2Bkeeper%2Bleague+fantasy%2Bbaseball%2Bleague+fantasy%2Bbaseball%2Bmanager+fantasy%2Bbaseball%2Bpool+fantasy%2Bcarnival%2Bcruise+fantasy%2Bfootball%2Bbetting+fantasy%2Bhockey%2B
league+fantasy%2Bhockey%2Bsport+fantasy%2Bnba%2Bsport+fantasy%2Bpremiership%2Bsport%2Buk+fantasy%2Bracing%2Bleague+fantasy%2Bsport%2Bgame+fantasy%2Bsport%2Bstatistic+fantasy%2Bsports%2Bleague+fantasy-cruises.com+fantasybaseballcafe.com+fantasybaseballcentral.com+fantasycars.com+fantasyfire.com+fantasyfit.com/whatisff.html+fantasyfootballcafe.com+fantasygames.sportingnews.com/football+fantasyinsights.com+fantasylatina.com+fantasymatch.com+fantasyphonegirls.com+fantasysex+fantasysmackdown.com+fantasysports+fantasysportscasts.com+fantasyspringsresort.com/+fantasytan.com+fantasytoyland.com+fantasyware.com+fantazialingerie.co.uk+fantones.net+fao*Schwarz+Fao.com+faoSchwarz+faoschwarz.com+Far%2BRockaway%2BHigh%2BSchool+Far%2BView%2BLodge+far-sited.com+farbige*kontaktlinsen+farbige*Linsen+farblinsen+fare+farechase.com+faredata.net+farefinder+fareline.com+faremax.com+fareseek+fareseek.com+faresrus.com+Fargede*lins+Fargedelins+Fargo*Holiday+Fargo*hotel+Fargo*Tourism+Fargo*Travel+Fargo*Trip+Fargo*Vacation+farm*bleeping+farm*house+farm*sluts+farm%2Bphat%2Bshoes+farm.freakview.com+farmacy*online+farmcott.co.uk+farmers*almanac+farmers.com+farmers.com/+farmers.com/FarmComm/insurance/index.html+farmgoodsforkids.com+farmhouse+Farmington*hotel+farmington*hotels+Farmington*Inn+Farmington*Travel+Faro*Holiday+Faro*Hotel+Faro*Hotels+Faro*Mazatlan+Faro*resort+Faro*Tourism+Faro*travel+Faro*Trip+Faro*Vacation+faro*viejo+Farol%2BDesign%2BHotel+faroutcasino.com+faroutcasino.com/+Farragut*School+Farragut%2BHigh%2BSchool+Farrell%2BHigh%2BSchool+fart*gag+fart*gift+fart*joke+fart*machine+fart*prank+fart*spray+fart*store+fart%2Bnoise%2Bmaker+fart%2Bsound%2Beffect+farthammer.com+farting*machine+fartmart.com+Farum*hotel+Farvede*lins+Farvedelins+Fasano*hotel+Fasano*hotels+fascination*carnival+fascination%2Bcarnival%2Bcruise+fascination-perfumery.co.uk+fashion*accessories+fashion*accessory+fashion*degree+fashion*design+fashion*designer+fashion*designers+fashion*handbag+fashion*jewelry+fashion*magazine
+fashion*merchandising+fashion*mobile+fashion*moda+fashion*outlet+Fashion*Parties+fashion*phone+fashion*school+fashion*shopping+fashion*telefon+fashion*wear+fashion%2Babbigliamento%2Bmoda%2Bitaliana+fashion%2Bmade%2Bitaly+fashion.about.com+fashion.admcity.com/silk-1+fashion.at+fashionaccessories+fashionaccessory+fashionapparel+fashionbit.com+fashionbrokers.com+fashionbrokers.com/shopping_mall/shopbybrand+fashiondesigner+fashiondivanyc.com+fashionfabricsclub.com+fashionfactory.dk+fashionheaven.com+fashionknockoffs.com+fashionmobile+fashionphone+fashionshowroom.com+fashionstore.nl+fashiontelefon+fashiontreasures.com/designer_handbags_purses.htm+fasions.com+fasoft.com/+fasoft.com/what_is.shtm+FAST*ADSL+fast*advance+fast*cash+fast*computer+fast*degrees+Fast*Flip+fast*funds+fast*internet+Fast*IP-adresse+fast*loan+fast*money+fast*online+fast*payday+fast*payouts+fast*porn+fast*reward+fast*seduction+fast*sex+fast*web+fast*weightloss+fast%2B$500%2Bcash%2Badvance+fast%2Badvance%2Bpay+fast%2Bcash%2Bloan+fast%2Bcash%2Bnow+fast%2Bcash%2Bonline+fast%2Bcash%2Bpayday%2Badvance+fast%2Bcash%2Bpayday%2Bloan+fast%2Bcash%2Bpersonal%2Bloan+fast%2Bcash%2Bsurvey+fast%2Bcash%2Btoday+fast%2Bdial%2Bup+fast%2Beasy%2Bloan+fast%2Beasy%2Bweight%2Bloss+Fast%2Bfood%2Bnutrition+fast%2Bhair%2Bgrowth+fast%2Bhealthy%2Bweight%2Bloss+fast%2Binternet%2Bconnection+Fast%2BIP%2Badresse+fast%2Bloan%2Bapproval+fast%2BMortgage%2BQuote+fast%2Bmuscle%2Bgrowth+fast%2Bonline%2Bpayday%2Bloan+fast%2Bpayday%2Badvance+fast%2Bpayday%2Bloan+fast%2Bweight%2Bloss+fast%2Bweight%2Bloss%2Bdiet+fast%2Bweight%2Bloss%2Bprogram+fast%2Bweight%2Bloss%2Btechnique+fast-funds-online.com+fast-pack.com+fast-payday-loan-online.com+fastap.org+fastap.org/fastap+fastbookreports.com+fastcash+fastcash.com+fastcashanytime.com+fastcashinrealestateforeclosures+fastcashinrealestateforeclosures.com+fastdater.com+fastdates.com+fastdating.nl+fastdissertations.com+faster*computer+faster*dialup+faster*download+faster*internet+faster%2Bdial%2Bup+faster
%2Bhair%2Bgrowth+faster%2Binternet%2Bconnection+faster%2Binternet%2Bspeed+fastercredit+fastercredit.com+fastfixdirect.co.uk+fastfloors.com+fastfloors.com/catalog/search2.asp%3FFloorTypeID%3D102+fasthosts.co.uk/+fastimpressions.com.au+fastin+fastin*diet+fastin*drug+fastin*info+FastIPadresse+fastlanehealth.com+fastlaneloans.com+fastloan+fastloans+fastmlmleads.com+fastmoney+fastMortgageQuote+fastodds.com+fastonlineapproval.com+fastonlinefinance.co.uk+fastpay.com+fastpitch*bat+Fastpitch*equipment+Fastpitch*gear+fastporn+fastprinters.com+fastreward+fastrx.com+fastsize.com+fastsize.com/enlarger/+fasttracksports.com+fastun+fastweb+fastweb.com+fastweb.monster.com+fastweightloss+fat*blaster+fat*block+fat*blocker+fat*blockers+fat*burn+fat*burner+fat*burning+fat*bleep+fat*eliminat+fat*bleep+fat*loss+fat*personals+fat*porn+fat*pussy+fat*skin+fat*supplement+fat%2Banal%2Bsex+fat%2Basian%2Bporn+fat%2Basian%2Bpussy+fat%2Bass%2Bblack%2Bwoman+fat%2Bass%2Bwoman+fat%2Bblack%2Bporn+fat%2Bblack%2Bpussy+fat%2Bblack%2Bwoman+fat%2Bblack%2Bwoman%2Bbleeping+fat%2Bblack%2Bwoman%2Bpic+fat%2Bblack%2Bwoman%2Bporn+Fat%2BBurner%2BPill+fat%2Bbuster%2Bprogram+fat%2Bchick%2Bporn+fat%2Bebony%2Bass+fat%2Bbleep+fat%2Bhorny%2Bwoman+fat%2Bloss%2Bprogram+fat%2Bnaked%2Bchick+fat%2Bnaked%2Bwoman%2Bpic+fat%2Bnaked%2Bwoman%2Bpicture+fat%2Bold%2Bsex+fat%2Bold%2Bwhore+fat%2Bold%2Bwoman%2Bsex+fat%2Bpeople%2Bporn+fat%2Bpussy+fat%2Breducing%2Blotion+fat%2Bsex+fat%2Bsexy%2Bwoman+fat%2Bwhite%2Bwoman+fat%2Bwoman%2Bbutt+fat%2Bwoman%2Bbleep+fat%2Bwoman%2Bbleeping+fat%2Bwoman%2Bhardcore+fat%2Bwoman%2Bhaving%2Bsex+fat%2Bwoman%2Bin%2Bbikini+fat%2Bwoman%2Bin%2Bthong+fat%2Bwoman%2Bmasturbating+fat%2Bwoman%2Bmovie+fat%2Bwoman%2Bnude+fat%2Bwoman%2Bnude%2Bpic+fat%2Bwoman%2Bphoto+fat%2Bwoman%2Bpic+fat%2Bwoman%2Bpicture+fat%2Bwoman%2Bporn+fat%2Bwoman%2Bpussy+fat%2Bwoman%2Bsex+fat%2Bwomen%2Bnaked+fat%2Bwomen%2Bsex+fat%2Bxxx%2Bwoman+fatblaster+fatburn+fatburner+FatBurnerPill+fatburning+fatcow.com+father%2527s%2Bday%2Bgift+father*shi
rt+father*t-shirt+Father%2BJudge%2BHigh%2BSchool+fathers*day+fathers%2Bday%2Bgifts+fathersday+fatigue*prevent+fatigue*problem+fatigue*solution+Fatima*Hotel+fatloss+fatsupplement+fattonys-blackjack.com+fattonys-roulette.com+fatty*acids+fatty%2Bacids%2Badd+fatty%2Bacids%2Badhd+fatty%2Bacids%2Bfor%2Badd+fatty%2Bacids%2Bfor%2Badhd+fatvanish.com+fatwallet.com+Faubourg*Hotel+faulkner%2Buniversity%2Bonline%2Bclasses+faux*handbag+faux%2Bfur%2Bcoat+faux%2Bfur%2Bthrow+faux%2Blouis%2Bvuitton+faux%2Bpearl%2Bbracelet+faux%2Bpearl%2Bearring+faux%2Bpearl%2Bnecklace+favor*bag+favor*box+favor*ribbon+favor%2Bfor%2Bwedding+favorbag+favorbox+favorforwedding+Favorita*Inn+favorite*team+favoriteplaces.net+favoriterx.com+favorribbon+favors*direct+favors%2Bfor%2Bwedding+favors-to-treasure.com+favorsdirect.com+favorsforwedding+fawcette.com/dotnetmag+fawco.com+Fawsley*Hall+fax*adsl+fax*cartridge+fax*machine+fax*ribbon+fax*software+fax*suppl+fax*supplies+fax*toner+fax%2Bmachine%2Bcartridge+faxribbon+faxworldcom.com+fayetteville*hotels+Fayetteville*Inn+Fayetteville%2BHigh%2BSchool+fbound+fcfus.com+fcpgroton.com+FCUK+FDA%2Bapproved%2Bdrug+fdl-life.com+fdm.dk+fdm.micro-site.dk/+fdnygifts.com+fdu.edu+fdu.edu/centers/cps/childadolescent.html+fdu.quinstreet.com/offline/form.jsp%3FCLK%3D4031914025619954&+fe%2Bsanta%2Bsheraton%2Bsuite+Fear%25c2%25a0of%25c2%25a0Public%25c2%25a0Speak+fear%2Bof%2Bpublic%2Bspeaking+Fearrington*House+feather*boa+Feather*Shuttlecocks+feather-boa+Featherbed*Inn+featherboa+Feathers*Hotel+Feathers*Inn+featherweight+featureprice.com+Fechin*Inn+federal*attorney+federal*auction+federal*grant+federal*grants+federal*law+Federal*lawyer+federal*loan+federal*money+federal*pension+federal*scholarship+federal%2Bconsolidation%2Bstudent%2Bloan+federal%2Bdefense%2Battorney+federal%2Bdefense%2Blawyer+federal%2Bdirect%2Bloan+federal%2Bgovernment%2Bloan+federal%2Bgovernment%2Blost%2Bmoney+federal%2Bincome%2Btax+federal%2Bincome%2Btax%2Bform+federal%2Bsmall%2Bbusiness%2Bloan+federal%2Bstudent%
2Bgrant+federal%2Bstudent%2Bloan+federal%2Btax%2Bform+federal%2Btax%2Breturn+federal%2Btax%2Btable+federal%2Bunclaimed%2Bproperty+federaldebtservice.com+federalfirearmslicense.com+federalgrant+federalgrantsource.com+federalloan+federalmoney+federalmortgagecenters.com+federalreserve.gov/pubs/homeline/+federalscholarship+federatedinsurance.com/+fedex*tramadol+fedex*valium+fedex*xanax+fedmoney.com+fedmoney.org+fedusa.com+feeappraiser.com+feel*better+feel*good+feel*health+feel*sexy+feel%2Byounger%2Bpill+feel%2Byounger%2Btreatment+feelgoodcounseling.com/*Natural_Remedies_for_ADHD.htm+feelgoodcounseling.com/ChildADD.htm+feelgreatpills.com+feelingfat.net+feelingsexylingerie.com/lingerie.htm+feelyoungerpill+feelyoungertreatment+feet*sex+fegli+feingold.org+feinkost*bestellen+feinkost*online+feinkost*versand+feinkost-versand+feinkostversand+felix*hotel+fellatio+fellatio*techniques+fellatio*tip+fellows.com+FELONY*CHARGE+felpa*sportive+felpa%2Bvendita%2Bon%2Bline+femailcreations.com+female*arousal+female*bald+female*baldness+female*bisexual+female*bondage+female*clean+female*cleaner+female*cleaning+female*condom+female*cum+female*domination+female*ejaculation+female*enhancement+female*enhancer+female*erotica+female*escort+female*escorts+female*hormone+female*impotence+female*intercourse+female*libido+female*masterbation+female*orgasm+female*pheromone+female*pleasure+female*product+female*seduction+female*sex+female*single+female*stripper+female*testosterone+female*viagra+female*xxx+female%2Banal%2Bsex+female%2Bbody%2Bbuilding+female%2Bbondage+female%2Bdomination+female%2Bejaculation+female%2Benhancement%2Bproduct+female%2Bexotic%2Bdancers+female%2Bgenital%2Bshaving+female%2Bhair%2Bloss+female%2Bhairy%2Barmpit+female%2Blibido%2Benhanc+female%2Bmasturbation+female%2Borgasm+female%2Borgasm%2Benhanc+female%2Bpattern%2Bbaldness+female%2Bpornography+female%2Bsex+female%2Bsex%2Bdoll+Female%2BSex%2BDrive%2BEnhance+female%2Bsex%2Benhance+female%2Bsexual%2Benhanc+Female%2BSexual%2BEnhanc
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\tdbOs.dll: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\BN\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\BN\Application Data folder

#12 Papakid

  • Malware Response Team

Posted 23 June 2005 - 02:27 AM

Jeez, Louise, that dat file is something else! :thumbsup: I'll edit that partial pfind out so we don't have to scroll so much. Edit: Never mind, there is some kind of strange eternal loop thing going on with that.

OK, let's try this:

Print out or copy these instructions to Notepad as you won't have access to this page in safe mode.

1. Download killbox from here:

KillBox

Unzip the folder to your desktop.

2. Download and unzip HSFix to a folder of its own from one of these locations:
http://www.atribune.org/downloads/HSFix.zip
http://users.pandora.be/bluepatchy/HSFix.exe
Don't use it yet.

3. Download the file clear.reg attached below.

4. Reboot your computer into Safe Mode

5. Open the HSFix folder and run the hsfix.bat, wait until it's finished.

6. Go to Start>Run and type in services.msc and press Enter.

Look for the following service in the main pane and double-click to open its Properties.

.NET Framework Service

Click the Stop button if it's not grayed out.

In the Startup type field, click the little blue arrow to reveal the drop down menu and choose Disabled.

Click OK.

7. Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked:

O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

8. Start Killbox.exe

*Select the Delete on reboot option.
*Copy the complete text in bold below to the clipboard by highlighting it and pressing Control-C:

C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\KB290333.dll
C:\WINDOWS\jaaste.dll
C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\tdbOs.dll
C:\WINDOWS\SYSTEM32\draw32.dll
C:\WINDOWS\SYSTEM32\vtd_16.exe


*Go to the File menu of Killbox, and choose "Paste from Clipboard".
*Click the "Delete File" button that is a red-and-white X. When asked if you want to delete these files say Yes. When asked if you want to reboot now, say No.
*Exit Killbox.

9. Double click on clear.reg and allow it to merge with your registry.

10. Reboot back to normal mode. Post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt, run pfind again and post that log as well.

Sorry it's taken me so long to get back to you. We'll deal with the firewall and some other stuff later.

This reg file is meant to be run only on lezbfranz's system and no one else's.

Attached Files


Edited by Papakid, 23 June 2005 - 02:42 AM.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan
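
Added example (not part of Papakid's post and not HijackThis's own logic): a small Python triage pass over HijackThis entries that applies two checks visible in step 7 above, a target marked "(file missing)" and a core Windows process name such as svchost.exe sitting outside System32. The process-name list and the `triage` function are assumptions made for this illustration; the sample lines are copied from the logs in this thread.

```python
import re
from pathlib import PureWindowsPath

# Assumed list: core Windows XP processes that belong in ...\System32 only.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O23 - Service: ..."
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)

# Entries copied from the HijackThis logs in this thread.
SAMPLE = r"""
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: RamSoft Cache (RamSoftCacheServer1) (RamSoftCacheServer1) - Unknown owner - C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE
"""

def triage(log_text):
    """Return (section, reasons, line) for each entry worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue                      # headers, process list, blank lines
        section, body = m.groups()
        reasons = []
        # HijackThis appends this marker when the referenced file is not on disk.
        if body.lower().endswith("(file missing)"):
            reasons.append("target file missing")
        p = WIN_PATH.search(body)
        if p:
            path = PureWindowsPath(p.group(0))
            # Same name as a system process, but not in the System32 folder.
            if (path.name.lower() in SYSTEM32_ONLY
                    and path.parent.name.lower() != "system32"):
                reasons.append("system process name outside System32")
        if reasons:
            findings.append((section, reasons, line))
    return findings

if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE):
        print(f"{section}: {', '.join(reasons)}\n    {line}")
```

The `ntddetect.exe` Run entry passes both checks, and the legitimate RamSoft service also shows "Unknown owner", so these heuristics only narrow down what a helper still has to judge by hand.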


#13 lezbfranz


Posted 23 June 2005 - 08:02 AM

Is the clear.reg set up to know my account name? I tried to open it to look at it and make sure but guess I can't without running it---so stopped!

Thanks!

#14 lezbfranz


Posted 23 June 2005 - 08:38 AM

OKIE DOKIE! I only found O4 - HKCU\..\Run: [ntddetect] from the list you gave me. Here are the logs:

HijackLOG

Logfile of HijackThis v1.99.1
Scan saved at 8:23:17 AM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart IE_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {DF2C1F36-2C51-4356-B13A-051EC07CD210} (RamSoft Web Installer) - http://192.168.50.135/powerreader/PRInstall.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RamSoft Cache (RamSoftCacheServer1) (RamSoftCacheServer1) - Unknown owner - C:\Program Files\RamSoft\PowerReader\Servers\RamSoftCacheServer1\prcacheservice.EXE

HSFixLOG


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate


PFIND LOG

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder


Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\Beth Nail\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\Beth Nail\Application Data folder



:thumbsup:

#15 Papakid

  • Malware Response Team

Posted 23 June 2005 - 10:14 AM

Hi Denise,

Not sure what you mean about the reg file, but it has nothing to do with any accounts. If you haven't already, just save it to your desktop and run it on your infected machine. My little note was to anyone else who reads this topic and thinks it could fix their problem.

Good news. The HJT log is clean now. Good job! How's it running?

Go ahead and run Silent Runners again and post that log and let me check it.

Also you have some stray leftovers that can be cleaned up, most of them are harmless. For example, looks like you had Norton installed at one time since Live Update still appears in your scheduled tasks. So do this also please:

Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.

If you aren't getting unusual popups or any other strange behavior, you need to immediately change all the passwords you use on your machine as this trojan steals info and includes a keylogger. I've got a basic setup and don't really know much about routers, but I would think it hasn't done the job with all the infections your system had and a software firewall would be preferable.

I'm going to be pretty busy on and offline today. But will try to check in on you either tonight or in the morning. There is a reg file that might fix the Windows Firewall I'll need to run down, but I would suggest that you install a software firewall at the first opportunity.
