Google Search Bar & Home Page Hijack


13 replies to this topic

#1 beg4mercy


Posted 21 February 2007 - 01:14 AM

I keep getting a fake google search page after I use my google search bar. Help Please.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:11 PM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\inet20126\socks.exe
C:\WINNT\inet20126\free.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\inet20126\wpcem.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\systems.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [c1adc88f0c11] C:\WINNT\system32\amstream.exe
O4 - HKLM\..\Run: [4JFQFD83F6S@DL] C:\WINNT\system32\Htw0Uz0.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINNT\inet20126\socks.exe
O4 - HKLM\..\Run: [Microsoft WWW] C:\WINNT\inet20126\free.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20126\svchost.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe



#2 -David-


Posted 21 February 2007 - 11:46 AM

Hello beg4mercy, my name is David, welcome to BC!

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the Hijackthis log you posted I can see you are infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

I've researched the entries, and found this information, in case you find it useful:

Trojan-Proxy.Win32.Xorpix.Fam is a family of trojans that allow a remote attacker to control the infected machine and use it to direct traffic to the internet without the user's knowledge. The Xorpix trojans lower the security of the machine by terminating process of security applications such as firewalls and anti-virus programs. Xorpix may also download additional malware from the internet. The infected machine may become part of a network of infected machines and used by the attacker to send spam or perform other malicious activities.

So, that's the first thing, I recommend you change your passwords.
Here are useful links, in case you wish to read more on the infection you have:
http://research.sunbelt-software.com/threa...;threatid=44436

In fact your system is so riddled with infection, I should give you an option to reformat. The problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

You are dealing with some very nasty pieces of malware...
These allow hackers to remotely control your computer, steal critical system information and download and execute files.

Though the infections may be identified and can be killed, because of its functionality, your PC is compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of malware, the best course of action would be a reformat and reinstall of the OS.
I think I would definitely recommend that you reformat and start afresh with a PC you can trust.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Let me know what you wish to do - I understand that sometimes with this kind of topic, you might wish not to reformat as you want to keep all your files and do not want the inconvenience of starting afresh, but as I said before it's a good idea to start afresh - Don't forget all your files/folders can be backed-up onto a disc/USB drive.

Let me know what you want to do.
David
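
Added example, not part of David's reply and not his stated method: one way to triage a HijackThis log like the one in post #1 by applying a few review heuristics to its O2, O4 and "(file missing)" entries. The sample lines are copied from that log; the heuristic names, the trusted-directory list and the system-process list are assumptions made for this illustration, and a hit means "look at this entry", not a verdict.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\systems.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINNT\inet20126\socks.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20126\svchost.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Assumptions for this host: the log's own system processes run from
# C:\WINNT\system32, and installed software lives under Program Files.
SYSTEM_DIR = "c:\\winnt\\system32"
TRUSTED_PREFIXES = (SYSTEM_DIR + "\\", "c:\\program files\\", "c:\\progra~1\\")
# Names of core Windows processes that malware commonly borrows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "csrss.exe"}

RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>.+?)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)"
                    r"(?: \(file missing\))?$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)


def exe_path(cmd):
    """Return the executable part of a Run-key command line, lower-cased."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)).lower() if m else cmd.lower()


def check_line(line):
    """Return the names of the heuristics that one log line trips."""
    hits = []
    # The registry still points at a file that is no longer on disk.
    if line.endswith("(file missing)"):
        hits.append("orphaned-entry")
    run = RUN_RE.match(line)
    if run:
        path = exe_path(run["cmd"])
        folder = dirname(path)
        # A core system process name launched from anywhere but system32.
        if basename(path) in SYSTEM_NAMES and folder != SYSTEM_DIR:
            hits.append("system-name-outside-system32")
        # A value labelled "Microsoft ..." whose binary sits outside the
        # trusted directories. Bare names (no folder) resolve via PATH.
        if (folder and run["name"].lower().startswith("microsoft")
                and not path.startswith(TRUSTED_PREFIXES)):
            hits.append("microsoft-label-outside-trusted-dir")
    bho = BHO_RE.match(line)
    if bho and bho["name"] == "(no name)":
        # An unnamed browser helper object loaded straight from a drive root.
        if re.fullmatch(r"[a-z]:\\", dirname(bho["path"].lower())):
            hits.append("unnamed-bho-in-drive-root")
    return hits


def triage(log_text):
    """Return (line, reasons) for every line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = check_line(line) if line else []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

Entries that pass every check are not thereby cleared; the heuristics only rank what to read first.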

#3 beg4mercy


Posted 21 February 2007 - 09:37 PM

First off.....thanks for taking your time out to help. I only use this PC for fun. I do have tons of music, programs and movies on it and chose not to reformat. There's nothing of "value" on here at all. I don't have to check my bank account on here but I do pay a few bills every now and then. If my PC totally crashed I'd buy a new one and just have to start over. But, if you could help me salvage my way through this one I'd appreciate it. I consider myself a step below advanced user so some things I've read in other topics I understand and some things I didn't. Just let me know where I begin.

#4 -David-


Posted 22 February 2007 - 04:39 AM

Sure thing beg4mercy, no problem at all, I'm happy to try and fix this.
You have quite a number of infections, so we'll take one at a time.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#5 beg4mercy


Posted 22 February 2007 - 09:40 PM

SmitFraudFix v2.144

Scan done at 18:18:23.32, Thu 02/22/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 ad.sma.punto.net
127.0.0.1 ad.smni.com
127.0.0.1 ad.suprnova.org
127.0.0.1 ad.tbn.ru
127.0.0.1 ad.tv2.no
127.0.0.1 ad.uk.tangozebra.com
127.0.0.1 ad.usatoday.com
127.0.0.1 ad.ve.doubleclick.net
127.0.0.1 ad.webprovider.com
127.0.0.1 ad01.focalink.com
127.0.0.1 ad01.mediacorpsingapore.com
127.0.0.1 ad02.focalink.com
127.0.0.1 ad03.focalink.com
127.0.0.1 ad04.focalink.com
127.0.0.1 ad05.focalink.com
127.0.0.1 ad06.focalink.com
127.0.0.1 ad07.focalink.com
127.0.0.1 ad08.focalink.com
127.0.0.1 ad09.focalink.com
127.0.0.1 ad1.hotel.com
127.0.0.1 ad1.lbn.ru
127.0.0.1 ad1.peel.com
127.0.0.1 ad10.focalink.com
127.0.0.1 ad11.focalink.com
127.0.0.1 ad12.focalink.com
127.0.0.1 ad13.focalink.com
127.0.0.1 ad14.focalink.com
127.0.0.1 ad15.focalink.com
127.0.0.1 ad16.focalink.com
127.0.0.1 ad17.focalink.com
127.0.0.1 ad18.focalink.com
127.0.0.1 ad19.focalink.com
127.0.0.1 ad2.hotel.com
127.0.0.1 ad2.lbn.ru
127.0.0.1 ad2.pamedia.com
127.0.0.1 ad2.peel.com
127.0.0.1 ad2.smni.com
127.0.0.1 ad3.lbn.ru
127.0.0.1 ad4.lbn.ru
127.0.0.1 ad5.lbn.ru
127.0.0.1 adbot.theonion.com
127.0.0.1 adcentric.randomseed.com
127.0.0.1 adcentriconline.com
127.0.0.1 adcontent.gamespy.com
127.0.0.1 adcontroller.unicast.com
127.0.0.1 adcreative.tribuneinteractive.com
127.0.0.1 adcycle.icpeurope.net
127.0.0.1 adex1.flycast.com
127.0.0.1 adex2.flycast.com
127.0.0.1 adex3.flycast.com
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 adforce.ads.imgis.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adfu.blockstackers.com
127.0.0.1 adgraphics.theonion.com
127.0.0.1 adgroup.naver.com
127.0.0.1 adi.mainichi.co.jp
127.0.0.1 adimage.asia1.com.sg
127.0.0.1 adimage.asiaone.com
127.0.0.1 adimage.asiaone.com.sg
127.0.0.1 adimage.blm.net
127.0.0.1 adimages.earthweb.com
127.0.0.1 adimages.go.com
127.0.0.1 adimages.mp3.com
127.0.0.1 adincl.gopher.com
127.0.0.1 adj1.thruport.com
127.0.0.1 adj10.thruport.com
127.0.0.1 adj11.thruport.com
127.0.0.1 adj12.thruport.com
127.0.0.1 adj13.thruport.com
127.0.0.1 adj14.thruport.com
127.0.0.1 adj15.thruport.com
127.0.0.1 adj16.thruport.com
127.0.0.1 adj16r1.thruport.com
127.0.0.1 adj17.thruport.com
127.0.0.1 adj18.thruport.com
127.0.0.1 adj2.thruport.com
127.0.0.1 adj3.thruport.com
127.0.0.1 adj4.thruport.com
127.0.0.1 adj5.thruport.com
127.0.0.1 adj6.thruport.com
127.0.0.1 adj7.thruport.com
127.0.0.1 adj8.thruport.com
127.0.0.1 adj9.thruport.com
127.0.0.1 adjuggler.yourdictionary.com
127.0.0.1 adman.freeze.com
127.0.0.1 admanager.btopenworld.com
127.0.0.1 admedia.xoom.com
127.0.0.1 admin.digitalacre.com
127.0.0.1 adnet.chicago.tribune.com
127.0.0.1 adnetwork.nextgen.net
127.0.0.1 adng.ascii24.com
127.0.0.1 adpepper.dk
127.0.0.1 adpick.switchboard.com
127.0.0.1 adpulse.ads.targetnet.com
127.0.0.1 adpush.dreamscape.com
127.0.0.1 adremote.pathfinder.com
127.0.0.1 adremote.timeinc.net
127.0.0.1 ads-direct.prodigy.net
127.0.0.1 ads.accelerator-media.com
127.0.0.1 ads.active.com
127.0.0.1 ads.ad-flow.com
127.0.0.1 ads.adcorps.com
127.0.0.1 ads.addesktop.com
127.0.0.1 ads.addynamix.com
127.0.0.1 ads.admaximize.com
127.0.0.1 ads.admonitor.net
127.0.0.1 ads.adsag.com
127.0.0.1 ads.adtegrity.net
127.0.0.1 ads.adviva.net
127.0.0.1 ads.adworldnetwork.com
127.0.0.1 ads.ah-ha.com
127.0.0.1 ads.allsites.com
127.0.0.1 ads.amazingmedia.com
127.0.0.1 ads.anm.co.uk
127.0.0.1 ads.as4x.tmcs.net
127.0.0.1 ads.as4x.tmcs.ticketmaster.ca
127.0.0.1 ads.asia1.com
127.0.0.1 ads.asia1.com.sg
127.0.0.1 ads.astalavista.us
127.0.0.1 ads.auctioncity.co.nz
127.0.0.1 ads.bangkokpost.co.th
127.0.0.1 ads.banner.t-online.de
127.0.0.1 ads.beliefnet.com
127.0.0.1 ads.belointeractive.com
127.0.0.1 ads.bfast.com
127.0.0.1 ads.bigcitytools.com
127.0.0.1 ads.bloomberg.com
127.0.0.1 ads.bluemountain.com
127.0.0.1 ads.bonnint.net
127.0.0.1 ads.box.sk
127.0.0.1 ads.businessweek.com
127.0.0.1 ads.camrecord.com
127.0.0.1 ads.canoe.ca
127.0.0.1 ads.cbc.ca
127.0.0.1 ads.champs-elysees.com
127.0.0.1 ads.channel4.com
127.0.0.1 ads.checkm8.co.za
127.0.0.1 ads.chumcity.com
127.0.0.1 ads.clickability.com
127.0.0.1 ads.clickad.com.pl
127.0.0.1 ads.clickagents.com
127.0.0.1 ads.clickhouse.com
127.0.0.1 ads.clickthru.net
127.0.0.1 ads.collegemix.com
127.0.0.1 ads.coopson.com
127.0.0.1 ads.courierpostonline.com
127.0.0.1 ads.cpsgsoftware.com
127.0.0.1 ads.democratandchronicle.com
127.0.0.1 ads.dennisnet.co.uk
127.0.0.1 ads.desmoinesregister.com
127.0.0.1 ads.developershed.com
127.0.0.1 ads.deviantart.com
127.0.0.1 ads.digital-digest.com
127.0.0.1 ads.digitalacre.com
127.0.0.1 ads.digitalhealthcare.com
127.0.0.1 ads.digitalmedianet.com
127.0.0.1 ads.discovery.com
127.0.0.1 ads.drf.com
127.0.0.1 ads.economist.com
127.0.0.1 ads.enliven.com
127.0.0.1 ads.euniverseads.com
127.0.0.1 ads.examiner.net
127.0.0.1 ads.exhedra.com
127.0.0.1 ads.fairfax.com.au
127.0.0.1 ads.flabber.nl
127.0.0.1 ads.fool.com
127.0.0.1 ads.forbes.com
127.0.0.1 ads.fortunecity.com
127.0.0.1 ads.fredericksburg.com
127.0.0.1 ads.freshmeat.net
127.0.0.1 ads.ft.com
127.0.0.1 ads.gamespy.com
127.0.0.1 ads.gamespyid.com
127.0.0.1 ads.gateway.com
127.0.0.1 ads.globeandmail.com
127.0.0.1 ads.gorillanation.com
127.0.0.1 ads.granadamedia.com
127.0.0.1 ads.greenvilleonline.com
127.0.0.1 ads.guardian.co.uk
127.0.0.1 ads.guardianunlimited.co.uk
127.0.0.1 ads.hamptonroads.com
127.0.0.1 ads.hamtonroads.com
127.0.0.1 ads.hardwarezone.com
127.0.0.1 ads.heraldsun.com
127.0.0.1 ads.hitcents.com
127.0.0.1 ads.hollywood.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.icq.com
127.0.0.1 ads.ign.com
127.0.0.1 ads.illuminatednation.com
127.0.0.1 ads.indiatimes.com
127.0.0.1 ads.indystar.com
127.0.0.1 ads.inetdirectories.com
127.0.0.1 ads.infi.net
127.0.0.1 ads.injersey.com
127.0.0.1 ads.iol.co.il
127.0.0.1 ads.isat-tech.com
127.0.0.1 ads.isoftmarketing.com
127.0.0.1 ads.jacksonville.com
127.0.0.1 ads.jeneauempire.com
127.0.0.1 ads.jpost.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.kleinman.com
127.0.0.1 ads.ksl.com
127.0.0.1 ads.link4ads.com
127.0.0.1 ads.linksponsor.com
127.0.0.1 ads.linktracking.net
127.0.0.1 ads.list-universe.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.madison.com
127.0.0.1 ads.mcafee.com
127.0.0.1 ads.mdchoice.com
127.0.0.1 ads.mediaodyssey.com
127.0.0.1 ads.mediaturf.net
127.0.0.1 ads.mgnetwork.com
127.0.0.1 ads.mindsetnetwork.com
127.0.0.1 ads.mircx.com
127.0.0.1 ads.mm.ap.org
127.0.0.1 ads.mouseplanet.com
127.0.0.1 ads.mustangworks.com
127.0.0.1 ads.mytelus.com
127.0.0.1 ads.nandomedia.com
127.0.0.1 ads.nationalreview.com
127.0.0.1 ads.nerve.com
127.0.0.1 ads.newcity.com
127.0.0.1 ads.newsint.co.uk
127.0.0.1 ads.newsquest.co.uk
127.0.0.1 ads.newtimes.com
127.0.0.1 ads.ninemsn.com.au
127.0.0.1 ads.northjersey.com
127.0.0.1 ads.ntadvice.com
127.0.0.1 ads.nwsource.com
127.0.0.1 ads.nyjournalnews.com
127.0.0.1 ads.nypost.com
127.0.0.1 ads.nytimes.com
127.0.0.1 ads.omaha.com
127.0.0.1 ads.orsm.net
127.0.0.1 ads.osdn.com
127.0.0.1 ads.parrysound.com
127.0.0.1 ads.peel.com
127.0.0.1 ads.pennyweb.com
127.0.0.1 ads.pg.valueclick.net
127.0.0.1 ads.pilotonline.com
127.0.0.1 ads.pointroll.com
127.0.0.1 ads.premiumnetwork.com
127.0.0.1 ads.pressdemo.com
127.0.0.1 ads.prisacom.com
127.0.0.1 ads.pro-market.net
127.0.0.1 ads.queendom.com
127.0.0.1 ads.quicken.com
127.0.0.1 ads.rackshack.net
127.0.0.1 ads.realcities.com
127.0.0.1 ads.rediff.com
127.0.0.1 ads.register.com
127.0.0.1 ads.revenue.net
127.0.0.1 ads.roanoke.com
127.0.0.1 ads.rodale.com
127.0.0.1 ads.rondomondo.com
127.0.0.1 ads.savannahnow.com
127.0.0.1 ads.scabee.com
127.0.0.1 ads.schwabtrader.com
127.0.0.1 ads.seattletimes.com
127.0.0.1 ads.simtel.com
127.0.0.1 ads.sitemeter.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.smartclicks.net
127.0.0.1 ads.snowball.com
127.0.0.1 ads.sohh.com
127.0.0.1 ads.space.com
127.0.0.1 ads.specificclick.com
127.0.0.1 ads.sptimes.com
127.0.0.1 ads.spymac.net
127.0.0.1 ads.starbanner.com
127.0.0.1 ads.stephensmedia.com
127.0.0.1 ads.stileproject.com
127.0.0.1 ads.stupid.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.techtv.com
127.0.0.1 ads.telegraph.co.uk
127.0.0.1 ads.the15thinternet.com
127.0.0.1 ads.theglobeandmail.com
127.0.0.1 ads.theolympian.com
127.0.0.1 ads.thewebfreaks.com
127.0.0.1 ads.timesunion.com
127.0.0.1 ads.toronto.com
127.0.0.1 ads.townhall.com
127.0.0.1 ads.track.net
127.0.0.1 ads.traderonline.com
127.0.0.1 ads.tricityherald.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.tromaville.com
127.0.0.1 ads.tucows.com
127.0.0.1 ads.ucomics.com
127.0.0.1 ads.valuead.com
127.0.0.1 ads.vegas.com
127.0.0.1 ads.veloxia.com
127.0.0.1 ads.vnuemedia.com
127.0.0.1 ads.weather.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.compuserve.com
127.0.0.1 ads.webcoretech.com
127.0.0.1 ads.webmd.com
127.0.0.1 ads.websponsors.com
127.0.0.1 ads.whi.co.nz
127.0.0.1 ads.x10.com
127.0.0.1 ads.xtra.co.nz
127.0.0.1 ads.zap2it.com
127.0.0.1 ads.zdnet.com
127.0.0.1 ads01.focalink.com
127.0.0.1 ads01.hyperbanner.net
127.0.0.1 ads02.focalink.com
127.0.0.1 ads02.hyperbanner.net
127.0.0.1 ads03.focalink.com
127.0.0.1 ads03.hyperbanner.net
127.0.0.1 ads04.focalink.com
127.0.0.1 ads04.hyperbanner.net
127.0.0.1 ads05.focalink.com
127.0.0.1 ads05.hyperbanner.net
127.0.0.1 ads06.focalink.com
127.0.0.1 ads06.hyperbanner.net
127.0.0.1 ads07.focalink.com
127.0.0.1 ads07.hyperbanner.net
127.0.0.1 ads08.focalink.com
127.0.0.1 ads08.hyperbanner.net
127.0.0.1 ads09.focalink.com
127.0.0.1 ads09.hyperbanner.net
127.0.0.1 ads1.activeagent.at
127.0.0.1 ads1.ad-flow.com
127.0.0.1 ads1.advance.net
127.0.0.1 ads1.advertwizard.com
127.0.0.1 ads1.ami-admin.com
127.0.0.1 ads1.canoe.ca
127.0.0.1 ads1.globeandmail.com
127.0.0.1 ads1.jev.co.za
127.0.0.1 ads1.realcities.com
127.0.0.1 ads1.revenue.net
127.0.0.1 ads1.sptimes.com
127.0.0.1 ads1.theglobeandmail.com
127.0.0.1 ads1.ucomics.com
127.0.0.1 ads1.udc.advance.net
127.0.0.1 ads1.updated.com
127.0.0.1 ads1.virtumundo.com
127.0.0.1 ads1.zdnet.com
127.0.0.1 ads10.focalink.com
127.0.0.1 ads10.hyperbanner.net
127.0.0.1 ads11.focalink.com
127.0.0.1 ads11.hyperbanner.net
127.0.0.1 ads12.focalink.com
127.0.0.1 ads12.hyperbanner.net
127.0.0.1 ads13.focalink.com
127.0.0.1 ads13.hyperbanner.net
127.0.0.1 ads14.bpath.com
127.0.0.1 ads14.focalink.com
127.0.0.1 ads14.hyperbanner.net
127.0.0.1 ads15.focalink.com
127.0.0.1 ads15.hyperbanner.net
127.0.0.1 ads16.focalink.com
127.0.0.1 ads16.hyperbanner.net
127.0.0.1 ads17.focalink.com
127.0.0.1 ads17.hyperbanner.net
127.0.0.1 ads18.focalink.com
127.0.0.1 ads18.hyperbanner.net
127.0.0.1 ads19.focalink.com
127.0.0.1 ads2.ad-flow.com
127.0.0.1 ads2.advance.net
127.0.0.1 ads2.advertwizard.com
127.0.0.1 ads2.canoe.ca
127.0.0.1 ads2.clickad.com
127.0.0.1 ads2.newtimes.com
127.0.0.1 ads2.osdn.com
127.0.0.1 ads2.realcities.com
127.0.0.1 ads2.udc.advance.net
127.0.0.1 ads2.virtumundo.com
127.0.0.1 ads2.zdnet.com
127.0.0.1 ads20.focalink.com
127.0.0.1 ads21.focalink.com
127.0.0.1 ads22.focalink.com
127.0.0.1 ads23.focalink.com
127.0.0.1 ads24.focalink.com
127.0.0.1 ads25.focalink.com
127.0.0.1 ads3.ad-flow.com
127.0.0.1 ads3.advance.net
127.0.0.1 ads3.advertwizard.com
127.0.0.1 ads3.canoe.ca
127.0.0.1 ads3.freebannertrade.com
127.0.0.1 ads3.realcities.com
127.0.0.1 ads3.virtumundo.com
127.0.0.1 ads3.zdnet.com
127.0.0.1 ads36.hyperbanner.net
127.0.0.1 ads4.ad-flow.com
127.0.0.1 ads4.advance.net
127.0.0.1 ads4.advertwizard.com
127.0.0.1 ads4.canoe.ca
127.0.0.1 ads4.clearchannel.com
127.0.0.1 ads4.realcities.com
127.0.0.1 ads4.virtumundo.com
127.0.0.1 ads5.ad-flow.com
127.0.0.1 ads5.advance.net
127.0.0.1 ads5.advertwizard.com
127.0.0.1 ads5.canoe.ca
127.0.0.1 ads5.udc.advance.net
127.0.0.1 ads5.virtumundo.com
127.0.0.1 ads6.ad-flow.com
127.0.0.1 ads6.advertwizard.com
127.0.0.1 ads7.ad-flow.com
127.0.0.1 ads7.advance.net
127.0.0.1 ads7.advertwizard.com
127.0.0.1 ads8.ad-flow.com
127.0.0.1 ads8.advertwizard.com
127.0.0.1 ads9.ad-flow.com
127.0.0.1 ads9.advertwizard.com
127.0.0.1 adsatt.abcnews.starwave.com
127.0.0.1 adsatt.espn.starwave.com
127.0.0.1 adserv.aip.org
127.0.0.1 adserv.bravenet.com
127.0.0.1 adserv.iafrica.com
127.0.0.1 adserv.internetfuel.com
127.0.0.1 adserv.quality-channel.de
127.0.0.1 adserv2.bravenet.com
127.0.0.1 adserve.viaarena.com
127.0.0.1 adserver.71i.de
127.0.0.1 adserver.adtech.de
127.0.0.1 adserver.aim4media.com
127.0.0.1 adserver.airmiles.ca
127.0.0.1 adserver.ancestry.com
127.0.0.1 adserver.anm.co.uk
127.0.0.1 adserver.dbusiness.com
127.0.0.1 adserver.digitalpartners.com
127.0.0.1 adserver.dnps.com
127.0.0.1 adserver.eham.net
127.0.0.1 adserver.eva2000.com
127.0.0.1 adserver.freenet.de
127.0.0.1 adserver.friendfinder.com
127.0.0.1 adserver.gamesquad.net
127.0.0.1 adserver.garden.com
127.0.0.1 adserver.gorillanation.com
127.0.0.1 adserver.hardwareanalysis.com
127.0.0.1 adserver.harktheherald.com
127.0.0.1 adserver.hellasnet.gr
127.0.0.1 adserver.hg-computer.de
127.0.0.1 adserver.humanux.com
127.0.0.1 adserver.ign.com
127.0.0.1 adserver.ixm.co.uk
127.0.0.1 adserver.janes.com
127.0.0.1 adserver.journalinteractive.com
127.0.0.1 adserver.linktrader.co.uk
127.0.0.1 adserver.lunarpages.com
127.0.0.1 adserver.m2kcore.com
127.0.0.1 adserver.matchcraft.com
127.0.0.1 adserver.merc.com
127.0.0.1 adserver.monster.com
127.0.0.1 adserver.news.com.au
127.0.0.1 adserver.newtimes.com
127.0.0.1 adserver.nydailynews.com
127.0.0.1 adserver.nzoom.com
127.0.0.1 adserver.phillyburbs.com
127.0.0.1 adserver.securityfocus.com
127.0.0.1 adserver.terra.com.br
127.0.0.1 adserver.thisislondon.co.uk
127.0.0.1 adserver.tilted.net
127.0.0.1 adserver.track-star.com
127.0.0.1 adserver.trader.ca
127.0.0.1 adserver.trb.com
127.0.0.1 adserver.tribuneinteractive.com
127.0.0.1 adserver.ugo.com
127.0.0.1 adserver.yahoo.com
127.0.0.1 adserver01.ancestry.com
127.0.0.1 adserver1.backbeatmedia.com
127.0.0.1 adserver1.ogilvy-interactive.de
127.0.0.1 adserver2.creative.com
127.0.0.1 adsfac.net
127.0.0.1 adsintl.starwave.com
127.0.0.1 adsnew.userfriendly.org
127.0.0.1 adsr3pg.com.br
127.0.0.1 adsrc.bankrate.com
127.0.0.1 adsremote.scripps.com
127.0.0.1 adsrv.heraldtribune.com
127.0.0.1 adsrv.hpg.com.br
127.0.0.1 adsrv.iol.co.za
127.0.0.1 adsrv.news.com.au
127.0.0.1 adsrv.tuscaloosanews.com
127.0.0.1 adtag.sympatico.ca
127.0.0.1 adtegrity.spinbox.net
127.0.0.1 adtracking.vinden.nlfrm
127.0.0.1 adv.bannercity.ru
127.0.0.1 adv.bbanner.it
127.0.0.1 adv.surinter.net
127.0.0.1 adv.wp.pl
127.0.0.1 adveng.hiasys.com
127.0.0.1 advert.bayarea.com
127.0.0.1 advertising.gfxartist.com
127.0.0.1 advertising.hiasys.com
127.0.0.1 adverts.ecn.co.uk
127.0.0.1 adviva.net
127.0.0.1 adx.adrenalinesk.sk
127.0.0.1 affiliate.aol.com
127.0.0.1 affiliate.cfdebt.com
127.0.0.1 ajcclassifieds.com
127.0.0.1 ak.imgfarm.com
127.0.0.1 akaads-espn.starwave.com
127.0.0.1 alliance.adbureau.net
127.0.0.1 altfarm.mediaplex.com
127.0.0.1 amch.questionmarket.com
127.0.0.1 americansingles.click-url.com
127.0.0.1 antfarm-ad.flycast.com
127.0.0.1 apps5.oingo.com
127.0.0.1 arsconsole.global-intermedia.com
127.0.0.1 as1.falkag.de
127.0.0.1 au.ads.link4ads.com
127.0.0.1 au.adserver.yahoo.com
127.0.0.1 aureate.com
127.0.0.1 banner.coza.com
127.0.0.1 banner.easyspace.com
127.0.0.1 banner.media-system.de
127.0.0.1 banner.northsky.com
127.0.0.1 banner.oddcast.com
127.0.0.1 banner.orb.net
127.0.0.1 banner.relcom.ru
127.0.0.1 banner2.inet-traffic.com
127.0.0.1 bannerads.anytimenews.com
127.0.0.1 bannerads.zwire.com
127.0.0.1 bannerimages.0catch.com
127.0.0.1 bannerpower.com
127.0.0.1 banners.affiliatefuel.com
127.0.0.1 banners.affiliatefuture.com
127.0.0.1 banners.bol.se
127.0.0.1 banners.directnic.com
127.0.0.1 banners.dnastudio.com
127.0.0.1 banners.easydns.com
127.0.0.1 banners.expressindia.com
127.0.0.1 banners.img.uol.com.br
127.0.0.1 banners.japantoday.com
127.0.0.1 banners.ksl.com
127.0.0.1 banners.linkbuddies.com
127.0.0.1 banners.looksmart.com
127.0.0.1 banners.netcraft.com
127.0.0.1 banners.nextcard.com
127.0.0.1 banners.pennyweb.com
127.0.0.1 banners.tucson.com
127.0.0.1 banners.valuead.com
127.0.0.1 banners.webmasterplan.com
127.0.0.1 banners.wunderground.com
127.0.0.1 banners1.linkbuddies.com
127.0.0.1 banners2.castles.org
127.0.0.1 barnesandnoble.bfast.com
127.0.0.1 bell.adcentriconline.com
127.0.0.1 beseenad.looksmart.com
127.0.0.1 betterperformance.goldenopps.info
127.0.0.1 bfast.com
127.0.0.1 bidclix.net
127.0.0.1 bild.ivwbox.de
127.0.0.1 bizad.nikkeibp.co.jp
127.0.0.1 bn.bfast.com
127.0.0.1 c1.zedo.com
127.0.0.1 c2.zedo.com
127.0.0.1 c3.zedo.com
127.0.0.1 c4.maxserving.com
127.0.0.1 c4.zedo.com
127.0.0.1 c5.zedo.com
127.0.0.1 c6.zedo.com
127.0.0.1 c7.zedo.com
127.0.0.1 cache.unicast.com
127.0.0.1 califia.imaginemedia.com
127.0.0.1 campaigns.f2.com.au
127.0.0.1 cashflowmarketing.com
127.0.0.1 cdn2.adsdk.com
127.0.0.1 click.avenuea.com
127.0.0.1 click.go2net.com
127.0.0.1 click.linksynergy.com
127.0.0.1 clickcash.webpower.com
127.0.0.1 clickit.go2net.com
127.0.0.1 clicks.adultplex.com
127.0.0.1 clipserv.adclip.com
127.0.0.1 clk.cloudyisland.com
127.0.0.1 cmhtml.overture.com
127.0.0.1 cmn1lsm2.beliefnet.com
127.0.0.1 commerce.www.ibm.com
127.0.0.1 connect.247media.ads.link4ads.com
127.0.0.1 content.ad-flow.com
127.0.0.1 coreg.flashtrack.net
127.0.0.1 cornflakes.pathfinder.com
127.0.0.1 count.casino-trade.com
127.0.0.1 counter.hitbox.com
127.0.0.1 crux.songline.com
127.0.0.1 dart.chron.com
127.0.0.1 db4.net-filter.com
127.0.0.1 dev.adforum.com
127.0.0.1 djbanners.deadjournal.com
127.0.0.1 dl.ncbuy.com
127.0.0.1 dnads.directnic.com
127.0.0.1 ehg-acdsystems.hitbox.com
127.0.0.1 ehg-legonewyorkinc.hitbox.com
127.0.0.1 engage.everyone.net
127.0.0.1 engage.speedera.net
127.0.0.1 erie.smartage.com
127.0.0.1 espn.footprint.net
127.0.0.1 etad.telegraph.co.uk
127.0.0.1 etype.adbureau.net
127.0.0.1 euniverseads.com
127.0.0.1 exits1.webquest.net
127.0.0.1 exits2.webquest.net
127.0.0.1 ezboard.bigbangmedia.com
127.0.0.1 faz.ivwbox.de
127.0.0.1 focusin.ads.targetnet.com
127.0.0.1 fp.valueclick.com
127.0.0.1 gadgeteer.pdamart.com
127.0.0.1 gavzad.keenspot.com
127.0.0.1 gcirm.burlingtonfreepress.com
127.0.0.1 gcirm.citizen-times.com
127.0.0.1 gcirm.dmregister.com
127.0.0.1 gcirm.gannett-tv.com
127.0.0.1 gcirm.lsj.com
127.0.0.1 gcirm.tennessean.com
127.0.0.1 gcrim.democratandchronicle.com
127.0.0.1 gcrim.theolympian.com
127.0.0.1 gm.preferences.com
127.0.0.1 got2goshop.com
127.0.0.1 goto.trafficmultiplier.com
127.0.0.1 gravitron.chron.com
127.0.0.1 grfx.mp3.com
127.0.0.1 gs1.idsales.co.uk
127.0.0.1 guptamedianetwork.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 http300.content.ru4.com
127.0.0.1 ieee.adbureau.net
127.0.0.1 if.bbanner.it
127.0.0.1 image.i1img.com
127.0.0.1 image.linkexchange.com
127.0.0.1 imageads.canoe.ca
127.0.0.1 images.ads.fairfax.com.au
127.0.0.1 images.clickfinders.com
127.0.0.1 images.cybereps.com
127.0.0.1 images.emapadserver.com
127.0.0.1 imageserv.adtech.de
127.0.0.1 imgserv.adbutler.com
127.0.0.1 imp.partner2profit.com
127.0.0.1 impact.cossette-webpact.com
127.0.0.1 impes.tradedoubler.com
127.0.0.1 impse.tradedoubler.com
127.0.0.1 inl.adbureau.net
127.0.0.1 itxt.vibrantmedia.com
127.0.0.1 ivwbox.de
127.0.0.1 jl29jd25sm24mc29.com
127.0.0.1 kansas.valueclick.com
127.0.0.1 kicker.ivwbox.de
127.0.0.1 klipmart.dvlabs.com
127.0.0.1 klipmart.forbes.com
127.0.0.1 knight.economist.com
127.0.0.1 lanzar.publicidadweb.com
127.0.0.1 leader.linkexchange.com
127.0.0.1 links.dot.tk
127.0.0.1 linktracker.angelfire.com
127.0.0.1 liquidad.narrowcastmedia.com
127.0.0.1 lnads.osdn.com
127.0.0.1 load.focalex.com
127.0.0.1 lt.angelfire.com
127.0.0.1 m.tribalfusion.com
127.0.0.1 macaddictads.snv.futurenet.com
127.0.0.1 manuel.theonion.com
127.0.0.1 matrix.mediavantage.de
127.0.0.1 maximumpcads.imaginemedia.com
127.0.0.1 mds.centrport.net
127.0.0.1 media.adcentriconline.com
127.0.0.1 media.bonnint.net
127.0.0.1 media.fastclick.net
127.0.0.1 media.popuptraffic.com
127.0.0.1 media1.fastclick.net
127.0.0.1 media10.fastclick.net
127.0.0.1 media11.fastclick.net
127.0.0.1 media12.fastclick.net
127.0.0.1 media13.fastclick.net
127.0.0.1 media2.fastclick.net
127.0.0.1 media2.travelzoo.com
127.0.0.1 media3.fastclick.net
127.0.0.1 media4.fastclick.net
127.0.0.1 media5.fastclick.net
127.0.0.1 media6.fastclick.net
127.0.0.1 media7.fastclick.net
127.0.0.1 media8.fastclick.net
127.0.0.1 media9.fastclick.net
127.0.0.1 mediacharger.com
127.0.0.1 messagia.adcentric.proximi-t.com
127.0.0.1 mii-image.adjuggler.com
127.0.0.1 mjx.ads.nwsource.com
127.0.0.1 mjxads.internet.com
127.0.0.1 mojofarm.mediaplex.com
127.0.0.1 mt58.mtree.com
127.0.0.1 nb.netbreak.com.au
127.0.0.1 nbc.adbureau.net
127.0.0.1 netcomm.spinbox.net
127.0.0.1 netshelter.adtrix.com
127.0.0.1 network.realmedia.com
127.0.0.1 newads.cmpnet.com
127.0.0.1 ng3.ads.warnerbros.com
127.0.0.1 ngads.smartage.com
127.0.0.1 nitrous.exitfuel.com
127.0.0.1 nitrous.internetfuel.com
127.0.0.1 nsads.hotwired.com
127.0.0.1 ntbanner.digitalriver.com
127.0.0.1 nx-adv0005.247realmedia.com
127.0.0.1 nytadvertising.nytimes.com
127.0.0.1 oas-central.realmedia.com
127.0.0.1 oas-eu.247realmedia.com
127.0.0.1 oas.foxnews.com
127.0.0.1 oas.lee.net
127.0.0.1 oas.startribune.com
127.0.0.1 oas.villagevoice.com
127.0.0.1 oasads.whitepages.com
127.0.0.1 oascentral.abclocal.go.com
127.0.0.1 oascentral.adage.com
127.0.0.1 oascentral.bostonherald.com
127.0.0.1 oascentral.clearchannel.com
127.0.0.1 oascentral.construction.com
127.0.0.1 oascentral.crainsdetroit.com
127.0.0.1 oascentral.drphil.com
127.0.0.1 oascentral.foxnews.com
127.0.0.1 oascentral.sina.com
127.0.0.1 oascentral.sina.com.hk
127.0.0.1 oascentral.theonion.com
127.0.0.1 oascentral.theonionavclub.com
127.0.0.1 oascentral.thesmokinggun.com
127.0.0.1 oascentral.thespark.com
127.0.0.1 oascentral.wwe.com
127.0.0.1 oasis.zmh.zope.com
127.0.0.1 oassis.zmh.zope.com
127.0.0.1 offers.impower.com
127.0.0.1 onlineads.magicvalley.com
127.0.0.1 openad.travelnow.com
127.0.0.1 overflow.adsoftware.com
127.0.0.1 oz.valueclick.com
127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead1.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 partner.ah-ha.com
127.0.0.1 partner01.oingo.com
127.0.0.1 partner02.oingo.com
127.0.0.1 partner03.oingo.com
127.0.0.1 ph-ad01.focalink.com
127.0.0.1 ph-ad02.focalink.com
127.0.0.1 ph-ad03.focalink.com
127.0.0.1 ph-ad04.focalink.com
127.0.0.1 ph-ad05.focalink.com
127.0.0.1 ph-ad06.focalink.com
127.0.0.1 ph-ad07.focalink.com
127.0.0.1 ph-ad08.focalink.com
127.0.0.1 ph-ad09.focalink.com
127.0.0.1 ph-ad10.focalink.com
127.0.0.1 ph-ad11.focalink.com
127.0.0.1 ph-ad12.focalink.com
127.0.0.1 ph-ad13.focalink.com
127.0.0.1 ph-ad14.focalink.com
127.0.0.1 ph-ad15.focalink.com
127.0.0.1 ph-ad16.focalink.com
127.0.0.1 ph-ad17.focalink.com
127.0.0.1 ph-ad18.focalink.com
127.0.0.1 ph-ad19.focalink.com
127.0.0.1 ph-ad20.focalink.com
127.0.0.1 phg.hitbox.com
127.0.0.1 phpads.cnpapers.com
127.0.0.1 phpads.macbidouille.com
127.0.0.1 popup.matchmaker.com
127.0.0.1 popups.ad-logics.com
127.0.0.1 popups.infostart.com
127.0.0.1 primetime.ad.primetime.net
127.0.0.1 ptrads.mp3.com
127.0.0.1 publicidades.redtotalonline.com
127.0.0.1 q.azcentral.com
127.0.0.1 realads.realmedia.com
127.0.0.1 red01.as-eu.falkag.net
127.0.0.1 red01.as-us.falkag.net
127.0.0.1 red02.as-eu.falkag.net
127.0.0.1 red02.as-us.falkag.net
127.0.0.1 red03.as-eu.falkag.net
127.0.0.1 red03.as-us.falkag.net
127.0.0.1 red04.as-eu.falkag.net
127.0.0.1 red04.as-us.falkag.net
127.0.0.1 redherring.ngadcenter.net
127.0.0.1 redirect.click2net.com
127.0.0.1 regio.adlink.de
127.0.0.1 remotead.cnet.com
127.0.0.1 responsemedia-ad.flycast.com
127.0.0.1 rmedia.boston.com
127.0.0.1 rotabanner100.utro.ru
127.0.0.1 s0b.bluestreak.com
127.0.0.1 search.freeonline.com
127.0.0.1 secure-au.imrworldwide.com
127.0.0.1 secure.webconnect.net
127.0.0.1 securerunner.com
127.0.0.1 servads.aip.org
127.0.0.1 servedby.advertising.com
127.0.0.1 server.as5000.com
127.0.0.1 server.iad.liveperson.net
127.0.0.1 server01.popupmoney.com
127.0.0.1 sfads.osdn.com
127.0.0.1 sh4sure-images.adbureau.net
127.0.0.1 shinystat.shiny.it
127.0.0.1 simg.zedo.com
127.0.0.1 skill.skilljam.com
127.0.0.1 specialoffers.aol.com
127.0.0.1 spiegel.ivwbox.de
127.0.0.1 spin.spinbox.net
127.0.0.1 spinbox.consumerreview.com
127.0.0.1 sponsor1.com
127.0.0.1 ssads.osdn.com
127.0.0.1 st.valueclick.com
127.0.0.1 stat.dealtime.com
127.0.0.1 static.admaximize.com
127.0.0.1 static.everyone.net
127.0.0.1 static.firehunt.com
127.0.0.1 stats2.dooyoo.com
127.0.0.1 suissa-ad.flycast.com
127.0.0.1 sview.avenuea.com
127.0.0.1 techreview-images.adbureau.net
127.0.0.1 techreview.adbureau.net
127.0.0.1 thinknyc.eu-adcenter.net
127.0.0.1 tmsads.tribune.com
127.0.0.1 topica.advertserve.com
127.0.0.1 touche.adcentric.proximi-t.com
127.0.0.1 tower.adexpedia.com
127.0.0.1 transfer.go.com
127.0.0.1 tsms-ad.tsms.com
127.0.0.1 ttarget.adbureau.net
127.0.0.1 u0.extreme-dm.com
127.0.0.1 ugo.eu-adcenter.net
127.0.0.1 uk.i1.yimg.com
127.0.0.1 us.a1.yimg.com
127.0.0.1 us.adserver.yahoo.com
127.0.0.1 usads.vibrantmedia.com
127.0.0.1 utils.mediageneral.com
127.0.0.1 v0.extreme-dm.com
127.0.0.1 v1.extreme-dm.com
127.0.0.1 van.ads.link4ads.com
127.0.0.1 venus.goclick.com
127.0.0.1 view.atdmt.com
127.0.0.1 view.avenuea.com
127.0.0.1 view.iballs.a1.avenuea.com
127.0.0.1 vnu.eu-adcenter.net
127.0.0.1 w.extreme-dm.com
127.0.0.1 w0.extreme-dm.com
127.0.0.1 w1.extreme-dm.com
127.0.0.1 w2.extreme-dm.com
127.0.0.1 w3.extreme-dm.com
127.0.0.1 w4.extreme-dm.com
127.0.0.1 w5.extreme-dm.com
127.0.0.1 w6.extreme-dm.com
127.0.0.1 w7.extreme-dm.com
127.0.0.1 w8.extreme-dm.com
127.0.0.1 w9.extreme-dm.com
127.0.0.1 web.nyc.ads.juno.co
127.0.0.1 web1b.netreflector.com
127.0.0.1 webads.bizservers.com
127.0.0.1 weeklyad.target.com
127.0.0.1 wwbtads.com
127.0.0.1 www.3qqq.net
127.0.0.1 www.3turtles.com
127.0.0.1 www.404errorpage.com
127.0.0.1 www.5thavenue.com
127.0.0.1 www.ad-souk.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.ad.tomshardware.com
127.0.0.1 www.adbanner.gr
127.0.0.1 www.adforum.com
127.0.0.1 www.adimages.beeb.com
127.0.0.1 www.admex.com
127.0.0.1 www.adpepper.dk
127.0.0.1 www.adpowerzone.com
127.0.0.1 www.adreporting.com
127.0.0.1 www.ads.revenue.net
127.0.0.1 www.adsoftware.com
127.0.0.1 www.adtrix.com
127.0.0.1 www.affiliateclick.com
127.0.0.1 www.aureate.com
127.0.0.1 www.banner4all.dk
127.0.0.1 www.boonsolutions.com
127.0.0.1 www.bugsbanner.it
127.0.0.1 www.bulkclicks.com
127.0.0.1 www.burstnet.com
127.0.0.1 www.buyhitscheap.com
127.0.0.1 www.click10.com
127.0.0.1 www.clickbank.com
127.0.0.1 www.clicktilluwin.com
127.0.0.1 www.clickxchange.com
127.0.0.1 www.coolsavings.com
127.0.0.1 www.cpabank.com
127.0.0.1 www.crazypopups.com
127.0.0.1 www.datatech.es
127.0.0.1 www.digimedia.com
127.0.0.1 www.direc-tory.tk
127.0.0.1 www.e-bannerx.com
127.0.0.1 www.eads.com
127.0.0.1 www.ehg-rr.hitbox.com
127.0.0.1 www.fast-adv.it
127.0.0.1 www.fineclicks.com
127.0.0.1 www.focalex.com
127.0.0.1 www.fusionbanners.com
127.0.0.1 www.gatoradvertisinginformationnetwork.com
127.0.0.1 www.getloan.com
127.0.0.1 www.gopopup.com
127.0.0.1 www.guesstheview.com
127.0.0.1 www.guptamedianetwork.com
127.0.0.1 www.hightrafficads.com
127.0.0.1 www.idealcasino.net
127.0.0.1 www.idirect.com
127.0.0.1 www.ijacko.net
127.0.0.1 www.indiads.com
127.0.0.1 www.interstitialzone.com
127.0.0.1 www.iwin.com
127.0.0.1 www.jetseeker.com
127.0.0.1 www.jl29jd25sm24mc29.com
127.0.0.1 www.joinfree.ro
127.0.0.1 www.leadgreed.com
127.0.0.1 www.linkhut.com
127.0.0.1 www.lottoforever.com
127.0.0.1 www.media2.travelzoo.com
127.0.0.1 www.merchantapp.com
127.0.0.1 www.my-stats.com
127.0.0.1 www.myaffiliateprogram.com
127.0.0.1 www.myuitm.com
127.0.0.1 www.netpalnow.com
127.0.0.1 www.netpaloffers.net
127.0.0.1 www.ontheweb.com
127.0.0.1 www.parsads.com
127.0.0.1 www.paypopup.com
127.0.0.1 www.popupad.net
127.0.0.1 www.popuptraffic.com
127.0.0.1 www.postmasterbannernet.com
127.0.0.1 www.radiate.com
127.0.0.1 www.rankyou.com
127.0.0.1 www.rtcode.com
127.0.0.1 www.securerunner.com
127.0.0.1 www.servedby.advertising.com
127.0.0.1 www.shoppingjobshere.com
127.0.0.1 www.smartadserver.com
127.0.0.1 www.speedyclick.com
127.0.0.1 www.sponsoradulto.com
127.0.0.1 www.subsitesadserver.co.uk
127.0.0.1 www.textbanners.net
127.0.0.1 www.top20free.com

216.19.0.250 idenupdate.motorola.com

127.0.0.1 www.google.com

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Video ActiveX Object\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



And here is the recent HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:31:16 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\inet20126\free.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\inet20126\wpcem.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\systems.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [c1adc88f0c11] C:\WINNT\system32\amstream.exe
O4 - HKLM\..\Run: [4JFQFD83F6S@DL] C:\WINNT\system32\Htw0Uz0.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft WWW] C:\WINNT\inet20126\free.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20126\svchost.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt0

#6 -David-

Posted 23 February 2007 - 04:48 AM

Hi there, the last Hijackthis log got cut off, can you please repost it. Thanks.

#7 beg4mercy

Posted 23 February 2007 - 09:47 AM

Sorry about that.

Logfile of HijackThis v1.99.1
Scan saved at 6:31:16 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\inet20126\free.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\inet20126\wpcem.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\systems.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [c1adc88f0c11] C:\WINNT\system32\amstream.exe
O4 - HKLM\..\Run: [4JFQFD83F6S@DL] C:\WINNT\system32\Htw0Uz0.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft WWW] C:\WINNT\inet20126\free.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20126\svchost.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

#8 -David-

Posted 23 February 2007 - 10:31 AM

No problem beg4mercy, let's get on with the fix.

You have many infections here, so this could be a multiple stage fix.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Download KillBox from the following link:
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Please download, install, and update AVG antispyware
Load AVG antispyware and then click the Update tab at the top.
Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful"), close AVG.

Please download HostsXpert from the following link:
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\systems.dll
O4 - HKLM\..\Run: [c1adc88f0c11] C:\WINNT\system32\amstream.exe
O4 - HKLM\..\Run: [4JFQFD83F6S@DL] C:\WINNT\system32\Htw0Uz0.exe
O4 - HKLM\..\Run: [Microsoft WWW] C:\WINNT\inet20126\free.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20126\svchost.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\inet20126\svchost.exe
C:\WINNT\inet20126\free.exe
C:\WINNT\system32\Htw0Uz0.exe
C:\WINNT\system32\amstream.exe
C:\WINNT\system32\amstream.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu -- pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if any appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

When you reboot, reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please find and delete this folder if present:
C:\WINNT\inet20126

Whilst still in safe mode, please open AVG antispyware.
Click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared. Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button.
AVG antispyware will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close AVG antispyware and reboot back into normal mode!
Please post the log in your next reply.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Also post a new Hijackthis log.
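
An added example, not part of the original post and not HijackThis's own logic: a small triage script that parses HijackThis 1.99.1-style lines and flags autostart entries for human review. The heuristics, the `SYSTEM_NAMES` set and the function names are assumptions chosen for illustration; the sample lines are copied from the log posted in this thread, and `C:\WINNT` is taken from its process paths.

```python
import re
from ntpath import basename, dirname, normpath  # Windows path rules on any OS

WINDIR = r"C:\WINNT"  # Windows directory seen in this thread's log
# Process names that legitimately run from system32 in the posted log.
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\systems.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [c1adc88f0c11] C:\WINNT\system32\amstream.exe
O4 - HKLM\..\Run: [4JFQFD83F6S@DL] C:\WINNT\system32\Htw0Uz0.exe
O4 - HKLM\..\Run: [Microsoft WWW] C:\WINNT\inet20126\free.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20126\svchost.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Image path = text up to the first .exe/.dll that is followed by a quote,
# whitespace or end of line (so "mcafee.com\..." is not cut short).
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll))(?=["\s]|$)', re.I)


def looks_generated(name):
    """True for value names with no spaces, a single letter case and 3+ digits."""
    digits = sum(c.isdigit() for c in name)
    return (len(name) >= 8 and " " not in name and digits >= 3
            and (name == name.lower() or name == name.upper()))


def under(path, parent):
    """True if path lies below parent (case-insensitive, Windows separators)."""
    return normpath(path).lower().startswith(normpath(parent).lower() + "\\")


def triage(line, windir=WINDIR):
    """Return the list of heuristic reasons a log line deserves a closer look."""
    reasons = []
    if line.endswith("(file missing)"):
        reasons.append("autostart reference to a missing file")
    m = BHO_RE.match(line)
    if m and m["name"] == "(no name)" and re.fullmatch(r"[A-Za-z]:\\[^\\]+", m["path"]):
        reasons.append("unnamed BHO loaded from a drive root")
    m = RUN_RE.match(line)
    if m:
        if looks_generated(m["name"]):
            reasons.append("machine-generated-looking Run value name")
        img = IMAGE_RE.match(m["cmd"])
        if img:
            path = normpath(img["path"]).lower()
            sys32 = normpath(windir + r"\system32").lower()
            folder = dirname(path)
            if basename(path) in SYSTEM_NAMES and folder and folder != sys32:
                reasons.append("system process name outside system32")
            if under(path, windir) and not under(path, sys32):
                reasons.append("Run target in a non-standard folder under the Windows directory")
    return reasons


def flagged(log_text):
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    hits = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage(line)
            if reasons:
                hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in flagged(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

The heuristics also flag the `WRNotifier` entry, which is not on the fix list above, so the output is a list of candidates for a reviewer rather than a verdict.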

#9 beg4mercy

Posted 24 February 2007 - 12:26 AM

Ok.....everything done, step by step. No Pending File Rename Operation prompts came about after the first reboot.

AC3Filter (remove only)
Adobe Bridge 1.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AVG Anti-Spyware 7.5
AVI & MPEG Splitter 1.48
AVI/MPEG/RM/WMV Joiner 4.11
AviSynth 2.5
BitLord 1.1
Cool CD Burner
Cool Edit Pro 2.0
Data Lifeguard Tools
DivX
DivX 4.11 Codec
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB926239)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Internet Explorer Q903235
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_05
LimeWire
LimeWire 4.12.6
Lock my Folder
McAfee SecurityCenter
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Word Viewer 2003
Microsoft PowerPoint Viewer 97
Microsoft User-Mode Driver Framework Feature Pack 1.0
MOBILedit! 1.67
MP4 Converter 1.0
MSXML 4.0 SP2 (KB927978)
Nimo Lite Pack v1.0 (Remove Only)
PSP Video 9 1.74
QuickCam
QuickTime
RealPlayer
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Ulead GIF Animator 5 ESD
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
WM Recorder + RM Recorder 10.21
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)
Yahoo! Address AutoComplete
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Toolbar







Logfile of HijackThis v1.99.1
Scan saved at 9:15:04 PM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\HPZipm12.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

#10 -David-

Posted 24 February 2007 - 04:29 AM

Ok, good work. :thumbsup:

Let's start by removing an older update of Java Runtime that you have in add/remove.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove programs, uninstall the following if they exist by double-clicking on the following entries:

Java 2 Runtime Environment, SE v1.4.2_05

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Also, I need to see the log from AVG antispyware in your next post.

#11 beg4mercy

Posted 24 February 2007 - 04:36 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 24, 2007 1:31:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/02/2007
Kaspersky Anti-Virus database records: 257760
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\

Scan Statistics:
Total number of scanned objects: 65735
Number of viruses found: 8
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:46:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5E4EAC50-E4B4-455B-80D4-F9D4B6C8F5BD} Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02032007-101938.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021192.exe Infected: Trojan.Win32.Agent.ws skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021193.exe Infected: Trojan.Win32.Agent.ws skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021194.exe Infected: Trojan-Spy.Win32.Agent.pr skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021195.exe Infected: Trojan-Spy.Win32.Agent.pr skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021196.exe Infected: Trojan-Spy.Win32.Agent.pr skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021197.exe Infected: Trojan-Downloader.Win32.Murlo.fa skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021198.exe Infected: Backdoor.Win32.Agent.alm skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021199.exe Infected: Backdoor.Win32.Agent.alm skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021201.exe Infected: Trojan-Proxy.Win32.Delf.an skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021202.exe Infected: Trojan-Proxy.Win32.Agent.jw skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021203.exe Infected: Trojan-Proxy.Win32.Small.bt skipped
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP108\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{E3DA7378-690E-469F-ABA9-F1F56DAA97FE}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\274793161.exe Infected: Trojan.Win32.Agent.zq skipped
C:\WINNT\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:02:07 PM 2/23/2007

+ Scan result:



C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CHER4T27\bho[2] -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021184.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP99\A0020895.exe -> Adware.BHO : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1482476501-1606980848-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Desktop\LicenseStores -> Adware.MidAddle : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\Quarantine -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\Reports -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\ee.url -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\klp.url -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\pct.url -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\popupe.url -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\Program Files\PAL SPYREM\spyrem.exe -> Adware.PALSpywareRemover : Cleaned with backup (quarantined).
C:\WINNT\system32\KDP1d27.dll -> Adware.SafeGuard : Cleaned with backup (quarantined).
C:\WINNT\Temp\laf7F.tmp -> Adware.WorldSecurityOnline : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CL6JOPA7\snap[1].exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\WINNT\snap.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\WINNT\system32\msvcrtd.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXAF0R05\message2[1] -> Downloader.CWS.ak : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP100\A0020899.exe -> Downloader.CWS.ak : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP100\A0020900.exe -> Downloader.CWS.ak : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\~tmp0374.exe -> Downloader.Murlo.fa : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CL6JOPA7\crldr[1] -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP84\A0014158.exe -> Downloader.Zlob.aqz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP78\A0012006.dll -> Downloader.Zlob.bni : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP78\A0013042.dll -> Downloader.Zlob.bni : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP79\A0014004.dll -> Downloader.Zlob.bni : Cleaned with backup (quarantined).
C:\FINDnFIX\Files2\un.exe -> Hijacker.StartPage : Cleaned with backup (quarantined).
C:\!KillBox\svchost.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\svchost.exe.bak -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP101\A0020942.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP102\A0021067.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP104\A0021117.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP105\A0021131.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP105\A0021146.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP105\A0021169.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021186.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\Documents and Settings\coltman2004\Local Settings\Temporary Internet Files\Content.IE5\KT2BCD27\iframe_sn[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP102\A0021088.exe -> Not-A-Virus.RemoteAdmin.Win32.NirCmdLine.14 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\OEM.exe -> Proxy.Agent.jw : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\OEM.exe.bak -> Proxy.Agent.jw : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\gif\chgif2.exe -> Proxy.Delf.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\socks.exe -> Proxy.Small.bt : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\socks.exe.bak -> Proxy.Small.bt : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CL6JOPA7\launcher4219291488[1] -> Trojan.Agent.afs : Cleaned with backup (quarantined).
C:\!KillBox\free.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\free.exe.bak -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\syswin.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1606980848-1957994488-500\Dc6\syswin.exe.bak -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EB05F95A-8E51-484F-81EC-3E01FDAD3BAE}\RP106\A0021187.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Defender\FileTracker\{03943177-BA59-4F6E-869E-3B088C270894} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Defender\FileTracker\{395B0707-9E32-4E5A-B981-80BA536E32AF} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Defender\FileTracker\{415EFAA6-BFCE-403F-AF48-440170ADE2E9} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Defender\FileTracker\{654AEC6C-5E52-4490-AE0E-1F08929AF351} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Defender\FileTracker\{CAE899F5-2AB6-40B1-813D-B3016C9205E4} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{41D9753A-38C4-47F1-8C6B-9EBAFD78D620} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{67680656-A92D-4E57-9D61-F9B675A4D876} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9312F76A-445B-44DA-BB62-E936AF42C931} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A7F871FC-C8C6-4A08-983E-979120573C5F} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{CB99B628-15DA-4598-BB08-A3254F41576D} -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\WINNT\system32\drivers\etc\hosts.tim -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).
C:\rapport.txt -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).


::Report end

#12 -David-


Posted 24 February 2007 - 06:38 PM

Hey there, good work! :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

I want you to clean your cache and cookies from your Internet Explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

Reboot a final time and let me know how the system is running! :flowers:
I see clean logs here now, but my best information comes from you..

#13 beg4mercy


Posted 25 February 2007 - 01:59 PM

It's running a lot better. I appreciate your help greatly. Which spyware/adware scanners should I continuously be running to prevent this from happening again? Also is my McAfee virus enough to stop viruses?

Logfile of HijackThis v1.99.1
Scan saved at 10:50:39 AM, on 2/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

#14 -David-


Posted 25 February 2007 - 05:21 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David



