Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spy Dawn Issue And Infection


  • Please log in to reply
13 replies to this topic

#1 radiokaos

radiokaos

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 17 March 2007 - 05:16 AM

Hello to all:

May have caught a virus or some mal. I'm getting the dredded Spy Dawn pop up and infection. I ran Spybot and Adaware with current update. Listed below is a current scan with hijackthis, I will try spybot and adware after reboot. Any suggestions or tweaking that I could do would be great, my system is so bogged down I don't know what to do.

Thanks
Radiokaos

Logfile of HijackThis v1.99.1
Scan saved at 2:51:18 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\GIANT Company Software\Spam

Inspector\siService.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0

\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GIANT Company Software\Spam

Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam

Inspector\siSpamFilterEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Intuit\QuickBooks

Pro\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462

\GoogleToolbarNotifier.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\JERRYG~1\LOCALS~1\Temp\Rar$EX03.968\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,CustomizeSearch = res://C:\PROGRA~1

\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext

= http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage",

"http://www.yahoo.com"); (C:\Documents and Settings\Jerry

Green\Application

Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%

5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jerry

Green\Application

Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-

7695ECA05670} - C:\Program Files\Yahoo!

\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-

784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0

\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} -

C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-

2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

- C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} -

C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-

CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-

FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton

Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no

file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-

7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton

Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-

0090271D4F88} - C:\Program Files\Yahoo!

\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company

Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [qsnO36R] srvga11n.exe
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32

\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fe4aa3b56d13] C:\WINDOWS\system32\certmgr9.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program

Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Amgh] C:\documents and settings\jerry

green\local settings\temp\Amgh.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton

SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program

Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [bB4ERWd2S] msedlg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero

BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\1.2.1128.5462

\GoogleToolbarNotifier.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair

Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program

Files\BigFix\BigFix.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86

\CheckIt86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton

SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk =

C:\Program Files\Intuit\QuickBooks

Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program

Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary -

file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program

Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09

\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-

F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-

F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-

2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -

C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-

47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-

B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file

missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-

B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe

(file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-

12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file

missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1

-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

(file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-

00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-

A9046DEA8A21} - C:\Program Files\Microsoft

Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-

11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) - http://go.microsoft.com/fwlink/?

linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec

AntiVirus scanner) -

http://security.symantec.com/sscv6/SharedC.../bin/AvSniff.ca

b
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter

Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet

Download Control Class) -

http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl

Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1

-0-3-12.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI

Utility Class) -

http://security.symantec.com/sscv6/SharedC...ommon/bin/cabsa.

cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer

Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos

Easy Upload Tool Class) -

http://us.dl1.yimg.com/download.yahoo.com/...ls/ydropper/ydr

opper1_3us.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader

Class) -

http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx

Class) - https://music.msn.com/client/msnmusax2317.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec

Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google -

C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1

\Symantec\LIVEUP~1\LUCOMS~1.EXE

Edited by radiokaos, 17 March 2007 - 05:16 AM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 17 March 2007 - 05:58 AM

Welcome to the BleepingComputer HijackThis forum radiokaos :thumbsup:

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

********************************

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad',click on 'Format' at the top,then uncheck 'Word Wrap' if it's checked.

********************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply,along with a new Hijackthis log please.
Posted Image
Posted Image

#3 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 17 March 2007 - 06:10 AM

Here you go...thanks for your help...I did get 2 prompts from NAV while running smitfruad

SmitFraudFix v2.148

Scan done at 3:58:27.68, Sat 03/17/2007
Run from C:\Documents and Settings\Jerry Green\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\geplxss.dll FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Jerry Green


C:\Documents and Settings\Jerry Green\Application Data



Logfile of HijackThis v1.99.1
Scan saved at 4:02:38 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siClientUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMain.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Jerry Green\Application Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jerry Green\Application Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [qsnO36R] srvga11n.exe
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fe4aa3b56d13] C:\WINDOWS\system32\certmgr9.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Amgh] C:\documents and settings\jerry green\local settings\temp\Amgh.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [bB4ERWd2S] msedlg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax2317.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Thanks again for your fast response

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 17 March 2007 - 06:57 AM

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report,and a new Hijack This log into your next reply.
Posted Image
Posted Image

#5 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 17 March 2007 - 11:47 PM

Thank you so much for your input...Is there also a way to clean up a little to so can free up some resources?

Here are my logs...thank you so much for all of your help

SmitFraudFix v2.148

Scan done at 20:41:31.75, Sat 03/17/2007
Run from C:\Documents and Settings\Jerry Green\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"


Killing process


hosts

127.0.0.1 localhost
127.0.0.1 desktop.kazaa.com
127.0.0.1 www.altnetp2p.com
127.0.0.1 alpha.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
127.0.0.1 www.brilliantdigital.com
127.0.0.1 www.b3d.com
127.0.0.1 media.altnet.com
127.0.0.1 www.altnet.com
127.0.0.1 dev.bde.com.au
127.0.0.1 update.kazaa.com
127.0.0.1 bravo.kazaa.com
127.0.0.1 puma.kazaa.com
127.0.0.1 www.kazaa-gold.com
127.0.0.1 kazaagold.com
127.0.0.1 www.kazaa-download.de
127.0.0.1 www.mp3downloadhq.com
127.0.0.1 www.easymusicdownload.com
127.0.0.1 easymusicdownload.com
127.0.0.1 www.mp3madeeasy.com
127.0.0.1 www.monstershare.com
127.0.0.1 monstershare.com
127.0.0.1 www.kazaa-plus.net
127.0.0.1 kazaa-plus.net
127.0.0.1 www.kazaa-plus.com
127.0.0.1 www.edonkey.com
127.0.0.1 www.kazaa-file-sharing-downloads.com
127.0.0.1 www.kazaaplatinum.com
127.0.0.1 www.madeformusic.com
127.0.0.1 www.ikazaa.net
127.0.0.1 ikazaa.net
127.0.0.1 www.mp3u.com
127.0.0.1 www.mp3specialty.com
127.0.0.1 music-download-world.com
127.0.0.1 song-download-world.com
127.0.0.1 www.flixs.net
127.0.0.1 www.ishareit.net
127.0.0.1 www.ishareit.com
127.0.0.1 www.download-doctor.com
127.0.0.1 www.ezmp3download.com
127.0.0.1 www.kazaamedia.com
127.0.0.1 mp3-network.com
127.0.0.1 www.mp3-network.com
127.0.0.1 www.mp3grandcentral.net
127.0.0.1 www.mp333.com
127.0.0.1 www.kazaamate.com
127.0.0.1 www.emule.biz
127.0.0.1 www.kazaam8.tk
127.0.0.1 www.rippro.com
127.0.0.1 www.kaaza.com
127.0.0.1 secure.webstartz.com
127.0.0.1 www.kazaalite.de
127.0.0.1 www.kazza.de
127.0.0.1 kazza.com
127.0.0.1 www.kazaalite.at
127.0.0.1 www.kazaalite.ch
127.0.0.1 www.kazaa-hilfe.de
127.0.0.1 www.edonkey-2000.de
127.0.0.1 www.edonkey-bot.de
127.0.0.1 www.edonkey-edonkey2000.de
127.0.0.1 www.edonkey-hilfe.de
127.0.0.1 www.edonkey-morpheus-forum.de
127.0.0.1 www.emule-hilfe.de
127.0.0.1 www.file-sharing-forum.de
127.0.0.1 www.filesharing-forum.de
127.0.0.1 www.imesh-download.de
127.0.0.1 www.kazaa-kaza.de
127.0.0.1 www.kazaa-lite.info
127.0.0.1 www.kazaa-lite-download.de
127.0.0.1 www.1md.de
127.0.0.1 www.mariodolzer.de
127.0.0.1 www.morpheus-forum.de
127.0.0.1 www.overnet-download.de
127.0.0.1 www.overnet-hilfe.de
127.0.0.1 www.winmx-download.de
127.0.0.1 www.winmx-hilfe.de
127.0.0.1 www.download-und-hilfe.de
127.0.0.1 www.filesharing-hilfe-forum.de
127.0.0.1 www.musik-download.biz
127.0.0.1 www.mp3downloads.ch
127.0.0.1 www.songfly.com
127.0.0.1 www.kazaa.nl
127.0.0.1 1stsoftwaredownloads.com
127.0.0.1 morpheus-download-morpheus.com
127.0.0.1 www.icisnet.org
127.0.0.1 software.global-netcom.de
127.0.0.1 www.filesharing-download.de
127.0.0.1 www.p2p.tm
127.0.0.1 www.filesharing-center.de
127.0.0.1 www.filesharing-tools.de
127.0.0.1 kazaa-download-kazaa.com
127.0.0.1 www.interscilsa.com
127.0.0.1 www.dvd-download-free.com
127.0.0.1 www.howtominibooks.com
127.0.0.1 www.internetmovies.com
127.0.0.1 www.rippro.net
127.0.0.1 www.musicmoviesbooks.com
127.0.0.1 www.kazaalite.org
127.0.0.1 www.getmp3music.com
127.0.0.1 www1.ishareit.com
127.0.0.1 www.filesharing-software.de
127.0.0.1 www.firewarez.com
127.0.0.1 www.k-lite.co.uk
127.0.0.1 kazzaa.info
127.0.0.1 www.morpheusp2p.com
127.0.0.1 www.mudima.com
127.0.0.1 www.download-central.com
127.0.0.1 kazaaplatinum.com
127.0.0.1 www.dingosoft.net
127.0.0.1 www.kazaa-advance.com
127.0.0.1 www.downloads-unlimited.com
127.0.0.1 klserver.port5.com
127.0.0.1 rippro.net
127.0.0.1 www.findkazaalite.com
127.0.0.1 www.freegoldkazaa.com
127.0.0.1 www.freekazaalite.com
127.0.0.1 www.kazaalitekpp.com
127.0.0.1 kazaa.filez.ws
127.0.0.1 www.kazaalite-download.com
127.0.0.1 www.every.biz
127.0.0.1 123banners.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.ca.doubleclick.net
127.0.0.1 ad.de.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.es.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.free6.com
127.0.0.1 ad.it.doubleclick.net
127.0.0.1 ad.iwin.com
127.0.0.1 ad.jp.doubleclick.net
127.0.0.1 ad.kr.doubleclick.net
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.linksynergy.com
127.0.0.1 ad.nl.doubleclick.net
127.0.0.1 ad.no.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.se.doubleclick.net
127.0.0.1 ad.sma.punto.net
127.0.0.1 ad.trafficmp.com
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.webprovider.com
127.0.0.1 ad08.focalink.com
127.0.0.1 ad1.adcept.net
127.0.0.1 ad1.icorp.net
127.0.0.1 ad1.looksmart.com
127.0.0.1 ad1.peel.com
127.0.0.1 ad2.adcept.net
127.0.0.1 ad2.looksmart.com
127.0.0.1 ad2.peel.com
127.0.0.1 ad3.adcept.net
127.0.0.1 ad3.peel.com
127.0.0.1 ad4.peel.com
127.0.0.1 ad-adex3.flycast.com
127.0.0.1 adcontroller.unicast.com
127.0.0.1 adcreatives.imaginemedia.com
127.0.0.1 addb.looksmart.com
127.0.0.1 adevents.msn.com
127.0.0.1 adex3.flycast.com
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 adforce.ads.imgis.com
127.0.0.1 adforce.imgis.com
127.0.0.1 adfu.blockstackers.com
127.0.0.1 adimage.blm.net
127.0.0.1 adimages.earthweb.com
127.0.0.1 adimages.go.com
127.0.0.1 adimages.imaginemedia.com
127.0.0.1 adimg.egroups.com
127.0.0.1 admedia.xoom.com
127.0.0.1 admonitor.net
127.0.0.1 adpick.switchboard.com
127.0.0.1 adproject.net
127.0.0.1 adremote.pathfinder.com
127.0.0.1 adres.internet.com
127.0.0.1 ads.adflight.com
127.0.0.1 ads.ad-flow.com
127.0.0.1 ads.admaximize.com
127.0.0.1 ads.admonitor.net
127.0.0.1 ads.adroar.com
127.0.0.1 ads.astalavista.us
127.0.0.1 ads.bfast.com
127.0.0.1 ads.box.sk
127.0.0.1 ads.burstnet.com
127.0.0.1 ads.cdfreaks.com
127.0.0.1 ads.chrbanner.com
127.0.0.1 ads.clickagents.com
127.0.0.1 ads.clickhouse.com
127.0.0.1 ads.dai.net
127.0.0.1 ads.datais.com
127.0.0.1 ads.enliven.com
127.0.0.1 ads.eu.msn.com
127.0.0.1 ads.fairfax.com.au
127.0.0.1 ads.fool.com
127.0.0.1 ads.fortunecity.com
127.0.0.1 ads.fortunecity.fr
127.0.0.1 ads.freeze.com
127.0.0.1 ads.freshmeat.net
127.0.0.1 ads.god.co.uk
127.0.0.1 ads.guardianunlimited.co.uk
127.0.0.1 ads.hitcents.com
127.0.0.1 ads.hollywood.com
127.0.0.1 ads.i12.de
127.0.0.1 ads.i33.com
127.0.0.1 ads.ign.com
127.0.0.1 ads.imaginemedia.com
127.0.0.1 ads.indya.com
127.0.0.1 ads.infi.net
127.0.0.1 ads.irover.com
127.0.0.1 ads.ixo.com
127.0.0.1 ads.jpost.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.killerapp.com
127.0.0.1 ads.link4ads.com
127.0.0.1 ads.linksponsor.com
127.0.0.1 ads.looksmart.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.lycos.de
127.0.0.1 ads.madison.com
127.0.0.1 ads.mediaodyssey.com
127.0.0.1 ads.mediaturf.net
127.0.0.1 ads.msn.com
127.0.0.1 ads.musiccity.com
127.0.0.1 ads.netomia.com
127.0.0.1 ads.netpumper.com
127.0.0.1 ads.newcity.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.ninemsn.com.au
127.0.0.1 ads.rediff.com
127.0.0.1 ads.satyamonline.com
127.0.0.1 ads.seattletimes.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.smartclicks.net
127.0.0.1 ads.sptimes.com
127.0.0.1 ads.startpath.com
127.0.0.1 ads.station.sony.com
127.0.0.1 ads.tiscali.fr
127.0.0.1 ads.tripod.com
127.0.0.1 ads.tucows.com
127.0.0.1 ads.vcommunities.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.x10.com
127.0.0.1 ads.xtra.co.nz
127.0.0.1 ads.zdnet.com
127.0.0.1 ads01.focalink.com
127.0.0.1 ads02.focalink.com
127.0.0.1 ads03.focalink.com
127.0.0.1 ads04.focalink.com
127.0.0.1 ads05.focalink.com
127.0.0.1 ads06.focalink.com
127.0.0.1 ads07.focalink.com
127.0.0.1 ads08.focalink.com
127.0.0.1 ads09.focalink.com
127.0.0.1 ads1.activeagent.at
127.0.0.1 ads1.ad-flow.com
127.0.0.1 ads1.speedbit.com
127.0.0.1 ads10.focalink.com
127.0.0.1 ads11.focalink.com
127.0.0.1 ads12.focalink.com
127.0.0.1 ads13.focalink.com
127.0.0.1 ads14.focalink.com
127.0.0.1 ads15.focalink.com
127.0.0.1 ads16.focalink.com
127.0.0.1 ads17.focalink.com
127.0.0.1 ads18.focalink.com
127.0.0.1 ads19.focalink.com
127.0.0.1 ads2.speedbit.com
127.0.0.1 ads2.zdnet.com
127.0.0.1 ads20.focalink.com
127.0.0.1 ads21.focalink.com
127.0.0.1 ads22.focalink.com
127.0.0.1 ads23.focalink.com
127.0.0.1 ads24.focalink.com
127.0.0.1 ads25.focalink.com
127.0.0.1 ads3.speedbit.com
127.0.0.1 ads3.zdnet.com
127.0.0.1 ads4.speedbit.com
127.0.0.1 ads5.gamecity.net
127.0.0.1 ads5.speedbit.com
127.0.0.1 ads6.speedbit.com
127.0.0.1 ads7.speedbit.com
127.0.0.1 ads8.speedbit.com
127.0.0.1 adserv.bravenet.com
127.0.0.1 adserv.iafrica.com
127.0.0.1 adserv.internetfuel.com
127.0.0.1 adserv.quality-channel.de
127.0.0.1 adserver.adtech.de
127.0.0.1 adserver.affiliation.com
127.0.0.1 adserver.akqa.net
127.0.0.1 adserver.dbusiness.com
127.0.0.1 adserver.directforce.net
127.0.0.1 adserver.garden.com
127.0.0.1 adserver.gorillanation.com
127.0.0.1 adserver.humanux.com
127.0.0.1 adserver.imaginemedia.com
127.0.0.1 adserver.isonews.com
127.0.0.1 adserver.janes.com
127.0.0.1 adserver.lunarpages.com
127.0.0.1 adserver.merc.com
127.0.0.1 adserver.monster.com
127.0.0.1 adserver.track-star.com
127.0.0.1 adserver.tweakers.net
127.0.0.1 adserver.ugo.com
127.0.0.1 adserver.webads.nl
127.0.0.1 adserver1.ogilvy-interactive.de
127.0.0.1 adserver2.imaginemedia.com
127.0.0.1 adsubstract
127.0.0.1 ads-ussj1.focalink.com
127.0.0.1 adtegrity.spinbox.net
127.0.0.1 adulttds.com
127.0.0.1 aglink.mircx.com
127.0.0.1 antfarm-ad.flycast.com
127.0.0.1 asm3.z1.adserver.com
127.0.0.1 au.ads.link4ads.com
127.0.0.1 bach.aureate.com
127.0.0.1 badservant.guj.de
127.0.0.1 banner.50megs.com
127.0.0.1 banner.adverity.com
127.0.0.1 banner.commissionpartner.com
127.0.0.1 banner.de
127.0.0.1 banner.easyspace.com
127.0.0.1 banner.free6.com
127.0.0.1 banner.i-3.de
127.0.0.1 banner.media-system.de
127.0.0.1 banner.orb.net
127.0.0.1 banner.relcom.ru
127.0.0.1 bannerad.ipgnet.com
127.0.0.1 bannerads.de
127.0.0.1 bannerfarm.ace.advertising.com
127.0.0.1 bannerimages.0catch.com
127.0.0.1 bannermaster.geektech.com
127.0.0.1 banner-net.com
127.0.0.1 bannerpower.com
127.0.0.1 banners.adultfriendfinder.com
127.0.0.1 banners.easydns.com
127.0.0.1 banners.free6.com
127.0.0.1 banners.hotlinks.net
127.0.0.1 banners.looksmart.com
127.0.0.1 banners.nextcard.com
127.0.0.1 banners.pennyweb.com
127.0.0.1 banners.valuead.com
127.0.0.1 banners.webmasterplan.com
127.0.0.1 banners.wunderground.com
127.0.0.1 bannervip.webjump.com
127.0.0.1 banzai.moodlogic.com
127.0.0.1 barnesandnoble.bfast.com
127.0.0.1 beseen.com
127.0.0.1 beseen.looksmart.com
127.0.0.1 beseen5.looksmart.com
127.0.0.1 beseenad.looksmart.com
127.0.0.1 beseenad1.looksmart.com
127.0.0.1 beseenad2.looksmart.com
127.0.0.1 beseenad3.looksmart.com
127.0.0.1 beseenadx.looksmart.com
127.0.0.1 bfast.com
127.0.0.1 bins.lop.com
127.0.0.1 bizad.nikkeibp.co.jp
127.0.0.1 bn.bfast.com
127.0.0.1 botw.topbucks.com
127.0.0.1 bsads.looksmart.com
127.0.0.1 by.advertising.com
127.0.0.1 c1.thecounter.com
127.0.0.1 c2.thecounter.com
127.0.0.1 c3.xxxcounter.com
127.0.0.1 califia.imaginemedia.com
127.0.0.1 cash4banner.com
127.0.0.1 cash4banner.de
127.0.0.1 cds.mediaplex.com
127.0.0.1 cgi.sexlist.com
127.0.0.1 click.avenuea.com
127.0.0.1 click.go2net.com
127.0.0.1 click.linksynergy.com
127.0.0.1 clickagents.com
127.0.0.1 clicks.about.com
127.0.0.1 clicks.nastydollars.com
127.0.0.1 clicks.oxcash.com
127.0.0.1 clit5.sextracker.com
127.0.0.1 code02.pbtech.net
127.0.0.1 commonwealth.riddler.com
127.0.0.1 connect.online-dialer.com
127.0.0.1 cookies.cmpnet.com
127.0.0.1 cornflakes.pathfinder.com
127.0.0.1 counter.hitbox.com
127.0.0.1 counter1.sextracker.com
127.0.0.1 counter10.sextracker.com
127.0.0.1 counter11.sextracker.com
127.0.0.1 counter12.sextracker.com
127.0.0.1 counter13.sextracker.com
127.0.0.1 counter14.sextracker.com
127.0.0.1 counter15.sextracker.com
127.0.0.1 counter16.sextracker.com
127.0.0.1 counter2.sextracker.com
127.0.0.1 counter3.sextracker.com
127.0.0.1 counter4.sextracker.com
127.0.0.1 counter5.sextracker.com
127.0.0.1 counter6.sextracker.com
127.0.0.1 counter7.sextracker.com
127.0.0.1 counter8.sextracker.com
127.0.0.1 counter9.sextracker.com
127.0.0.1 crs.akamai.com
127.0.0.1 crux.songline.com
127.0.0.1 ct.iac-online.de
127.0.0.1 de.netstatpro.net
127.0.0.1 desktop.grokster.com
127.0.0.1 dialer.offshoreclicks.com
127.0.0.1 doubleclick.net
127.0.0.1 download1.0190-dialer.com
127.0.0.1 download1.libereco.net
127.0.0.1 download2.0190-dialer.com
127.0.0.1 econnect.libereco.net
127.0.0.1 ehg.hitbox.com
127.0.0.1 ehg-commjun.hitbox.com
127.0.0.1 erie.smartage.com
127.0.0.1 etad.telegraph.co.uk
127.0.0.1 everyone.net
127.0.0.1 exchange-it.com
127.0.0.1 exitfuel.com
127.0.0.1 exitmoney.com
127.0.0.1 fast.mediacharger.com
127.0.0.1 focalink.com
127.0.0.1 fp.valueclick.com
127.0.0.1 fragmentserv.iac-online.de
127.0.0.1 free.bleep-portal.com
127.0.0.1 freeadultlottery.com
127.0.0.1 freeasiahardcore.com
127.0.0.1 freebieclub.com
127.0.0.1 freebigcocks.net
127.0.0.1 freecelebnudity.com
127.0.0.1 freefarmpics.com
127.0.0.1 freegaybears.net
127.0.0.1 freegaylottery.com
127.0.0.1 freenaughtyteens.com
127.0.0.1 freepass.elitecities.com
127.0.0.1 fs.dai.net
127.0.0.1 gadgeteer.pdamart.com
127.0.0.1 global.msads.net
127.0.0.1 gm.preferences.com
127.0.0.1 go.ezgreen.com
127.0.0.1 got2goshop.com
127.0.0.1 goto.trafficmultiplier.com
127.0.0.1 gp.dejanews.com
127.0.0.1 hacker-spider.de
127.0.0.1 hc2.humanclick.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 hit.hotlog.ru
127.0.0.1 hitbox.com
127.0.0.1 hitmatic.com
127.0.0.1 hitsfrom.popuprush.com
127.0.0.1 hotfreewebcams.com
127.0.0.1 hypercount.com
127.0.0.1 ifcol.exitfuel.com
127.0.0.1 image.click2net.com
127.0.0.1 image.eimg.com
127.0.0.1 images.sexlist.com
127.0.0.1 images2.nytimes.com
127.0.0.1 imageserv.adtech.de
127.0.0.1 img.lop.com
127.0.0.1 img.mediaplex.com
127.0.0.1 impnl.tradedoubler.com
127.0.0.1 internetfuel.com
127.0.0.1 itn.adbureau.net
127.0.0.1 jcms.cydoor.com
127.0.0.1 jeeves.flycast.com
127.0.0.1 jobkeys.ngadcenter.net
127.0.0.1 kansas.valueclick.com
127.0.0.1 leader.linkexchange.com
127.0.0.1 linkbuddies.com
127.0.0.1 liquidad.narrowcastmedia.com
127.0.0.1 liveadvert.com
127.0.0.1 ln.doubleclick.net
127.0.0.1 looksmartclicks.com
127.0.0.1 lop.com
127.0.0.1 lsads.looksmart.com.au
127.0.0.1 m.doubleclick.net
127.0.0.1 macaddictads.snv.futurenet.com
127.0.0.1 marketing-internet.com
127.0.0.1 maxexp.com
127.0.0.1 maximumcash.com
127.0.0.1 maximumpcads.imaginemedia.com
127.0.0.1 media.carpediem.fr
127.0.0.1 media.expedia.com
127.0.0.1 media.fastclick.net
127.0.0.1 media.popuptraffic.com
127.0.0.1 media.preferences.com
127.0.0.1 media20.fastclick.net
127.0.0.1 mediacharger.com
127.0.0.1 mediamgr.ugo.com
127.0.0.1 mediaplex.com
127.0.0.1 megacash.de
127.0.0.1 megawebcams.tv
127.0.0.1 mercury.rmuk.co.uk
127.0.0.1 millenium-hitz.com
127.0.0.1 mjxads.internet.com
127.0.0.1 mojofarm.sjc.mediaplex.com
127.0.0.1 monitor.looksmart.com
127.0.0.1 monsterhitz.to
127.0.0.1 musiccity.streamcastnetwork.com
127.0.0.1 n24.de
127.0.0.1 nbc.adbureau.net
127.0.0.1 network.realmedia.com
127.0.0.1 newads.cmpnet.com
127.0.0.1 newsticker.shortnews.de
127.0.0.1 ng3.ads.warnerbros.com
127.0.0.1 ngads.smartage.com
127.0.0.1 nitrous.exitfuel.com
127.0.0.1 nsads.hotwired.com
127.0.0.1 ntbanner.digitalriver.com
127.0.0.1 oad.realmedia.com
127.0.0.1 oas.benchmark.fr
127.0.0.1 onresponse.com
127.0.0.1 oz.valueclick.com
127.0.0.1 p.wtlive.com
127.0.0.1 paycounter.com
127.0.0.1 ph-ad04.focalink.com
127.0.0.1 ph-ad05.focalink.com
127.0.0.1 ph-ad07.focalink.com
127.0.0.1 ph-ad16.focalink.com
127.0.0.1 ph-ad17.focalink.com
127.0.0.1 ph-ad18.focalink.com
127.0.0.1 php.offshoreclicks.com
127.0.0.1 pluto.beseen.com
127.0.0.1 pop.mircx.com
127.0.0.1 popup.found404.com
127.0.0.1 porn-attack.com
127.0.0.1 portal.hostultra.com
127.0.0.1 proxy.ladot.com
127.0.0.1 pub.epiknet.org
127.0.0.1 pub.infiniland.com
127.0.0.1 pub.ketix.com
127.0.0.1 pub.telmedia.fr
127.0.0.1 pub.weborama.fr
127.0.0.1 publish.hometown.aol.co.uk
127.0.0.1 realads.realmedia.com
127.0.0.1 redherring.ngadcenter.net
127.0.0.1 redirect.click2net.com
127.0.0.1 redirect.iac-online.de
127.0.0.1 regio.adlink.de
127.0.0.1 responsemedia-ad.flycast.com
127.0.0.1 retaildirect.realmedia.com
127.0.0.1 rmads.eu.msn.com
127.0.0.1 rs.webmasterplan.com
127.0.0.1 s0.bluestreak.com
127.0.0.1 s1.bluestreak.com
127.0.0.1 s2.bluestreak.com
127.0.0.1 s2.focalink.com
127.0.0.1 s3.bluestreak.com
127.0.0.1 s4.bluestreak.com
127.0.0.1 s5.bluestreak.com
127.0.0.1 s6.bluestreak.com
127.0.0.1 s7.bluestreak.com
127.0.0.1 s8.bluestreak.com
127.0.0.1 sbee.com
127.0.0.1 script.weborama.fr
127.0.0.1 search.kazaa.com
127.0.0.1 secserv.imgis.com
127.0.0.1 servedby.advertising.com
127.0.0.1 servedby.advertwizard.com
127.0.0.1 server.hamster.com
127.0.0.1 server-uk.imrworldwide.com
127.0.0.1 sexpromote.com
127.0.0.1 sextracker.com
127.0.0.1 sh4banner.de
127.0.0.1 sh4sure-images.adbureau.net
127.0.0.1 shop.freepush.com
127.0.0.1 shortwin.de
127.0.0.1 specialoffers.aol.com
127.0.0.1 spezialreporte.de
127.0.0.1 spin.spinbox.net
127.0.0.1 sprinks-clicks.about.com
127.0.0.1 spylog.com
127.0.0.1 srv1.bannercommunity.de
127.0.0.1 srv2.bannercommunity.de
127.0.0.1 srv3.bannercommunity.de
127.0.0.1 static.admaximize.com
127.0.0.1 stats.superstats.com
127.0.0.1 stats3.porntrack.com
127.0.0.1 statse.webtrendslive.com
127.0.0.1 suissa-ad.flycast.com
127.0.0.1 survey.proactive.nl
127.0.0.1 sview.avenuea.com
127.0.0.1 t0.extreme-dm.com
127.0.0.1 thinknyc.eu-adcenter.net
127.0.0.1 tour01.bangbus.com
127.0.0.1 tpl1.realtracker.com
127.0.0.1 tracker.clicktrade.com
127.0.0.1 trinityacquisitions.com
127.0.0.1 tsms-ad.tsms.com
127.0.0.1 tuerck.de.counted.com
127.0.0.1 twistedhumor.com
127.0.0.1 ugo.eu-adcenter.net
127.0.0.1 uk1.linksynergy.com
127.0.0.1 uk2.linksynergy.com
127.0.0.1 uk3.linksynergy.com
127.0.0.1 uk4.linksynergy.com
127.0.0.1 uk5.linksynergy.com
127.0.0.1 us.adserver.yahoo.com
127.0.0.1 v0.extreme-dm.com
127.0.0.1 v1.extreme-dm.com
127.0.0.1 valueclick.com
127.0.0.1 van.ads.link4ads.com
127.0.0.1 vant.guj.de
127.0.0.1 venus.goclick.com
127.0.0.1 view.accendo.com
127.0.0.1 view.avenuea.com
127.0.0.1 vis1.sexlist.com
127.0.0.1 vis2.sexlist.com
127.0.0.1 vis3.sexlist.com
127.0.0.1 vis4.sexlist.com
127.0.0.1 vis5.sexlist.com
127.0.0.1 visit.referralware.com
127.0.0.1 visite.weborama.fr
127.0.0.1 vnu.eu-adcenter.net
127.0.0.1 w0.extreme-dm.com
127.0.0.1 w113.hitbox.com
127.0.0.1 w117.hitbox.com
127.0.0.1 w25.hitbox.com
127.0.0.1 web2.deja.com
127.0.0.1 webads.bizservers.com
127.0.0.1 weblist.de
127.0.0.1 webpdp.gator.com
127.0.0.1 webxprod.qualcomm.com
127.0.0.1 www.0190-dialer.com
127.0.0.1 www.12traffic.de
127.0.0.1 www.1for1.com
127.0.0.1 www.3turtles.com
127.0.0.1 www.404errorpage.com
127.0.0.1 www.7adpower.com
127.0.0.1 www.7host.com
127.0.0.1 www.activeannonce.com
127.0.0.1 www.adbucks.com
127.0.0.1 www.adexit.com
127.0.0.1 www.adexit.de
127.0.0.1 www.adforce.com
127.0.0.1 www.admex.com
127.0.0.1 www.adnetz.net
127.0.0.1 www.adserver.com
127.0.0.1 www.adserver.net
127.0.0.1 www.adsmart.com
127.0.0.1 www.adsmart.net
127.0.0.1 www.adultbizvoice.com
127.0.0.1 www.adultclicks.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.adverity.com
127.0.0.1 www.adverlead.com
127.0.0.1 www.adverline.com
127.0.0.1 www.adverline.fr
127.0.0.1 www.advertising.com
127.0.0.1 www.advertwizard.com
127.0.0.1 www.adviews-sponsor.de
127.0.0.1 www.alexchiu.com
127.0.0.1 www.alladvantage.com
127.0.0.1 www.allclicks.com
127.0.0.1 www.amateur-galleries.com
127.0.0.1 www.amazingpops.com
127.0.0.1 www.at-nude-teens.net
127.0.0.1 www.bannerads.de
127.0.0.1 www.beseen.com
127.0.0.1 www.bfast.com
127.0.0.1 www.boonsolutions.com
127.0.0.1 www.brutalextreme.com
127.0.0.1 www.burstnet.com
127.0.0.1 www.cash1x1.de
127.0.0.1 www.cash2002.de
127.0.0.1 www.cash4banner.com
127.0.0.1 www.cash4banner.de
127.0.0.1 www.cashcount.com
127.0.0.1 www.cashfiesta.com
127.0.0.1 www.cashradio.com
127.0.0.1 www.cashsurfers.com
127.0.0.1 www.casinoglamour.com
127.0.0.1 www.cellularphones.com
127.0.0.1 www.cibleclick.com
127.0.0.1 www.cj.com
127.0.0.1 www.click2sexy.com
127.0.0.1 www.click-fr.com
127.0.0.1 www.clickxchange.com
127.0.0.1 www.clictrafic.com
127.0.0.1 www.coinpromo.com
127.0.0.1 www.cometcursor.com
127.0.0.1 www.cometsystems.net
127.0.0.1 www.commission-junction.com
127.0.0.1 www.cr4.com
127.0.0.1 www.crazypopups.com
127.0.0.1 www.crxwarez.net
127.0.0.1 www.cydoor.com
127.0.0.1 www.daz.com
127.0.0.1 www.dgm2.com
127.0.0.1 www.directvalue.nl
127.0.0.1 www.drawnsex.com
127.0.0.1 www.eads.com
127.0.0.1 www.e-bannerx.com
127.0.0.1 www.eclic.net
127.0.0.1 www.fastclick.net
127.0.0.1 www.fastmetasearch.com
127.0.0.1 www.flycast.co.uk
127.0.0.1 www.flycast.com
127.0.0.1 www.found404.com
127.0.0.1 www.fpctraffic.com
127.0.0.1 www.freeadultlottery.com
127.0.0.1 www.freeasiahardcore.com
127.0.0.1 www.free-banners.com
127.0.0.1 www.freebigcocks.net
127.0.0.1 www.freecelebnudity.com
127.0.0.1 www.freefarmpics.com
127.0.0.1 www.freegaybears.net
127.0.0.1 www.freegaylottery.com
127.0.0.1 www.freenaughtyteens.com
127.0.0.1 www.freestats.com
127.0.0.1 www.frontpagecash.com
127.0.0.1 www.bleep-portal.com
127.0.0.1 www.gamingclub.com
127.0.0.1 www.gator.co.uk
127.0.0.1 www.gator.com
127.0.0.1 www.gator.net
127.0.0.1 www.genhit.com
127.0.0.1 www.getsearches.com
127.0.0.1 www.gopopup.com
127.0.0.1 www.greetingwishes.com
127.0.0.1 www.grokster.com
127.0.0.1 www.hardcorepornos.org
127.0.0.1 www.hightrafficads.com
127.0.0.1 www.hit-parade.com
127.0.0.1 www.hitsme.com
127.0.0.1 www.hotfreewebcams.com
127.0.0.1 www.imaginemedia.com
127.0.0.1 www.lastconsole.com
127.0.0.1 www.linkshare.com
127.0.0.1 www.liveadvert.com
127.0.0.1 www.lo-litas.com
127.0.0.1 www.looksmartclicks.com
127.0.0.1 www.lop.com
127.0.0.1 www.lottoforever.com
127.0.0.1 www.mediaplex.com
127.0.0.1 www.megacash.de
127.0.0.1 www.megawebcams.tv
127.0.0.1 www.milfhunter.com
127.0.0.1 www.modchip.com
127.0.0.1 www.mod-chip.com
127.0.0.1 www.money4exit.de
127.0.0.1 www.my-stats.com
127.0.0.1 www.netbroadcaster.com
127.0.0.1 www.netflip.com
127.0.0.1 www.netgravity.com
127.0.0.1 www.newtopsites.com
127.0.0.1 www.nic.co.il
127.0.0.1 www.nudelinkz.com
127.0.0.1 www.oneandonlynetwork.com
127.0.0.1 www.onresponse.com
127.0.0.1 www.paidpopup.de
127.0.0.1 www.piratos.de
127.0.0.1 www.popdown.de
127.0.0.1 www.popupad.net
127.0.0.1 www.popuptraffic.com
127.0.0.1 www.postmasterbannernet.com
127.0.0.1 www.prepaidliving.com
127.0.0.1 www.qksrv.net
127.0.0.1 www.qualityhitz.com
127.0.0.1 www.qualypromos.com
127.0.0.1 www.radiate.com
127.0.0.1 www.radiofreecash.com
127.0.0.1 www.rankyou.com
127.0.0.1 www.reference-sexe.com
127.0.0.1 www.sbee.com
127.0.0.1 www.sbvr.com
127.0.0.1 www.searchtraffic.com
127.0.0.1 www.service-url.de
127.0.0.1 www.sexfranco.com
127.0.0.1 www.sexfreelist.com
127.0.0.1 www.sexlist.com
127.0.0.1 www.sexpromote.com
127.0.0.1 www.sexspy.com
127.0.0.1 www.sexstudio24.de
127.0.0.1 www.sextracker.com
127.0.0.1 www.sextraffic.org
127.0.0.1 www.sexyfreehost.com
127.0.0.1 www.sexyplugin.com
127.0.0.1 www.simplecounter.net
127.0.0.1 www.slutzoo.com
127.0.0.1 www.sonixwarez.com
127.0.0.1 www.sponsor2002.de
127.0.0.1 www.targetshop.com
127.0.0.1 www.techiwarehouse.com
127.0.0.1 www.teknosurf.com
127.0.0.1 www.teknosurf2.com
127.0.0.1 www.teknosurf3.com
127.0.0.1 www.theadultwire.com
127.0.0.1 www.topwarez-fr.com
127.0.0.1 www.toys-galleries.com
127.0.0.1 www.trafficbox.net
127.0.0.1 www.trafficmonetizer.com
127.0.0.1 www.unionwarez.com
127.0.0.1 www.valueclick.com
127.0.0.1 www.valuesponsor.com
127.0.0.1 www.warez33.com
127.0.0.1 www.warezfield.com
127.0.0.1 www.web3000.co.uk
127.0.0.1 www.web3000.com
127.0.0.1 www.webads.nl
127.0.0.1 www.webferret.com
127.0.0.1 www.webhancer.com
127.0.0.1 www.webhancer.net
127.0.0.1 www.weblist.de
127.0.0.1 www.websitefinancing.com
127.0.0.1 www.wedoo.com
127.0.0.1 www.win24.de
127.0.0.1 www.wingowin.com
127.0.0.1 www.wtlive.com
127.0.0.1 www.xiti.com
127.0.0.1 www.xpostx.com
127.0.0.1 www.xxxdisplay.com
127.0.0.1 www.xxxfreeamateurs.com
127.0.0.1 www.xxxteenclub.de
127.0.0.1 www.youmakemoney.com
127.0.0.1 www.zeloop.net
127.0.0.1 www2.burstnet.com
127.0.0.1 www2.consumercreditusa.com
127.0.0.1 www3.netgravity.com
127.0.0.1 www4.netgravity.com
127.0.0.1 www4.trix.net
127.0.0.1 www80.valueclick.com
127.0.0.1 xads.infospace.com
127.0.0.1 xads.zedo.com
127.0.0.1 xxxfreeamateurs.com
127.0.0.1 z.extreme-dm.com
127.0.0.1 z0.extreme-dm.com
127.0.0.1 z1.extreme-dm.com
127.0.0.1 zac.netgravity.com
127.0.0.1 img.thebugs.ws
127.0.0.1 pet.thebugs.ws
127.0.0.1 mt45.mtree.com
127.0.0.1 www.porncow.com
127.0.0.1 download.alexa.com
127.0.0.1 count.exit.exchange.com
127.0.0.1 www.classmates.com
127.0.0.1 bidclix.net
127.0.0.1 www.media-ads.org
127.0.0.1 www.aitsafe.com
127.0.0.1 service.bfast.com
127.0.0.1 spweb.whenu.com
127.0.0.1 www.getweathercast.com
127.0.0.1 www.clock-sync.com
127.0.0.1 secure.goodthinxx.com
127.0.0.1 port.goodthinxx.com
127.0.0.1 chochux.offshoreclicks.com
127.0.0.1 go.offshoreclicks.com
127.0.0.1 click.atdmt.com
127.0.0.1 dropcharge.stardialer.de
127.0.0.1 download.stardialer.de
127.0.0.1 www.outwar.com
127.0.0.1 outwar.com
127.0.0.1 www.pornstarguru.com
127.0.0.1 www.popstarwar.com
127.0.0.1 www.monsterwar.net
127.0.0.1 www.gangsterwar.com
127.0.0.1 srch.lop.com
127.0.0.1 clickcash.webpower.com
127.0.0.1 install.serviceurl.de
127.0.0.1 aim1.radiate.com
127.0.0.1 aim2.radiate.com
127.0.0.1 aim3.radiate.com
127.0.0.1 www.flyswat.com
127.0.0.1 www.flyswat.net
127.0.0.1 www.flyswat.org
127.0.0.1 www.flyswat.co.uk
127.0.0.1 www.cometsystems.com
127.0.0.1 www.cometzone.com
127.0.0.1 www.livecursors.com
127.0.0.1 aim1.adsoftware.com
127.0.0.1 aim2.adsoftware.com
127.0.0.1 aim3.adsoftware.com
127.0.0.1 aim4.adsoftware.com
127.0.0.1 aim5.adsoftware.com
127.0.0.1 www.conducent.com
127.0.0.1 www.conducent.co.uk
127.0.0.1 www.mathlogic.com
127.0.0.1 www.adsoftware.com
127.0.0.1 www.gohip.com
127.0.0.1 www.lolitafree.de
127.0.0.1 www.exitblaze.com
127.0.0.1 hop.clickbank.net
127.0.0.1 www.w3exit.com
127.0.0.1 ads.flabber.nl
127.0.0.1 servlets.kliks.nl
127.0.0.1 affiliates.kliks.nl
127.0.0.1 ads.revenue.net
127.0.0.1 pops.freeze.com
127.0.0.1 adlog.com.com
127.0.0.1 ads.techtv.com
127.0.0.1 ads.tripod.lycos.co.uk
127.0.0.1 adserv.happypuppy.com
127.0.0.1 ads.ipowerweb.com
127.0.0.1 www.hitboss.com
127.0.0.1 dbbsrv.com
127.0.0.1 download.globaldialer.net
127.0.0.1 www.passthison.com
127.0.0.1 tafmaster.com
127.0.0.1 www.xtra.fm
127.0.0.1 www.mp3bank.nl
127.0.0.1 www.paypopup.com

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\geplxss.dll Deleted
C:\Program Files\Video Access ActiveX Object\ Deleted

Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Here is my hijack log

Logfile of HijackThis v1.99.1
Scan saved at 9:39:29 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siClientUI.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMain.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Jerry Green\Application Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jerry Green\Application Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [qsnO36R] srvga11n.exe
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [fe4aa3b56d13] C:\WINDOWS\system32\certmgr9.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Amgh] C:\documents and settings\jerry green\local settings\temp\Amgh.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [bB4ERWd2S] msedlg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax2317.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 18 March 2007 - 05:30 AM

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open. Look at the bottom of the window. To the right of Attributes, check the box that says Read-only.
4) Click Apply/OK.

**************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [qsnO36R] srvga11n.exe
O4 - HKLM\..\Run: [fe4aa3b56d13] C:\WINDOWS\system32\certmgr9.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Amgh] C:\documents and settings\jerry green\local settings\temp\Amgh.exe
O4 - HKCU\..\Run: [bB4ERWd2S] msedlg.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab


Find and delete if present:
srvga11n.exe
msedlg.exe

C:\WINDOWS\system32\certmgr9.exe
C:\Program Files\AutoUpdate
C:\documents and settings\jerry green\local settings\temp<-Delete everything inside this temp folder.

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#7 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 22 March 2007 - 09:15 PM

Thank you so much for your input....

HOWEVER, I'm having total problems just booting up my computer.....the following issues are listed below

1. Computer trys to boot up and then gives log on screen once logging on the computer restarts

2. Was able to get into safe mode but don't know what to do.

3. While booting up for the first time in safe mode I had a blue screen in XP
ERROR IRQL_Not Less or Equal

4. During start up the computer gives me a fail floppy drive and hit f1 or del for bios..

5. It keeps stating that it needs the bios security disable so it can upgrade. I never download any BIOS update.

Any input would be great I'm stuck with out a computer that has some important files on.

Thanks again for any help or support

#8 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 23 March 2007 - 12:56 PM

Can someone give me some insight as to what I can do? I can only boot in safe mode and I'm not sure what program to run. I'm stuck using laptop right now. Any help would be great.

Thanks
Radiokaos

#9 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 24 March 2007 - 01:50 PM

Sorry for posting twice. I appreicate all of the help and support so far. Here is a new hijack scan. Any input would be very helpful. Should I run avg even though I still have current boot up issus?

Logfile of HijackThis v1.99.1
Scan saved at 11:42:07 AM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [qsnO36R] srvga11n.exe
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [fe4aa3b56d13] C:\WINDOWS\system32\certmgr9.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Amgh] C:\documents and settings\jerry green\local settings\temp\Amgh.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax2317.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE



I was getting ready to follow the above instructions however my system is now requesting a bios update. I have not enable the update due to uncertainity. In startup I'm also getting a missing flopy as well. My current system will only open in safe under adim. Thanks once again for your time and effort.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 24 March 2007 - 02:21 PM

Sounds like you're pc has developed other more serious issues totally unrelated to what we are doing.

Should I run avg even though I still have current boot up issus?

Yes do that,post back when you've finished please,let me know whats happening.
Posted Image
Posted Image

#11 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 24 March 2007 - 05:04 PM

Thank you so much for your fast reply....

I ran AVG, and cleared what I could in dormant files.

Still no luck on the boot up process, same errors (bios update waiting, and no floppy)

Still get the IRQ not less or equal to blue screen

Able to boot in safe mode.

Should I revert to an earlier date on windows when it opens in safe mode?

Here is my most recent run of hijackthis

Thanks again for all of your help and time...

Logfile of HijackThis v1.99.1
Scan saved at 2:59:14 PM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Jerry Green\Application Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jerry Green\Application Data\Mozilla\Profiles\default\6j6vuwwt.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [bB4ERWd2S] msedlg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax2317.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 25 March 2007 - 07:17 AM

You could try the following,it might work,give it a try:
Start up in Safe Mode,select 'Safe Mode with Command Prompt'.
At the prompt type or copy and paste:
%systemroot%\system32\restore\rstrui.exe
Then press Enter,follow the onscreen instructions.
Posted Image
Posted Image

#13 radiokaos

radiokaos
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 25 March 2007 - 08:04 AM

No luck tried it and still same issues below, any other suggestions

1. Bad Flopy (hard to believe since the floppy is never used)

2. BIOS update needed (I never download any bios update)

Any help would be great, I have avoided all other sites for info, your site and mod have there act together.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 25 March 2007 - 01:16 PM

I suggest you start a new topic here explaining in detail the problem you're having.
Windows XP Home and Professional:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users