Post by: homepham on January 23, 2005, 03:15:58 AM
I indeed need help from experts to show me what should I select on my Hijack scan log file. Your help is greatly appreciated.
Logfile of HijackThis v1.99.0
Scan saved at 10:27:14 PM, on 1/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Hy Pham\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Post by: guestolo on January 23, 2005, 06:40:58 AM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe (http://\"http://www.diamondcs.com.au/tds/downloads/tds3setup.exe\")
This is good for 30 days
Install it and Restart your computer when prompted
Don't run a scan yet
When your back in Windows it's important to update the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3 (http://\"http://www.diamondcs.com.au/tds/radius.td3\")
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to freeze at times
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save this to a convienent location
After saving the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
If anything found could you post the Scandump.txt
Also post a fresh Hijackthis log, thanks
Post by: Guest on January 23, 2005, 11:10:45 PM
Thanks you for looking reading my post and your reply.
I haven't started the process that you mentioned in your reply yet. I wonder if you can tell me is there any virus or any strange suspidious thing in my log file that I posted above.
If you noticed something strange in my Hijack log file, would it be simple to fix it by selecting it and delete it.
I wonder why I have to do such thing complicated as you suggested above. Please advise me.
Thanks a lot for your helps.
Post by: guestolo on January 23, 2005, 11:17:47 PM
You just have some entries that are unknown, we can fix them with Hijackthis
But to ensure that there is nothing else we miss, it would probably be best to Install
TDS-3
I installed it myself>>The trial version to see what it's like
It's easy to install>>Download from the first link I gave you
Install it and Restart the computer
Come back here and RIGHT CLICK on the second link and select Save target as
Save it to the C:\Program Files\TDS-3 folder
Allowing it to overwrite the older radius database
After that is installed run the Full system scan from the instructions above
Post by: guestolo on January 23, 2005, 11:33:51 PM
and you save the scandump.txt file could you please Restart your computer again
Also, I just noticed this in your log
C:\Documents and Settings\Hy Pham\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
I need you to save Hijackthis to a permanent folder
I'll supply a download link for you to redownload it
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (http://\"https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe\") or CLICK HERE (http://\"http://aumha.org/downloads/hijackthis.exe\")
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
Remember to post the Scandump.txt file too, thanks
Post by: Guest on January 24, 2005, 12:39:31 AM
Thanks for your advices. I've moved my Hijackthis to a permanent folder under C:/Program/Hijackthis. And here is a new log file generated after I ran Hijack. I've also tried your earlier advices by down loading the program follow your links provided.
The first link it turned out to be Spyware Doctor program. I downloaded anyway. After I scaned my computer, it won't alow me to fix the problem since it ask me to register and buy the software. I'll also list the result of the scan from this here too.
The second link is TDS-3 which I loaded under C:/Programs/
Here is the scans of both programs will be separated by a string of "============================="
The log file of Hijack scan is :
Logfile of HijackThis v1.99.0
Scan saved at 8:25:30 PM, on 1/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=================================================
the log file of Spy Doctor is:
Scan Results:
scan start: 1/23/2005 8:05:55 PM
scan stop: 1/23/2005 8:06:28 PM
scanned items: 14589
found items: 0
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
Scan Results:
scan start: 1/23/2005 8:09:58 PM
scan stop: 1/23/2005 8:11:11 PM
scanned items: 46332
found items: 4
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
Trojan drsnsrch HKLM\Software\Vendor\xml High
Virtual Bouncer HKLM\SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:/Program Files/VBouncer/INSTALL.LOG Medium
Twain-tech C:\Documents and Settings\Hy Pham\Desktop\..\Local Settings\temp\dummy.htm Elevated
DelfinProject C:\keys.ini Elevated
Thanks again and please advise.
Post by: guestolo on January 24, 2005, 12:58:59 AM
The first link I posted you too was too TDS-3 Anti-trojan software
The second link I posted was the radius database update files for TDS-3
That's very interesting
Are you sure you tried that link I posted above?
I had no intention of getting you too install Spyware Doctor
Go ahead and uninstall it......
I don't use it myself so I don't recommend it
Sorry for the mishap
That link I posted is the installer for tds-3
I'm sure of that, something may have a hold of your host file
The second link did you no good, because you didn't have TDS-3 installed
The first link--If saved to the desktop should of shown as a tds3 Setup Icon
Can you do me a favor please
Open Hijackthis>>Open the Misc tools Section
Open the Hosts file manager
Click the "Open in Notepad"
Copy and paste back here the whole contents of the Hosts notepad file
Post by: Guest on January 24, 2005, 01:12:47 AM
# copyright © 1993-1999 microsoft corp.
#
# this is a sample hosts file used by microsoft tcp/ip for windows.
#
# this file contains the mappings of ip addresses to host names. each
# entry should be kept on an individual line. the ip address should
# be placed in the first column followed by the corresponding host name.
# the ip address and the host name should be separated by at least one
# space.
#
# additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# for example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.Email Removed
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.enliven.com
127.0.0.1 oz.valueclick.com
127.0.0.1 doubleclick.net
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.linkexchange.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.imdb.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 www.nrsite.com
127.0.0.1 ad-up.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 adbot.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.filez.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 advert.heise.de
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 207-87-18-203.wsmg.digex.net
127.0.0.1 garden.ngadcenter.net
127.0.0.1 ogilvy.ngadcenter.net
127.0.0.1 responsemedia-ad.flycast.com
127.0.0.1 suissa-ad.flycast.com
127.0.0.1 ugo.eu-adcenter.net
127.0.0.1 vnu.eu-adcenter.net
127.0.0.1 ad-adex3.flycast.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.ca.doubleclick.net
127.0.0.1 ad.de.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.jp.doubleclick.net
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.linksynergy.com
127.0.0.1 ad.nl.doubleclick.net
127.0.0.1 ad.no.doubleclick.net
127.0.0.1 ad.sma.punto.net
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.webprovider.com
127.0.0.1 ad08.focalink.com
127.0.0.1 adcontroller.unicast.com
127.0.0.1 adcreatives.imaginemedia.com
127.0.0.1 adforce.ads.imgis.com
127.0.0.1 adforce.imgis.com
127.0.0.1 adfu.blockstackers.com
127.0.0.1 adimages.earthweb.com
127.0.0.1 adimg.egroups.com
127.0.0.1 admedia.xoom.com
127.0.0.1 adremote.pathfinder.com
127.0.0.1 ads.admaximize.com
127.0.0.1 ads.bfast.com
127.0.0.1 ads.clickhouse.com
127.0.0.1 ads.fairfax.com.au
127.0.0.1 ads.fool.com
127.0.0.1 ads.freshmeat.net
127.0.0.1 ads.hollywood.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.infi.net
127.0.0.1 ads.link4ads.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.madison.com
127.0.0.1 ads.mediaodyssey.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.ninemsn.com.au
127.0.0.1 ads.seattletimes.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.smartclicks.net
127.0.0.1 ads.sptimes.com
127.0.0.1 ads.web.Email Removed
127.0.0.1 ads.x10.com
127.0.0.1 ads.xtra.co.nz
127.0.0.1 ads.zdnet.com
127.0.0.1 ads01.focalink.com
127.0.0.1 ads02.focalink.com
127.0.0.1 ads03.focalink.com
127.0.0.1 ads04.focalink.com
127.0.0.1 ads05.focalink.com
127.0.0.1 ads06.focalink.com
127.0.0.1 ads08.focalink.com
127.0.0.1 ads09.focalink.com
127.0.0.1 ads1.activeagent.at
127.0.0.1 ads10.focalink.com
127.0.0.1 ads11.focalink.com
127.0.0.1 ads12.focalink.com
127.0.0.1 ads14.focalink.com
127.0.0.1 ads16.focalink.com
127.0.0.1 ads17.focalink.com
127.0.0.1 ads18.focalink.com
127.0.0.1 ads19.focalink.com
127.0.0.1 ads2.zdnet.com
127.0.0.1 ads20.focalink.com
127.0.0.1 ads21.focalink.com
127.0.0.1 ads22.focalink.com
127.0.0.1 ads23.focalink.com
127.0.0.1 ads24.focalink.com
127.0.0.1 ads25.focalink.com
127.0.0.1 ads3.zdnet.com
127.0.0.1 ads5.gamecity.net
127.0.0.1 adserv.iafrica.com
127.0.0.1 adserv.quality-channel.de
127.0.0.1 adserver.dbusiness.com
127.0.0.1 adserver.garden.com
127.0.0.1 adserver.janes.com
127.0.0.1 adserver.merc.com
127.0.0.1 adserver.monster.com
127.0.0.1 adserver.track-star.com
127.0.0.1 adserver1.ogilvy-interactive.de
127.0.0.1 adtegrity.spinbox.net
127.0.0.1 antfarm-ad.flycast.com
127.0.0.1 au.ads.link4ads.com
127.0.0.1 banner.media-system.de
127.0.0.1 banner.orb.net
127.0.0.1 banner.relcom.ru
127.0.0.1 banners.easydns.com
127.0.0.1 banners.looksmart.com
127.0.0.1 banners.wunderground.com
127.0.0.1 barnesandnoble.bfast.com
127.0.0.1 beseenad.looksmart.com
127.0.0.1 bizad.nikkeibp.co.jp
127.0.0.1 bn.bfast.com
127.0.0.1 c3.xxxcounter.com
127.0.0.1 califia.imaginemedia.com
127.0.0.1 cds.mediaplex.com
127.0.0.1 click.avenuea.com
127.0.0.1 click.go2net.com
127.0.0.1 click.linksynergy.com
127.0.0.1 cookies.cmpnet.com
127.0.0.1 cornflakes.pathfinder.com
127.0.0.1 counter.hitbox.com
127.0.0.1 crux.songline.com
127.0.0.1 erie.smartage.com
127.0.0.1 etad.telegraph.co.uk
127.0.0.1 fp.valueclick.com
127.0.0.1 gadgeteer.pdamart.com
127.0.0.1 gm.preferences.com
127.0.0.1 gp.dejanews.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 image.click2net.com
127.0.0.1 image.eimg.com
127.0.0.1 images2.nytimes.com
127.0.0.1 jobkeys.ngadcenter.net
127.0.0.1 kansas.valueclick.com
127.0.0.1 leader.linkexchange.com
127.0.0.1 liquidad.narrowcastmedia.com
127.0.0.1 ln.doubleclick.net
127.0.0.1 m.doubleclick.net
127.0.0.1 macaddictads.snv.futurenet.com
127.0.0.1 maximumpcads.imaginemedia.com
127.0.0.1 media.preferences.com
127.0.0.1 mercury.rmuk.co.uk
127.0.0.1 mojofarm.sjc.mediaplex.com
127.0.0.1 nbc.adbureau.net
127.0.0.1 newads.cmpnet.com
127.0.0.1 ng3.ads.warnerbros.com
127.0.0.1 ngads.smartage.com
127.0.0.1 nsads.hotwired.com
127.0.0.1 ntbanner.digitalriver.com
127.0.0.1 ph-ad05.focalink.com
127.0.0.1 ph-ad07.focalink.com
127.0.0.1 ph-ad16.focalink.com
127.0.0.1 ph-ad17.focalink.com
127.0.0.1 ph-ad18.focalink.com
127.0.0.1 realads.realmedia.com
127.0.0.1 redherring.ngadcenter.net
127.0.0.1 redirect.click2net.com
127.0.0.1 retaildirect.realmedia.com
127.0.0.1 s2.focalink.com
127.0.0.1 sh4sure-images.adbureau.net
127.0.0.1 spin.spinbox.net
127.0.0.1 static.admaximize.com
127.0.0.1 stats.superstats.com
127.0.0.1 sview.avenuea.com
127.0.0.1 thinknyc.eu-adcenter.net
127.0.0.1 tracker.clicktrade.com
127.0.0.1 tsms-ad.tsms.com
127.0.0.1 v0.extreme-dm.com
127.0.0.1 v1.extreme-dm.com
127.0.0.1 van.ads.link4ads.com
127.0.0.1 view.accendo.com
127.0.0.1 view.avenuea.com
127.0.0.1 w113.hitbox.com
127.0.0.1 w25.hitbox.com
127.0.0.1 web2.deja.com
127.0.0.1 webads.bizservers.com
127.0.0.1 www.postmasterbannernet.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.admex.com
127.0.0.1 www.alladvantage.com
127.0.0.1 www.burstnet.com
127.0.0.1 www.commission-junction.com
127.0.0.1 www.eads.com
127.0.0.1 www.freestats.com
127.0.0.1 www.imaginemedia.com
127.0.0.1 www.netdirect.nl
127.0.0.1 www.oneandonlynetwork.com
127.0.0.1 www.targetshop.com
127.0.0.1 www.teknosurf2.com
127.0.0.1 www.teknosurf3.com
127.0.0.1 www.valueclick.com
127.0.0.1 www.websitefinancing.com
127.0.0.1 www2.burstnet.com
127.0.0.1 www4.trix.net
127.0.0.1 www80.valueclick.com
127.0.0.1 z.extreme-dm.com
127.0.0.1 z0.extreme-dm.com
127.0.0.1 z1.extreme-dm.com
127.0.0.1 ads.forbes.net
127.0.0.1 ads.newcity.com
127.0.0.1 ads.ign.com
127.0.0.1 adserver.ign.com
127.0.0.1 ads.scifi.com
127.0.0.1 adengine.theglobe.com
127.0.0.1 ads.tucows.com
127.0.0.1 adcontent.gamespy.com
127.0.0.1 ads4.advance.net
127.0.0.1 ads1.advance.net
127.0.0.1 eur.yimg.com
127.0.0.1 us.a1.yimg.com
127.0.0.1 ad.harmony-central.com
127.0.0.1 sg.yimg.com
127.0.0.1 adverity.adverity.com
127.0.0.1 ads.bloomberg.com
127.0.0.1 mojofarm.mediaplex.com
127.0.0.1 ads.mysimon.com
127.0.0.1 ad.img.yahoo.co.kr
127.0.0.1 adimages.go.com
127.0.0.1 kr-adimage.lycos.co.kr
127.0.0.1 ad.kimo.com.tw
127.0.0.1 ads.paxnet.co.kr
127.0.0.1 ads.paxnet.com
127.0.0.1 ads.eu.msn.com
127.0.0.1 ads.admonitor.net
127.0.0.1 wwa.hitbox.com
127.0.0.1 ads.nytimes.com
127.0.0.1 ads.erotism.com
127.0.0.1 banner.rootsweb.com
127.0.0.1 ads.ole.com
127.0.0.1 adimg1.chosun.com
127.0.0.1 ss.mtree.com
127.0.0.1 adpulse.ads.targetnet.com
127.0.0.1 adserver.ugo.com
127.0.0.1 ad.sales.olympics.com
127.0.0.1 m2.doubleclick.net
127.0.0.1 ph-ad21.focalink.com
127.0.0.1 focusin.ads.targetnet.com
127.0.0.1 www.datais.com
127.0.0.1 oas.mmd.ch
127.0.0.1 pub-g.ifrance.com
127.0.0.1 ads.bianca.com
127.0.0.1 wap.adlink.de
127.0.0.1 click.adlink.de
127.0.0.1 banner.adlink.de
127.0.0.1 hurricane.adlink.de
127.0.0.1 west.adlink.de
127.0.0.1 scand.adlink.de
127.0.0.1 regio.adlink.de
127.0.0.1 direct.adlink.de
127.0.0.1 classic.adlink.de
127.0.0.1 adlui001.adlink.de
127.0.0.1 banner1.adlink.de
127.0.0.1 click.mp3.com
127.0.0.1 adcodes.bla-bla.com
127.0.0.1 icover.realmedia.com
127.0.0.1 ca.fp.sandpiper.net
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 ads.tmcs.net
127.0.0.1 amedia.techies.com
127.0.0.1 www.exchange-it.com
127.0.0.1 www.ad.tomshardware.com
127.0.0.1 ad.tomshardware.com
127.0.0.1 ads.currantbun.com
127.0.0.1 phoenix-adrunner.mycomputer.com
127.0.0.1 ads15.focalink.com
127.0.0.1 ads13.focalink.com
127.0.0.1 adserver.colleges.com
127.0.0.1 ads.nwsource.com
127.0.0.1 ads.guardianunlimited.co.uk
127.0.0.1 ads.newsint.co.uk
127.0.0.1 ads.starnews.com
127.0.0.1 www.linksynergy.com
127.0.0.1 ieee-images.adbureau.net
127.0.0.1 connect.247media.ads.link4ads.com
127.0.0.1 ads.newsdigital.net
127.0.0.1 arc5.msn.com
127.0.0.1 arc4.msn.com
127.0.0.1 arc3.msn.com
127.0.0.1 arc2.msn.com
127.0.0.1 arc1.msn.com
127.0.0.1 ads.discovery.com
127.0.0.1 im.800.com
127.0.0.1 img.cmpnet.com
127.0.0.1 ad7.internetadserver.com
127.0.0.1 ads.dai.net
127.0.0.1 ads.cbc.ca
127.0.0.1 www75.valueclick.com
127.0.0.1 ads.clearbluemedia.com
127.0.0.1 ti.click2net.com
127.0.0.1 www.onresponse.com
127.0.0.1 ads.list-universe.com
127.0.0.1 advert.bayarea.com
127.0.0.1 www3.pagecount.com
127.0.0.1 www.netsponsors.com
127.0.0.1 adthru.com
127.0.0.1 ads.newtimes.com
127.0.0.1 ads.ugo.com
127.0.0.1 ads.belointeractive.com
127.0.0.1 wwb.hitbox.com
127.0.0.1 comtrack.comclick.com
127.0.0.1 www.24pm-affiliation.com
127.0.0.1 www.click-fr.com
127.0.0.1 www.cibleclick.com
127.0.0.1 reply.mediatris.net
127.0.0.1 cgi.declicnet.com
127.0.0.1 pubs.mgn.net
127.0.0.1 ads.mcafee.com
127.0.0.1 ads1.ad-flow.com
127.0.0.1 ad.be.doubleclick.net
127.0.0.1 ad.adtraq.com
127.0.0.1 ad.sg.doubleclick.net
127.0.0.1 adpop.theglobe.com
127.0.0.1 ads-03.tor.focusin.ads.targetnet.com
127.0.0.1 ads.adflight.com
127.0.0.1 ads.detelefoongids.nl
127.0.0.1 ads.ecircles.com
127.0.0.1 ads.god.co.uk
127.0.0.1 ads.hyperbanner.net
127.0.0.1 ads.jpost.com
127.0.0.1 ads.netmechanic.com
127.0.0.1 ads.webcash.nl
127.0.0.1 adserver.netcast.nl
127.0.0.1 adserver.webads.com
127.0.0.1 adserver.webads.nl
127.0.0.1 adserver1.realtracker.com
127.0.0.1 adserver2.realtracker.com
127.0.0.1 adserver3.realtracker.com
127.0.0.1 delivery1.ads.telegraaf.nl
127.0.0.1 holland.hyperbanner.net
127.0.0.1 images.webads.nl
127.0.0.1 sc.clicksupply.com
127.0.0.1 service.bfast.com
127.0.0.1 www.ad4ex.com
127.0.0.1 www.bannercampaign.com
127.0.0.1 www.cyberbounty.com
127.0.0.1 www.netvertising.be
127.0.0.1 www.speedyclick.com
127.0.0.1 www.webads.nl
127.0.0.1 ads.snowball.com
127.0.0.1 ads.amazingmedia.com
127.0.0.1 www10.valueclick.com
127.0.0.1 js1.hitbox.com
127.0.0.1 rd1.hitbox.com
127.0.0.1 mt37.mtree.com
127.0.0.1 ads.gameanswers.com
127.0.0.1 ads7.udc.advance.net
127.0.0.1 www23.valueclick.com
127.0.0.1 ads.fortunecity.com
127.0.0.1 banners.nextcard.com
127.0.0.1 ads.iwon.com
127.0.0.1 www.qksrv.net
127.0.0.1 clickserve.cc-dt.com
127.0.0.1 ads-b.focalink.com
127.0.0.1 ad2.peel.com
127.0.0.1 ads.floridatoday.com
127.0.0.1 stats.adultrevenueservice.com
127.0.0.1 ads18.bpath.com
127.0.0.1 ph-ad06.focalink.com
127.0.0.1 global.msads.net
127.0.0.1 pluto1.iserver.net
127.0.0.1 ads1.intelliads.com
127.0.0.1 primetime.ad.asap-asp.net
127.0.0.1 ads.stileproject.com
127.0.0.1 di.image.eshop.msn.com
127.0.0.1 www.blissnet.net
127.0.0.1 www.consumerinfo.com
127.0.0.1 ads.rottentomatoes.com
127.0.0.1 k5ads.osdn.com
127.0.0.1 actionsplash.com
127.0.0.1 campaigns.f2.com.au
127.0.0.1 adserver.news.com.au
127.0.0.1 servedby.advertising.com
127.0.0.1 java.yahoo.com
127.0.0.1 ad.howstuffworks.com
127.0.0.1 ads.1for1.com
127.0.0.1 images.ads.fairfax.com.au
127.0.0.1 ads.devx.com
127.0.0.1 utils.mediageneral.com
127.0.0.1 banners.friendfinder.com
127.0.0.1 adserver.matchcraft.com
127.0.0.1 www.dnps.com
127.0.0.1 creative.whi.co.nz
127.0.0.1 rmedia.boston.com
127.0.0.1 webaffiliate.covad.com
127.0.0.1 ad.iwin.com
127.0.0.1 www.nailitonline2.com
127.0.0.1 mds.centrport.net
127.0.0.1 oas.dispatch.com
127.0.0.1 adserver.ads360.com
127.0.0.1 banners.adultfriendfinder.com
127.0.0.1 ads.as4x.tmcs.net
127.0.0.1 ads.clickagents.com
127.0.0.1 banners.chek.com
127.0.0.1 zi.r.tv.com
127.0.0.1 ph-ad19.focalink.com
127.0.0.1 ads.greensboro.com
127.0.0.1 ad2.adcept.net
127.0.0.1 ads.colo.kiva.net
127.0.0.1 adsrv.iol.co.za
127.0.0.1 mjxads.internet.com
127.0.0.1 adimage.asiaone.com.sg
127.0.0.1 ads.vnuemedia.com
127.0.0.1 affiliate.doteasy.com
127.0.0.1 m.tribalfusion.com
127.0.0.1 oas.lee.net
127.0.0.1 www.banneroverdrive.com
127.0.0.1 ad3.peel.com
127.0.0.1 ad1.peel.comwww.xbn.ru
127.0.0.1 adserver.snowball.com
127.0.0.1 media15.fastclick.net
127.0.0.1 ads5.advance.net
127.0.0.1 ads3.advance.net
127.0.0.1 ads2.advance.net
127.0.0.1 ads.advance.net
127.0.0.1 usbytecom.orbitcycle.com
127.0.0.1 adbanner.sweepsclub.com
127.0.0.1 oas.villagevoice.com
127.0.0.1 www.ad-flow.com
127.0.0.1 ads.guardian.co.uk
127.0.0.1 ads.hitcents.com
127.0.0.1 media19.fastclick.net
127.0.0.1 a.tribalfusion.com
127.0.0.1 ads.nypost.com
127.0.0.1 ads.premiumnetwork.com
127.0.0.1 ads.ad-flow.com
127.0.0.1 adserver.hispavista.com
127.0.0.1 ads.musiccity.com
127.0.0.1 banners.revenuelink.com
127.0.0.1 ads1.sptimes.com
127.0.0.1 adserver.bizland-inc.net
127.0.0.1 ads.adtegrity.net
127.0.0.1 media13.fastclick.net
127.0.0.1 adserver.ukplus.co.uk
127.0.0.1 ads.live365.com
127.0.0.1 ads.fredericksburg.com
127.0.0.1 banners.affiliatefuel.com
127.0.0.1 ar.atwola.com
127.0.0.1 ads.bigcitytools.com
127.0.0.1 netshelter.adtrix.com
127.0.0.1 y.ibsys.com
127.0.0.1 adserver.nydailynews.com
127.0.0.1 s0b.bluestreak.com
127.0.0.1 images.scripps.com
127.0.0.1 images.cybereps.com
127.0.0.1 altfarm.mediaplex.com
127.0.0.1 krd.realcities.com
127.0.0.1 www3.bannerspace.com
127.0.0.1 view.atdmt.com
127.0.0.1 ads7.advance.net
127.0.0.1 ad.abcnews.com
127.0.0.1 ads.newsquest.co.uk
127.0.0.1 secure.webconnect.net
127.0.0.1 ads.nandomedia.com
127.0.0.1 banners.babylon-x.com
127.0.0.1 media17.fastclick.net
127.0.0.1 techreview-images.adbureau.net
127.0.0.1 ads.exhedra.com
127.0.0.1 ad.trafficmp.com
127.0.0.1 realmedia-a800.d4p.net
127.0.0.1 banner.northsky.com
127.0.0.1 ftp.nacorp.com
127.0.0.1 www.digitalbettingcasinos.com
127.0.0.1 c1.zedo.com
127.0.0.1 ads4.condenet.com
127.0.0.1 www.brilliantdigital.com
127.0.0.1 desktop.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
127.0.0.1 www.b3d.com
127.0.0.1 neighborhood.standard.net
127.0.0.1 ads.telegraph.co.uk
127.0.0.1 spinbox.techtracker.com
127.0.0.1 toads.osdn.com
127.0.0.1 ads.themes.org
127.0.0.1 adserver.trb.com
127.0.0.1 media.fastclick.net
127.0.0.1 banner.easyspace.com
127.0.0.1 www.banner2u.com
127.0.0.1 ads.thestar.com
127.0.0.1 ads.digitalmedianet.com
127.0.0.1 www.fineclicks.com
127.0.0.1 ads.mdchoice.com
127.0.0.1 ad.horvitznewspapers.net
127.0.0.1 adtegrity.thruport.com
127.0.0.1 a.mktw.net
127.0.0.1 ads.pennyweb.com
127.0.0.1 www3.ad.tomshardware.com
127.0.0.1 www4.ad.tomshardware.com
127.0.0.1 www6.ad.tomshardware.com
127.0.0.1 www8.ad.tomshardware.com
127.0.0.1 www15.ad.tomshardware.com
127.0.0.1 ads.forbes.com
127.0.0.1 ads.desmoinesregister.com
127.0.0.1 adserver.tribuneinteractive.com
127.0.0.1 bannerads.anytimenews.com
127.0.0.1 ads1.condenet.com
127.0.0.1 adserver.anm.co.uk
127.0.0.1 zrap.zdnet.com.com
127.0.0.1 bidclix.net
127.0.0.1 media.popuptraffic.com
127.0.0.1 coreg.flashtrack.net
127.0.0.1 rmads.msn.com
127.0.0.1 ads.icq.com
127.0.0.1 cb.icq.com
127.0.0.1 cf.icq.com
127.0.0.1 www2.newtopsites.com
127.0.0.1 adserv.internetfuel.com
127.0.0.1 images.fastclick.net
127.0.0.1 adserver.securityfocus.com
127.0.0.1 www.avsads.com
127.0.0.1 banners.moviegoods.com
127.0.0.1 ads.bitsonthewire.com
127.0.0.1 ads.iambic.com
127.0.0.1 sfads.osdn.com
127.0.0.1 fl01.ct2.comclick.com
127.0.0.1 adserver.phillyburbs.com
127.0.0.1 marketing.nyi.net
127.0.0.1 www.netflip.com
127.0.0.1 image.imgfarm.com
127.0.0.1 ads.viaarena.com
127.0.0.1 phpads2.cnpapers.com
127.0.0.1 ads.astalavista.us
127.0.0.1 banner.coza.com
127.0.0.1 adcreative.tribuneinteractive.com
127.0.0.1 ads.democratandchronicle.com
127.0.0.1 adlog.com.com
127.0.0.1 adimg.com.com
127.0.0.1 adimage.bankrate.com
127.0.0.1 ads.mediadevil.com
127.0.0.1 imageserv.adtech.de
127.0.0.1 ad.se.doubleclick.net
127.0.0.1 ads.cashsurfers.com
127.0.0.1 ads.specificpop.com
127.0.0.1 z1.adserver.com
127.0.0.1 images.bizrate.com
127.0.0.1 q.pni.com
127.0.0.1 ad01.mediacorpsingapore.com
127.0.0.1 adimage.asia1.com.sg
127.0.0.1 images.newsx.cc
127.0.0.1 www.adireland.com
127.0.0.1 ads.iafrica.com
127.0.0.1 ads.nyi.net
127.0.0.1 geoads.osdn.com
127.0.0.1 www.crisscross.com
127.0.0.1 netcomm.spinbox.net
127.0.0.1 ads.videoaxs.com
127.0.0.1 mediamgr.ugo.com
127.0.0.1 adserver.pollstar.com
127.0.0.1 information.gopher.com
127.0.0.1 ads.adviva.net
127.0.0.1 adsrv.bankrate.com
127.0.0.1 a207.p.f.qz3.net
127.0.0.1 ehg-bestbuy.hitbox.com
127.0.0.1 ehg-intel.hitbox.com
127.0.0.1 ehg-espn.hitbox.com
127.0.0.1 ehg-macromedia.hitbox.com
127.0.0.1 ehg-dig.hitbox.com
127.0.0.1 speed.pointroll.com
127.0.0.1 amch.questionmarket.com
127.0.0.1 ads.gamespy.com
127.0.0.1 spd.atdmt.com
127.0.0.1 ads.columbian.com
127.0.0.1 clickit.go2net.com
127.0.0.1 vpdc.ru4.com
127.0.0.1 ads.developershed.com
127.0.0.1 ads.globeandmail.com
127.0.0.1 ads.nerve.com
127.0.0.1 iv.doubleclick.net
127.0.0.1 ads2.condenet.com
127.0.0.1 www.burstnet.com
127.0.0.1 ads5.canoe.ca
127.0.0.1 askmen.thruport.com
127.0.0.1 adsrv2.gainesvillesun.com
127.0.0.1 ads.theolympian.com
127.0.0.1 ads.courierpostonline.com
127.0.0.1 i.timeinc.net
127.0.0.1 oasads.whitepages.com
127.0.0.1 rad.msn.com
127.0.0.1 serve.thisbanner.com
127.0.0.1 images.trafficmp.com
127.0.0.1 www.kaplanindex.com
127.0.0.1 kaplanindex.com
127.0.0.1 1.httpdads.com
127.0.0.1 spinbox.maccentral.com
127.0.0.1 akaads-abc.starwave.com
127.0.0.1 webad.ajeeb.com
127.0.0.1 ads.granadamedia.com
127.0.0.1 oas.uniontrib.com
127.0.0.1 ads.wnd.com
127.0.0.1 a3.suntimes.com
127.0.0.1 tmsads.tribune.com
127.0.0.1 ads.peel.com
127.0.0.1 ads.mh5.com
127.0.0.1 ad.usatoday.com
127.0.0.1 adserver.digitalpartners.com
127.0.0.1 ads.mediaturf.net
127.0.0.1 ads4.clearchannel.com
127.0.0.1 ads.clearchannel.com
127.0.0.1 ads2.clearchannel.com
127.0.0.1 ads.jacksonsun.com
127.0.0.1 servads.aip.org
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 adng.ascii24.com
127.0.0.1 engage.speedera.net
127.0.0.1 ads.msn-ppe.com
127.0.0.1 ad.openfind.com.tw
127.0.0.1 adi.mainichi.co.jp
127.0.0.1 ads.northjersey.com
127.0.0.1 ad.moscowtimes.ru
127.0.0.1
127.0.0.1 ad1.aaddzz.com
127.0.0.1 ds.eyeblaster.com
127.0.0.1 adserver.digitalpartners.com
127.0.0.1 oas.uniontrib.com
127.0.0.1 ads.statesmanjournal.com
127.0.0.1 ads.centralohio.com
Post by: Guest on January 24, 2005, 01:32:28 AM
I'm truly sorry that I did make a mistake on your direction of your advices on your first reply. I've corrected and I'm in the proces of running the TDS-3 now. Please wait for my scan completed and will inform you my scan log file form.
Thanks again and sorry for the confusing.
Post by: guestolo on January 24, 2005, 01:44:13 AM
It is blocking sites ads by adding the
127.0.0.1 before each domain
But something definitely went wrong with the installation of TDS-3
Let's try some fixes in your log
Uninstall SpywareDoctor and restart your computer after it's removed
Back in Windows
Download and Install this small program
to help clean your temp folders,cookies, prefetch folder, etc...
Windows Cleanup (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install it for now but >>Don't run a scan yet
A great little utility to assist in cleaning those temp folders, hold onto this
Download and UNZIP to a folder Hoster by Toadbee (http://\"http://members.aol.com/toadbee/hoster.zip\")
We'll need this later
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
Print the rest of this out or save to a Notepad file on your desktop
I need you to close down all browser windows
Also know how to start in safe mode----Link explains below if you need it
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\") <--If that's not your preferred start page, fix it
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab\")
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
Find and delete these files or folders if they exist
C:\WINDOWS\System32\adczciim.dll <--file
C:\WINDOWS\System32\suuvn.dll <--file
C:\WINDOWS\SysCheckBop32 <--file
C:\WINDOWS\ms059994820905.exe <--file
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe <--file
sorwks.exe
sndtsrv.exe <--files, do a search for them
C:/Program Files/VBouncer <--folder
C:\Program Files\Spyware Doctor <--folder
Stay in safe mode and open up HOSTER
Click the "Restore Original Hosts"
Open up Windows CleanUp..probably accessed from START>>ALL Programs>>Cleanup
Click the CleanUp button
Let it finish scanning for files, when it's done, it will prompt you too log off
Don't, Restart back to Normal mode
Back in Normal mode
Can you try that link to TDS-3 again
When installing it should let you know it's Setup for Diamond CS TDS-3
Don't install it if it's not TDS-3
Restart after it is installed and then update it with the second link I supplied earlier
Remember to right click on the second link and save it to
C:\Program Files\TDS-3 folder
Run the Full system scan
Post the scandump.txt from the instructions I supplied earlier
Fix all Postive Identified items
Restart your computer
Post back a fresh Hijackthis log afterwards
Do whatever you can and then post back a new log
Also post the scandump.txt
Post by: guestolo on January 24, 2005, 01:46:02 AM
Remember you have to update TDS-3 properly or it won't be right up to date
I would download Hoster too, we can get you a custom host file later
When your done with the above instructions
and you have posted back a fresh Hijackthis log and scandump.txt
Could you also do this for me
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as FindFile.bat
Save it on the Desktop
Quote
dir C:\WINDOWS\System32\w?aclt.exe /a h > files.txt
notepad files.txt
Double click on FindFile.bat
Notepad will open, can you copy and paste the whole contents of the files.txt back here
Post by: Guest on January 24, 2005, 02:22:02 AM
Thanks you so much for your efforts to help me killing the viruses. Your help is again greatly appreciated.
Here are my log files from TDS-3 scan dump and Hijack fresh log file sepparated by '=========================='
TDS-3 scan dump:
Scan Control Dumped @ 22:01:10 23-01-05
RegVal Trace: Worm.3DStars: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [SystemCheck=C:\WINDOWS\SysCheckBop32]
Positive identification: Adware.BetterInternet
File: c:\documents and settings\hy pham\local settings\temp\drtemp\mm_reco.exe
Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\o7wfs56d\d_15_0[1]
Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\o7wfs56d\d_17_0[1]
Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\qfybopwx\s5[1]
Positive identification: RAT.Agent.ay
File: c:\program files\common files\tlspuslo\ptrlndqm\oqambddt.exe
Positive identification: RAT.Agent.ay
File: c:\program files\common files\tlspuslo\tsdllupucc\bfaobcbao.exe
Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
File: c:\windows\system32\adczciim.dll
Positive identification <Adv>: Possible WebDownloader
File: c:\windows\system32\cp18.exe
Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
File: c:\windows\system32\xacqzncf.dll
==============================================
Here is my fresh Hijack scan log file:
Logfile of HijackThis v1.99.0
Scan saved at 10:06:38 PM, on 1/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
============================================
Also why does my hijack file continue showing the executeable file such as C:\WINDOWS\ms059994820905.exe
This file always runs in the background process. I noticed it when I hit CTRL-ALT-DEL . I would appreciate if you can explain to me if this is a virus or anything.
Thanks again.
Post by: guestolo on January 24, 2005, 02:25:36 AM
Can you try the fixes I posted above and then post back a fresh hijackthis log
Also the files.txt from the Findfile.bat
Well we're at it
Could you Download and save to desktop
VX2 Finder.exe (http://\"http://downloads.subratam.org/VX2Finder(126).exe\")
Open up VX2 Finder and click the "Click to Find VX2.BetterInternet"
Let it finish scanning, it won't take long
Then make a log and post it back here too, thanks
Thanks
I may not see your new hijackthis log until tomorrow, but we should be able to get you totally clean then
But ensure you look over this whole thread and try and do all the fixes I asked
Post back the required logs afterwards, thanks
Also, we'll get some free tools on your computer to prevent this from happening again
Post by: Guest on January 25, 2005, 01:17:11 AM
Here is my Hijackthis log scan file:
Logfile of HijackThis v1.99.0
Scan saved at 12:09:31 AM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
==========================
By the way, you suggested me yesterday that I should delete the executable file "w?aclt.exe" in C:\WINDOWS\System32. I looked that up in the directory and found that the file name is "wuaclt.exe". The "?" mark replace the letter "u". I wonder if you realy meant to delete this file? I also look it up on Internet for further information and I found that this file is indeed from Microsoft XP for autoupdate programs. Please let me know should I delete the file or not? I also notice this file was written on to the directory the same day that I got virus.
Post by: guestolo on January 25, 2005, 01:53:12 AM
One last time-----Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Restart your computer
Quote
By the way, you suggested me yesterday that I should delete the executable file "w?aclt.exe" in C:\WINDOWS\System32. I looked that up in the directory and found that the file name is "wuaclt.exe". The "?" mark replace the letter "u". I wonder if you realy meant to delete this file? I also look it up on Internet for further information and I found that this file is indeed from Microsoft XP for autoupdate programs. Please let me know should I delete the file or not? I also notice this file was written on to the directory the same day that I got virus.Hold up,
Here's what I asked you to do
I asked you to kill this process in Hijackthis process manager
C:\WINDOWS\System32\w?aclt.exe
Then I asked you to do this
"Could you also do this for me
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as FindFile.bat
Save it on the Desktop"
Quote
dir C:\WINDOWS\System32\w?aclt.exe /a h > files.txt
notepad files.txt
Double click on FindFile.bat
Notepad will open, can you copy and paste the whole contents of the files.txt back here
Could you still do that for me
I made no mention of deleting wuauclt.exe
I know there is a legit file, I want to find out if there is also a bad file with a similiar name
I also asked you to do this, "I want to ensure you have no VX2.betterinternet infection
Could you Download and save to desktop
VX2 Finder.exe (http://\"http://downloads.subratam.org/VX2Finder(126).exe\")
Open up VX2 Finder and click the "Click to Find VX2.BetterInternet"
Let it finish scanning, it won't take long
Then make a log and post it back here too, thanks"
Could you please post the info I asked for and include a fresh Hijackthis log, thanks
Post by: Guest on January 25, 2005, 02:31:54 AM
Again thanks for your helps and the efforts that you or maybe people in your group that constantly helping me to resolve the viurses on my computer.
First of all, I'm sorry that I deleted the file "w?aclt.exe" file before I read your last reply to me. However, I later follow your instruction to create the bat file to capture the content of the "w?aclt.exe" but I already deleted before then. Therefore, the result is file not found. It's my fault I know it is sad excuse.
Secondly, here is the log file as the result of VX2finder scan:
=================
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
===========================
Thanks to you and your group.
Post by: guestolo on January 25, 2005, 02:33:37 AM
It sounds like you got rid of a nasty file anyways
/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />VX2 finder came up clean
You can manually delete it
Post by: Guest on January 25, 2005, 02:45:11 AM
What do you mean by I can manualy delete it? Would you please elaborate it? What file should I manualy delete it?
I also followed your earlier instructions by check the entry "O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)" and let Hijack fix it. However, Hijack couldn't be able to clean/fix it. The same entry showed up again on the next scan.
Please help me out. Here is the Hijack scan:
==================================
Logfile of HijackThis v1.99.0
Scan saved at 10:14:52 PM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=================================
Thanks
Post by: guestolo on January 25, 2005, 03:03:35 AM
I see this still in your log
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
Nothing major, but a leftover we should get rid of
Spyweeper's protection may be getting in the way
Can you do me a favor
I'll try and do this with the least amount of restarts
Open SPYBOT
Click on Mode at the top
Click the Advanced mode>>>YES to the prompt
Open TOOLS
SYSTEM STARTUP
Uncheck this from running on startup
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
We're just temporarily disabling it from running on startup
When that's done
If everything is running better
you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows ensure you Enable system Restore
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Your way behind on Windows updates>>>>>IF you have a legitimate version
of Windows installed there's no reason to be so far behind
Could you for now
Install Service Pack 1a, you can install SP2 at a later time if you would like
This provides security updates for your machine
Once Installed you will be prompted to restart your computer. Reboot and Go back to Windows updates and check for and install Latest Critical updates
As I mentioned, don't install Service Pack 2 or Recommended updates
If you decide to install SP2 in the near future (Which is very much recommended)
We should takes some steps to ensure your computer is prepared
Heres a link to Service Pack 1a
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx (http://\"http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx\")
After you have SP1a installed and you have restarted and checked again at Windows updates for criticals
Go back and enable Spysweepers protection
For additional protection
against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!
Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Both don't run in the background, consider them silent Spyware Blockers
You may choose not to install IE-Spyad>>I see you use Firefox
But IE is so Integrated into Windows you may still choose to use it
Post back another log and let me know how everything is running?
Post by: Guest on January 25, 2005, 04:11:43 AM
Thanks again for looking into this.
I've followed your instructions and did some steps (not all steps). I proceeded to the steps and stopped just at before proceed to Windows updates since I don't have a legitimate version of Windows installed.
I followed your instructions but couldn't deleted the entry "O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)".
Here is my fresh Hijackthis log file:
=======================
Logfile of HijackThis v1.99.0
Scan saved at 11:55:29 PM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
===========================
Thanks again!
Post by: guestolo on January 25, 2005, 11:11:38 PM
Quote
since I don't have a legitimate version of Windows installed
Make sure that if you don't have a third party firewall installed
You at minimum enable XP's firewall
Ensure that you installed SpywareBlaster and IE-Spyad
Scan everything that you download with your Anti-Virus
Make sure your AV is always kept up to date
I would also install SpywareGuard for Real time protections against Spyware
http://www.javacoolsoftware.com/spywareguard.html (http://\"http://www.javacoolsoftware.com/spywareguard.html\")
DON'T install this yet, as it can deter from removing that leftover BHO
Can you do me a favor
Could you please go to this link
http://www.billsway.com/vbspage/ (http://\"http://www.billsway.com/vbspage/\") and scroll down to
Registry Search Tool
Download,UNZIP and run "RegSrch.vbs" >>Allow this to run, even if prompted from your AV
Copy and paste this in the dialog box:
{49370EE5-C91C-33ED-07BE-B72A45CA6F68}
Hit OK
After a while a prompt will come up.(About 10 seconds) Click OK to write the results to wordpad or notepad and post them
Post by: homepham on January 26, 2005, 02:39:23 AM
I followed your instructions and ran Registy Search Tool twice but it couldn't find the instance of string {49370EE5-C91C-33ED-07BE-B72A45CA6F68}
Last night, I used Windows search tool searching for this string in C: drive. The tool ran for whole night. I stopped it in the morning.
It's strange!
Please advise! Thanks again for your helps.
Post by: guestolo on January 26, 2005, 06:40:14 PM
There is no file related to the BHO, so it's just a left over Registry string
Not doing no harm, just wonder why we can't remove it
If you get any warning from any Security related program that something is making a change, allow the change
Post by: Guest on January 27, 2005, 01:00:31 AM
Thanks again for helping me cleaning up these viruses.
The log file starts from here:
==========================
Logfile of HijackThis v1.99.0
Scan saved at 8:42:34 PM, on 1/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=====================
The log file ends here:
Thank you.
Post by: guestolo on January 27, 2005, 07:29:59 PM
Since we couldn't find it with RegSrch or your own search I'm convinced that SpySweeper is still getting in the way
I don't have SpySweeper, there must be an option to Disable it's Real time protection
Restart your computer >> Ensure Spysweeper isn't running, you can check with another scan with Hijackthis
Fix this entry with Hijackthis
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
Restart your computer
And then enable Spysweeper again
Let me know how that works for you
But everything else looks good
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: homepham on January 28, 2005, 03:01:39 AM
Thanks again for helping me dealing with viruses!
I followed your instructions exactly. However, I found that there is no chance. Here is the fresh log file.
=============================
Logfile of HijackThis v1.99.0
Scan saved at 10:45:35 PM, on 1/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ (http://\"http://www.m-w.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=============================
Thank you.
Post by: guestolo on January 28, 2005, 03:03:35 AM
/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' /> If I can figure out something I'll post back
But before I leave for the night
Can you open Spybot>>>Mode>>advanced mode>>>
Tools>>BHO's
Is it listed there?
If it is can you find any info on it?
Post by: Guest on January 28, 2005, 03:27:33 AM
Please do not pull your hair! There is no such thing perfect in this world.
I'm happy with my computer now in regarding to virues free.
You have helped me so much dealing with the viruses on my computer. Without your help I would have to reformat the drive already. I almost would do so. However, I would like to learn something new from you so that I can communicate with you better in the future if my computer gets hit by virus again.
There are a few thing that you advised me by down loading free virus protection. I haven't done that. I'll do that in the next couple days.
From now on, I'll sometimes visit this web site just to admire you for all of your replies to others to feel that there are someone with good heart out there.
Your help is greatly appreciated! Thanks for your time and efforts. I respect your experty! and ofcourse, you are a good guy!
Best Regards,
Homepham
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: Guest on January 28, 2005, 03:47:48 AM
You're right on!
========================================
Can you open Spybot>>>Mode>>advanced mode>>>
Tools>>BHO's
Is it listed there?
========================================
Yes, I found the entry in there. Please instruct me what should I do with it.
================================
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html (http://\"http://www.adobe.com/products/acrobat/readstep2.html\")
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 11/3/2003 1:17:44 PM
Date (last access): 1/27/2005 11:08:20 PM
Date (last write): 11/3/2003 1:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 0.6.0.0
{49370EE5-C91C-33ED-07BE-B72A45CA6F68} ()
BHO name:
CLSID name:
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/ (http://\"http://spybot.eon.net.au/\")
info source: Patrick M. Kolla
Path: C:\PROGRA~1\ANTI-V~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/12/2004 12:03:00 AM
Date (last access): 1/27/2005 11:08:50 PM
Date (last write): 5/12/2004 12:03:00 AM
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3
{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
BHO name:
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/ (http://\"http://www.symantec.com/nav/nav_9xnt/\")
info source: TonyKlein
Path: C:\Program Files\anti-virus\Norton AntiVirus\
Long name: NAVSHEXT.DLL
Short name:
Date (created): 7/4/2004 4:47:16 PM
Date (last access): 1/27/2005 11:08:20 PM
Date (last write): 11/14/2002 11:09:06 PM
Filesize: 112248
Attributes: archive
MD5: 988409CE6ED638AAFDBECFB6EC863F4F
CRC32: 04DD2C8F
Version: 0.9.0.5
{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
BHO name:
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/ (http://\"http://www.symantec.com/nav/nav_9xnt/\")
info source: TonyKlein
Path: C:\Program Files\anti-virus\Norton AntiVirus\
Long name: NAVSHEXT.DLL
Short name:
Date (created): 7/4/2004 4:47:16 PM
Date (last access): 1/27/2005 11:08:20 PM
Date (last write): 11/14/2002 11:09:06 PM
Filesize: 112248
Attributes: archive
MD5: 988409CE6ED638AAFDBECFB6EC863F4F
CRC32: 04DD2C8F
Version: 0.9.0.5
{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
BHO name:
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/ (http://\"http://www.symantec.com/nav/nav_9xnt/\")
info source: TonyKlein
Path: C:\Program Files\anti-virus\Norton AntiVirus\
Long name: NAVSHEXT.DLL
Short name:
Date (created): 7/4/2004 4:47:16 PM
Date (last access): 1/27/2005 11:08:20 PM
Date (last write): 11/14/2002 11:09:06 PM
Filesize: 112248
Attributes: archive
MD5: 988409CE6ED638AAFDBECFB6EC863F4F
CRC32: 04DD2C8F
Version: 0.9.0.5
========================================
Thanks
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: guestolo on January 28, 2005, 02:14:52 PM
{49370EE5-C91C-33ED-07BE-B72A45CA6F68} ()
BHO name:
CLSID name:
and then use the Remove button to remove it?
You may still have to have SpySweepers protection disabled
Restart your computer
If you do another scan with hijackthis is it gone?
By the way, the two programs I recommended installing
SpywareBlaster and IE-Spyad>>both free
They're not really Virus protection
Consider them both Silent Spyware Blockers
They don't run in the background
Both put entries in your Registry>>>They're both worth using
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> SpywareGuard is the only one that uses minimal resources
If you install it --- Check for updates>>>It doesn't and won't update that much but check for updates once a month anyways