Author Topic: Need Help on My Hijack Virus Log File  (Read 3598 times)

homepham

  • Guest
Need Help on My Hijack Virus Log File
« on: January 23, 2005, 03:15:58 AM »
Hi

I indeed need help from experts to show me what I should select on my Hijack scan log file. Your help is greatly appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 10:27:14 PM, on 1/22/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Hy Pham\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Need Help on My Hijack Virus Log File
« Reply #1 on: January 23, 2005, 06:40:58 AM »
Let's work together to get your log clean :)

Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
This is good for 30 days
Install it and Restart your computer when prompted
Don't run a scan yet

When you're back in Windows it's important to update the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to freeze at times
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save this to a convenient location

After saving the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

If anything found could you post the Scandump.txt

Also post a fresh Hijackthis log, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #2 on: January 23, 2005, 11:10:45 PM »
Hi Guestolo,
Thank you for reading my post and for your reply.

I haven't started the process that you mentioned in your reply yet. I wonder if you can tell me whether there is any virus or any strange, suspicious thing in my log file that I posted above.

If you noticed something strange in my Hijack log file, would it be simple to fix it by selecting it and deleting it?

I wonder why I have to do such a complicated thing as you suggested above. Please advise me.

Thanks a lot for your help.

Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #3 on: January 23, 2005, 11:17:47 PM »
It's not really that complicated at all

You just have some entries that are unknown, we can fix them with Hijackthis
But to ensure that there is nothing else we miss, it would probably be best to Install
TDS-3

I installed it myself>>The trial version to see what it's like

It's easy to install>>Download from the first link I gave you
Install it and Restart the computer

Come back here and RIGHT CLICK on the second link and select Save target as
Save it to the C:\Program Files\TDS-3 folder

Allowing it to overwrite the older radius database
After that is installed run the Full system scan from the instructions above



Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #4 on: January 23, 2005, 11:33:51 PM »
When you're done with the scan from TDS-3

and you save the scandump.txt file could you please Restart your computer again

Also, I just noticed this in your log
C:\Documents and Settings\Hy Pham\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

I need you to save Hijackthis to a permanent folder
I'll supply a download link for you to redownload it

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important

Remember to post the Scandump.txt file too, thanks
« Last Edit: January 23, 2005, 11:34:30 PM by guestolo »



Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #5 on: January 24, 2005, 12:39:31 AM »
Hi Guestolo,

Thanks for your advice. I've moved my Hijackthis to a permanent folder under C:/Program/Hijackthis. And here is a new log file generated after I ran Hijack. I've also tried your earlier advice by downloading the programs, following the links you provided.

The first link turned out to be the Spyware Doctor program. I downloaded it anyway. After I scanned my computer, it won't allow me to fix the problem since it asks me to register and buy the software. I'll also list the result of that scan here too.

The second link is TDS-3 which I loaded under C:/Programs/

Here are the scans of both programs, separated by a string of "============================="

The log file of Hijack scan is :
Logfile of HijackThis v1.99.0
Scan saved at 8:25:30 PM, on 1/23/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=================================================
the log file of Spy Doctor is:
Scan Results:
scan start:    1/23/2005 8:05:55 PM
scan stop:    1/23/2005 8:06:28 PM
scanned items:    14589
found items:    0
found and ignored:    0
tools used:    General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
         
   Infection Name    Location    Risk
         
Scan Results:
scan start:    1/23/2005 8:09:58 PM
scan stop:    1/23/2005 8:11:11 PM
scanned items:    46332
found items:    4
found and ignored:    0
tools used:    General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
         
   Infection Name    Location    Risk
   Trojan drsnsrch    HKLM\Software\Vendor\xml    High
   Virtual Bouncer    HKLM\SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:/Program Files/VBouncer/INSTALL.LOG    Medium
   Twain-tech    C:\Documents and Settings\Hy Pham\Desktop\..\Local Settings\temp\dummy.htm    Elevated
   DelfinProject    C:\keys.ini    Elevated

Thanks again and please advise.
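
Added example (not part of the thread, and not code from HijackThis or its authors): a Python script for the two checks a helper makes on logs like the ones above, namely spotting HijackThis running from a temporary folder, as pointed out in Reply #4, and listing which entries changed between two scans. The function names are hypothetical, and the sample logs are shortened excerpts of the two logs posted in this thread.

```python
import re

# An entry line starts with a section code such as R0, O2, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Shortened excerpts of the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:27:14 PM, on 1/22/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Hy Pham\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Scan saved at 8:25:30 PM, on 1/23/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
"""


def parse_log(text):
    """Split a log into running-process paths and (code, detail) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            # The first entry line also ends the process list if no blank line did.
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif not line:
            in_processes = False
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def tool_in_temp(processes, exe="hijackthis.exe"):
    """Return process paths where the scanner itself runs from a temporary folder."""
    hits = []
    for path in processes:
        parts = [p.lower() for p in path.split("\\")]
        if parts[-1] != exe:
            continue
        # "Temporary Directory N for x.zip" is where a zip tool unpacked the file.
        if any(p in ("temp", "tmp") or p.startswith("temporary directory")
               for p in parts[:-1]):
            hits.append(path)
    return hits


def diff_entries(before, after):
    """Entries that appeared or disappeared between two scans, in log order."""
    old, new = set(before["entries"]), set(after["entries"])
    added = [e for e in after["entries"] if e not in old]
    removed = [e for e in before["entries"] if e not in new]
    return added, removed


def missing_file_entries(log):
    """Entries HijackThis itself marked as pointing at a file that is gone."""
    return [e for e in log["entries"] if e[1].endswith("(file missing)")]


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for path in tool_in_temp(before["processes"]):
        print("scanner run from a temporary folder:", path)
    added, removed = diff_entries(before, after)
    for code, detail in added:
        print("+", code, "-", detail)
    for code, detail in removed:
        print("-", code, "-", detail)
    for code, detail in missing_file_entries(after):
        print("file missing:", code, "-", detail)
```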

Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #6 on: January 24, 2005, 12:58:59 AM »
I have no idea what's going on at your end

The first link I posted for you was to the TDS-3 Anti-trojan software
The second link I posted was the radius database update files for TDS-3

That's very interesting
Are you sure you tried that link I posted above?

I had no intention of getting you to install Spyware Doctor
Go ahead and uninstall it......
I don't use it myself so I don't recommend it

Sorry for the mishap
That link I posted is the installer for tds-3
I'm sure of that, something may have a hold of your host file

The second link did you no good, because you didn't have TDS-3 installed

The first link--If saved to the desktop should have shown as a tds3 Setup Icon

Can you do me a favor please
Open Hijackthis>>Open the Misc tools Section
Open the Hosts file manager
Click the "Open in Notepad"

Copy and paste back here the whole contents of the Hosts notepad file
« Last Edit: January 24, 2005, 01:01:06 AM by guestolo »

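
Added example (not part of the thread): a Python check for the hypothesis raised in Reply #6, that the Hosts file is sending a download link somewhere else. It parses Hosts-file text and reports whether a given name is not listed, blocked (mapped to loopback) or redirected (mapped to any other address). The hostname is taken from the link in Reply #1; the function names are hypothetical, and both sample files, including the 192.0.2.10 redirect line, are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of an ad-blocking Hosts file.
BLOCKLIST_STYLE = """\
# sample hosts file header (comment)
127.0.0.1       localhost
127.0.0.1  www.doubleclick.net
127.0.0.1  ad.doubleclick.net   # trailing comment
127.0.0.1  ads*.focalink.com
"""

# Constructed: the same file with one redirect line added (documentation address).
TAMPERED = BLOCKLIST_STYLE + "192.0.2.10  www.diamondcs.com.au diamondcs.com.au\n"


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in Hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or incomplete line
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first column is not an address
        for name in fields[1:]:                   # one line may carry several names
            yield line_no, address, name.lower().rstrip(".")


def classify(text, hostname):
    """Return (verdict, evidence) for one hostname.

    verdict is "not listed", "blocked" or "redirected"; evidence is a list of
    (line_no, address) pairs. Names are compared literally and without regard
    to case: a '*' in a Hosts entry is not a wildcard. Any non-loopback mapping
    yields "redirected", even if a loopback mapping for the same name also exists.
    """
    wanted = hostname.lower().rstrip(".")
    verdict, evidence = "not listed", []
    for line_no, address, name in parse_hosts(text):
        if name != wanted:
            continue
        evidence.append((line_no, str(address)))
        if address.is_loopback or address.is_unspecified:
            if verdict == "not listed":
                verdict = "blocked"
        else:
            verdict = "redirected"
    return verdict, evidence


def non_loopback_mappings(text):
    """Every mapping that sends a name to a real address: the lines to review first."""
    return [(line_no, str(address), name)
            for line_no, address, name in parse_hosts(text)
            if not (address.is_loopback or address.is_unspecified)]


if __name__ == "__main__":
    for label, text in (("blocklist-style", BLOCKLIST_STYLE), ("tampered", TAMPERED)):
        print(label, classify(text, "www.diamondcs.com.au"), non_loopback_mappings(text))
```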


Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #7 on: January 24, 2005, 01:12:47 AM »
Here it is:

# copyright © 1993-1999 microsoft corp.
#
# this is a sample hosts file used by microsoft tcp/ip for windows.
#
# this file contains the mappings of ip addresses to host names. each
# entry should be kept on an individual line. the ip address should
# be placed in the first column followed by the corresponding host name.
# the ip address and the host name should be separated by at least one
# space.
#
# additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# for example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1  campaigns.f2.com.au
127.0.0.1  adserver.news.com.au
127.0.0.1  servedby.advertising.com
127.0.0.1  java.yahoo.com
127.0.0.1  ad.howstuffworks.com
127.0.0.1  ads.1for1.com
127.0.0.1  images.ads.fairfax.com.au
127.0.0.1  ads.devx.com
127.0.0.1  utils.mediageneral.com
127.0.0.1  banners.friendfinder.com
127.0.0.1  adserver.matchcraft.com
127.0.0.1  www.dnps.com
127.0.0.1  creative.whi.co.nz
127.0.0.1  rmedia.boston.com
127.0.0.1  webaffiliate.covad.com
127.0.0.1  ad.iwin.com
127.0.0.1  www.nailitonline2.com
127.0.0.1  mds.centrport.net
127.0.0.1  oas.dispatch.com
127.0.0.1  adserver.ads360.com
127.0.0.1  banners.adultfriendfinder.com
127.0.0.1  ads.as4x.tmcs.net
127.0.0.1  ads.clickagents.com
127.0.0.1  banners.chek.com
127.0.0.1  zi.r.tv.com
127.0.0.1  ph-ad19.focalink.com
127.0.0.1  ads.greensboro.com
127.0.0.1  ad2.adcept.net
127.0.0.1  ads.colo.kiva.net
127.0.0.1  adsrv.iol.co.za
127.0.0.1  mjxads.internet.com
127.0.0.1  adimage.asiaone.com.sg
127.0.0.1  ads.vnuemedia.com
127.0.0.1  affiliate.doteasy.com
127.0.0.1  m.tribalfusion.com
127.0.0.1  oas.lee.net
127.0.0.1  www.banneroverdrive.com
127.0.0.1  ad3.peel.com
127.0.0.1  ad1.peel.comwww.xbn.ru
127.0.0.1  adserver.snowball.com
127.0.0.1  media15.fastclick.net
127.0.0.1  ads5.advance.net
127.0.0.1  ads3.advance.net
127.0.0.1  ads2.advance.net
127.0.0.1  ads.advance.net
127.0.0.1  usbytecom.orbitcycle.com
127.0.0.1  adbanner.sweepsclub.com
127.0.0.1  oas.villagevoice.com
127.0.0.1  www.ad-flow.com
127.0.0.1  ads.guardian.co.uk
127.0.0.1  ads.hitcents.com
127.0.0.1  media19.fastclick.net
127.0.0.1  a.tribalfusion.com
127.0.0.1  ads.nypost.com
127.0.0.1  ads.premiumnetwork.com
127.0.0.1  ads.ad-flow.com
127.0.0.1  adserver.hispavista.com
127.0.0.1  ads.musiccity.com
127.0.0.1  banners.revenuelink.com
127.0.0.1  ads1.sptimes.com
127.0.0.1  adserver.bizland-inc.net
127.0.0.1  ads.adtegrity.net
127.0.0.1  media13.fastclick.net
127.0.0.1  adserver.ukplus.co.uk
127.0.0.1  ads.live365.com
127.0.0.1  ads.fredericksburg.com
127.0.0.1  banners.affiliatefuel.com
127.0.0.1  ar.atwola.com
127.0.0.1  ads.bigcitytools.com
127.0.0.1  netshelter.adtrix.com
127.0.0.1  y.ibsys.com
127.0.0.1  adserver.nydailynews.com
127.0.0.1  s0b.bluestreak.com
127.0.0.1  images.scripps.com
127.0.0.1  images.cybereps.com
127.0.0.1  altfarm.mediaplex.com
127.0.0.1  krd.realcities.com
127.0.0.1  www3.bannerspace.com
127.0.0.1  view.atdmt.com
127.0.0.1  ads7.advance.net
127.0.0.1  ad.abcnews.com
127.0.0.1  ads.newsquest.co.uk
127.0.0.1  secure.webconnect.net
127.0.0.1  ads.nandomedia.com
127.0.0.1  banners.babylon-x.com
127.0.0.1  media17.fastclick.net
127.0.0.1  techreview-images.adbureau.net
127.0.0.1  ads.exhedra.com
127.0.0.1  ad.trafficmp.com
127.0.0.1  realmedia-a800.d4p.net
127.0.0.1  banner.northsky.com
127.0.0.1  ftp.nacorp.com
127.0.0.1  www.digitalbettingcasinos.com
127.0.0.1  c1.zedo.com
127.0.0.1  ads4.condenet.com
127.0.0.1  www.brilliantdigital.com
127.0.0.1  desktop.kazaa.com
127.0.0.1  shop.kazaa.com
127.0.0.1  www.bonzi.com
127.0.0.1  www.b3d.com
127.0.0.1  neighborhood.standard.net
127.0.0.1  ads.telegraph.co.uk
127.0.0.1  spinbox.techtracker.com
127.0.0.1  toads.osdn.com
127.0.0.1  ads.themes.org
127.0.0.1  adserver.trb.com
127.0.0.1  media.fastclick.net
127.0.0.1  banner.easyspace.com
127.0.0.1  www.banner2u.com
127.0.0.1  ads.thestar.com
127.0.0.1  ads.digitalmedianet.com
127.0.0.1  www.fineclicks.com
127.0.0.1  ads.mdchoice.com
127.0.0.1  ad.horvitznewspapers.net
127.0.0.1  adtegrity.thruport.com
127.0.0.1  a.mktw.net
127.0.0.1  ads.pennyweb.com
127.0.0.1  www3.ad.tomshardware.com
127.0.0.1  www4.ad.tomshardware.com
127.0.0.1  www6.ad.tomshardware.com
127.0.0.1  www8.ad.tomshardware.com
127.0.0.1  www15.ad.tomshardware.com
127.0.0.1  ads.forbes.com
127.0.0.1  ads.desmoinesregister.com
127.0.0.1  adserver.tribuneinteractive.com
127.0.0.1  bannerads.anytimenews.com
127.0.0.1  ads1.condenet.com
127.0.0.1  adserver.anm.co.uk
127.0.0.1  zrap.zdnet.com.com
127.0.0.1  bidclix.net
127.0.0.1  media.popuptraffic.com
127.0.0.1  coreg.flashtrack.net
127.0.0.1  rmads.msn.com
127.0.0.1  ads.icq.com
127.0.0.1  cb.icq.com
127.0.0.1  cf.icq.com
127.0.0.1  www2.newtopsites.com
127.0.0.1  adserv.internetfuel.com
127.0.0.1  images.fastclick.net
127.0.0.1  adserver.securityfocus.com
127.0.0.1  www.avsads.com
127.0.0.1  banners.moviegoods.com
127.0.0.1  ads.bitsonthewire.com
127.0.0.1  ads.iambic.com
127.0.0.1  sfads.osdn.com
127.0.0.1  fl01.ct2.comclick.com
127.0.0.1  adserver.phillyburbs.com
127.0.0.1  marketing.nyi.net
127.0.0.1  www.netflip.com
127.0.0.1  image.imgfarm.com
127.0.0.1  ads.viaarena.com
127.0.0.1  phpads2.cnpapers.com
127.0.0.1  ads.astalavista.us
127.0.0.1  banner.coza.com
127.0.0.1  adcreative.tribuneinteractive.com
127.0.0.1  ads.democratandchronicle.com
127.0.0.1  adlog.com.com
127.0.0.1  adimg.com.com
127.0.0.1  adimage.bankrate.com
127.0.0.1  ads.mediadevil.com
127.0.0.1  imageserv.adtech.de
127.0.0.1  ad.se.doubleclick.net
127.0.0.1  ads.cashsurfers.com
127.0.0.1  ads.specificpop.com
127.0.0.1  z1.adserver.com
127.0.0.1  images.bizrate.com
127.0.0.1  q.pni.com
127.0.0.1  ad01.mediacorpsingapore.com
127.0.0.1  adimage.asia1.com.sg
127.0.0.1  images.newsx.cc
127.0.0.1  www.adireland.com
127.0.0.1  ads.iafrica.com
127.0.0.1  ads.nyi.net
127.0.0.1  geoads.osdn.com
127.0.0.1  www.crisscross.com
127.0.0.1  netcomm.spinbox.net
127.0.0.1  ads.videoaxs.com
127.0.0.1  mediamgr.ugo.com
127.0.0.1  adserver.pollstar.com
127.0.0.1  information.gopher.com
127.0.0.1  ads.adviva.net
127.0.0.1  adsrv.bankrate.com
127.0.0.1  a207.p.f.qz3.net
127.0.0.1  ehg-bestbuy.hitbox.com
127.0.0.1  ehg-intel.hitbox.com
127.0.0.1  ehg-espn.hitbox.com
127.0.0.1  ehg-macromedia.hitbox.com
127.0.0.1  ehg-dig.hitbox.com
127.0.0.1  speed.pointroll.com
127.0.0.1  amch.questionmarket.com
127.0.0.1  ads.gamespy.com
127.0.0.1  spd.atdmt.com
127.0.0.1  ads.columbian.com
127.0.0.1  clickit.go2net.com
127.0.0.1  vpdc.ru4.com
127.0.0.1  ads.developershed.com
127.0.0.1  ads.globeandmail.com
127.0.0.1  ads.nerve.com
127.0.0.1  iv.doubleclick.net
127.0.0.1  ads2.condenet.com
127.0.0.1  www.burstnet.com
127.0.0.1  ads5.canoe.ca
127.0.0.1  askmen.thruport.com
127.0.0.1  adsrv2.gainesvillesun.com
127.0.0.1  ads.theolympian.com
127.0.0.1  ads.courierpostonline.com
127.0.0.1  i.timeinc.net
127.0.0.1  oasads.whitepages.com
127.0.0.1  rad.msn.com
127.0.0.1  serve.thisbanner.com
127.0.0.1  images.trafficmp.com
127.0.0.1  www.kaplanindex.com
127.0.0.1  kaplanindex.com
127.0.0.1  1.httpdads.com
127.0.0.1  spinbox.maccentral.com
127.0.0.1  akaads-abc.starwave.com
127.0.0.1  webad.ajeeb.com
127.0.0.1  ads.granadamedia.com
127.0.0.1  oas.uniontrib.com
127.0.0.1  ads.wnd.com
127.0.0.1  a3.suntimes.com
127.0.0.1  tmsads.tribune.com
127.0.0.1  ads.peel.com
127.0.0.1  ads.mh5.com
127.0.0.1  ad.usatoday.com
127.0.0.1  adserver.digitalpartners.com
127.0.0.1  ads.mediaturf.net
127.0.0.1  ads4.clearchannel.com
127.0.0.1  ads.clearchannel.com
127.0.0.1  ads2.clearchannel.com
127.0.0.1  ads.jacksonsun.com
127.0.0.1  servads.aip.org
127.0.0.1  ad.au.doubleclick.net
127.0.0.1  adng.ascii24.com
127.0.0.1  engage.speedera.net
127.0.0.1  ads.msn-ppe.com
127.0.0.1  ad.openfind.com.tw
127.0.0.1  adi.mainichi.co.jp
127.0.0.1  ads.northjersey.com
127.0.0.1  ad.moscowtimes.ru
127.0.0.1                    
127.0.0.1  ad1.aaddzz.com
127.0.0.1  ds.eyeblaster.com
127.0.0.1  adserver.digitalpartners.com
127.0.0.1  oas.uniontrib.com
127.0.0.1  ads.statesmanjournal.com
127.0.0.1  ads.centralohio.com

Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #8 on: January 24, 2005, 01:32:28 AM »
Hi Guestolo,

I'm truly sorry that I made a mistake in following the directions in your first reply. I've corrected it and I'm in the process of running TDS-3 now. Please wait for my scan to complete and I will send you my scan log file.

Thanks again and sorry for the confusion.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Need Help on My Hijack Virus Log File
« Reply #9 on: January 24, 2005, 01:44:13 AM »
The hosts file looks alright if you added a custom hosts file
It is blocking sites' ads by adding
127.0.0.1 before each domain

But something definitely went wrong with the installation of TDS-3

Let's try some fixes in your log

Uninstall SpywareDoctor and restart your computer after it's removed

Back in Windows

Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup
Install it for now but >>Don't run a scan yet
A great little utility to assist in cleaning those temp folders, hold onto this

Download and UNZIP to a folder Hoster by Toadbee
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe


Print the rest of this out or save to a Notepad file on your desktop
I need you to close down all browser windows
Also know how to start in safe mode----Link explains below if you need it

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/ <--If that's not your preferred start page, fix it
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll

O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe

O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your Computer in SAFE MODE

Find and delete these files or folders if they exist

C:\WINDOWS\System32\adczciim.dll <--file
C:\WINDOWS\System32\suuvn.dll <--file
C:\WINDOWS\SysCheckBop32 <--file
C:\WINDOWS\ms059994820905.exe <--file
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe <--file

sorwks.exe
sndtsrv.exe
<--files, do a search for them

C:/Program Files/VBouncer <--folder
C:\Program Files\Spyware Doctor <--folder

Stay in safe mode and open up HOSTER
Click the "Restore Original Hosts"

Open up Windows CleanUp..probably accessed from START>>ALL Programs>>Cleanup
Click the CleanUp button
Let it finish scanning for files, when it's done, it will prompt you to log off
Don't, Restart back to Normal mode

Back in Normal mode
Can you try that link to TDS-3 again
When installing it should let you know it's Setup for Diamond CS TDS-3
Don't install it if it's not TDS-3
Restart after it is installed and then update it with the second link I supplied earlier
Remember to right click on the second link and save it to
C:\Program Files\TDS-3 folder

Run the Full system scan
Post the scandump.txt from the instructions I supplied earlier
Fix all Positive Identified items
Restart your computer

Post back a fresh Hijackthis log afterwards
Do whatever you can and then post back a new log
Also post the scandump.txt

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Need Help on My Hijack Virus Log File
« Reply #10 on: January 24, 2005, 01:46:02 AM »
Sorry, I was already posting a fix, do what you can from what I've posted above

Remember you have to update TDS-3 properly or it won't be right up to date

I would download Hoster too, we can get you a custom hosts file later

When you're done with the above instructions
and you have posted back a fresh Hijackthis log and scandump.txt

Could you also do this for me
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as FindFile.bat
Save it on the Desktop


Quote
dir C:\WINDOWS\System32\w?aclt.exe /a h > files.txt
notepad files.txt

Double click on FindFile.bat

Notepad will open, can you copy and paste the whole contents of the files.txt back here
« Last Edit: January 24, 2005, 02:01:55 AM by guestolo »



Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #11 on: January 24, 2005, 02:22:02 AM »
Hi Guestolo,

Thank you so much for your efforts to help me kill the viruses. Your help is again greatly appreciated.

Here are my log files from the TDS-3 scan dump and the fresh Hijack log file, separated by '=========================='

TDS-3 scan dump:

Scan Control Dumped @ 22:01:10 23-01-05
RegVal Trace: Worm.3DStars: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [SystemCheck=C:\WINDOWS\SysCheckBop32]

Positive identification: Adware.BetterInternet
  File: c:\documents and settings\hy pham\local settings\temp\drtemp\mm_reco.exe

Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
  File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\o7wfs56d\d_15_0[1]

Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
  File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\o7wfs56d\d_17_0[1]

Positive identification <Adv>: Possible WebDownloader
  File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\qfybopwx\s5[1]

Positive identification: RAT.Agent.ay
  File: c:\program files\common files\tlspuslo\ptrlndqm\oqambddt.exe

Positive identification: RAT.Agent.ay
  File: c:\program files\common files\tlspuslo\tsdllupucc\bfaobcbao.exe

Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
  File: c:\windows\system32\adczciim.dll

Positive identification <Adv>: Possible WebDownloader
  File: c:\windows\system32\cp18.exe

Positive identification (DLL): TrojanClicker.Win32.Agent.d (dll)
  File: c:\windows\system32\xacqzncf.dll

==============================================
Here is my fresh Hijack scan log file:

Logfile of HijackThis v1.99.0
Scan saved at 10:06:38 PM, on 1/23/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms059994820905.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - C:\WINDOWS\System32\adczciim.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D80B3641-DBF9-AF71-D168-FC1D8612409C} - C:\WINDOWS\System32\swosrmee.dll (file missing)
O2 - BHO: SDWin32 Class - {DEEEC9F9-AA86-4ADB-A26A-DBE4FE8EE0B7} - C:\WINDOWS\System32\suuvn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [usFi37Q] sorwks.exe
O4 - HKLM\..\Run: [ms059994820905] C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Mooh] C:\Documents and Settings\Hy Pham\Application Data\swrt.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [fBwsRXc7j] sndtsrv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
============================================
Also why does my hijack file continue showing the executable file such as C:\WINDOWS\ms059994820905.exe
This file always runs as a background process. I noticed it when I hit CTRL-ALT-DEL. I would appreciate it if you could explain to me whether this is a virus or anything.

Thanks again.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Need Help on My Hijack Virus Log File
« Reply #12 on: January 24, 2005, 02:25:36 AM »
I added a couple replies before you posted back the scandump.txt and the Fresh hijackthis log

Can you try the fixes I posted above and then post back a fresh hijackthis log
Also the files.txt from the Findfile.bat

While we're at it
Could you Download and save to desktop
VX2 Finder.exe
Open up VX2 Finder and click the "Click to Find VX2.BetterInternet"
Let it finish scanning, it won't take long
Then make a log and post it back here too, thanks

Thanks
I may not see your new hijackthis log until tomorrow, but we should be able to get you totally clean then
But ensure you look over this whole thread and try and do all the fixes I asked
Post back the required logs afterwards, thanks

Also, we'll get some free tools on your computer to prevent this from happening again
« Last Edit: January 24, 2005, 02:29:48 AM by guestolo »



Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #13 on: January 25, 2005, 01:17:11 AM »
Hi Guestolo,

Here is my Hijackthis log scan file:

Logfile of HijackThis v1.99.0
Scan saved at 12:09:31 AM, on 1/24/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

==========================
By the way, you suggested to me yesterday that I should delete the executable file "w?aclt.exe" in C:\WINDOWS\System32. I looked that up in the directory and found that the file name is "wuaclt.exe". The "?" mark replaces the letter "u". I wonder if you really meant to delete this file? I also looked it up on the Internet for further information and I found that this file is indeed from Microsoft XP for autoupdate programs. Please let me know whether I should delete the file or not. I also noticed this file was written to the directory the same day that I got the virus.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Need Help on My Hijack Virus Log File
« Reply #14 on: January 25, 2005, 01:53:12 AM »
Good job, that log's looking better

One last time-----Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Restart your computer

Quote
By the way, you suggested to me yesterday that I should delete the executable file "w?aclt.exe" in C:\WINDOWS\System32. I looked that up in the directory and found that the file name is "wuaclt.exe". The "?" mark replaces the letter "u". I wonder if you really meant to delete this file? I also looked it up on the Internet for further information and I found that this file is indeed from Microsoft XP for autoupdate programs. Please let me know whether I should delete the file or not. I also noticed this file was written to the directory the same day that I got the virus.
Hold up,
Here's what I asked you to do
I asked you to kill this process in Hijackthis process manager
C:\WINDOWS\System32\w?aclt.exe

Then I asked you to do this
"Could you also do this for me
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as FindFile.bat
Save it on the Desktop"


Quote
dir C:\WINDOWS\System32\w?aclt.exe /a h > files.txt
notepad files.txt

Double click on FindFile.bat

Notepad will open, can you copy and paste the whole contents of the files.txt back here
Could you still do that for me

I made no mention of deleting wuauclt.exe
I know there is a legit file, I want to find out if there is also a bad file with a similar name

I also asked you to do this, "I want to ensure you have no VX2.betterinternet infection
Could you Download and save to desktop
VX2 Finder.exe
Open up VX2 Finder and click the "Click to Find VX2.BetterInternet"
Let it finish scanning, it won't take long
Then make a log and post it back here too, thanks"

Could you please post the info I asked for and include a fresh Hijackthis log, thanks

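The lookalike-name check behind the `dir ... w?aclt.exe` request in the reply above, as an added example (not code from this thread or from HijackThis). It assumes the `?` in the log stands for one character HijackThis could not display; the list of known names and the Cyrillic sample filename are constructed for illustration.

```python
import re
import unicodedata

# Assumption: a short allow-list of Windows XP binaries, most of them visible
# in this thread's logs. A real check would use a fuller list.
KNOWN_SYSTEM_NAMES = {
    "wuauclt.exe", "winlogon.exe", "svchost.exe", "services.exe", "lsass.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}

# Matches a drive-letter path ending in .exe or .dll anywhere in a log line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Constructed sample: a few lines in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\w?aclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\ms059994820905.exe
O4 - HKCU\..\Run: [Lpyuhm] C:\WINDOWS\System32\w?aclt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


def wildcard_distance(shown, real):
    """Levenshtein distance where a '?' in `shown` matches any one character,
    the same way `dir` treats '?' as a single-character wildcard."""
    prev = list(range(len(real) + 1))
    for i, a in enumerate(shown, 1):
        cur = [i]
        for j, b in enumerate(real, 1):
            cost = 0 if (a == b or a == "?") else 1
            cur.append(min(prev[j] + 1,          # drop a character from shown
                           cur[j - 1] + 1,       # add a character to shown
                           prev[j - 1] + cost))  # match or substitute
        prev = cur
    return prev[-1]


def find_lookalikes(log_text, max_distance=2):
    """Return (name_in_log, legit_name_it_resembles, distance) for every file
    name that is close to, but not identical to, a known system binary."""
    hits = {}
    for path in PATH_RE.findall(log_text):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_SYSTEM_NAMES:
            continue  # exact legitimate name (its folder still needs checking)
        best = min(KNOWN_SYSTEM_NAMES,
                   key=lambda known: (wildcard_distance(name, known), known))
        dist = wildcard_distance(name, best)
        if dist <= max_distance:
            hits[name] = (name, best, dist)
    return sorted(hits.values())


def non_ascii_chars(filename):
    """List (position, code point, Unicode name) for each non-ASCII character
    in a file name as read from the file system, where it is not yet a '?'."""
    return [(i, "U+%04X" % ord(c), unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(filename) if ord(c) > 127]


if __name__ == "__main__":
    for shown, real, dist in find_lookalikes(SAMPLE_LOG):
        print("%s resembles %s (distance %d)" % (shown, real, dist))
    # Hypothetical on-disk name: Cyrillic letter in place of the Latin 'u'.
    print(non_ascii_chars("w\u0443aclt.exe"))
```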


Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #15 on: January 25, 2005, 02:31:54 AM »
Hi Guestolo,

Again, thanks for your help and the efforts that you, or maybe people in your group, constantly make to help me resolve the viruses on my computer.

First of all, I'm sorry that I deleted the "w?aclt.exe" file before I read your last reply to me. I later followed your instructions to create the bat file to capture the content of "w?aclt.exe", but I had already deleted it before then. Therefore, the result is file not found. It's my fault, I know it is a sad excuse.

Secondly, here is the log file as the result of VX2finder scan:

=================
Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

===========================

Thanks to you and your group.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
Need Help on My Hijack Virus Log File
« Reply #16 on: January 25, 2005, 02:33:37 AM »
Could I see one last hijackthis log, thanks

It sounds like you got rid of a nasty file anyways ;)
VX2 finder came up clean
You can manually delete it
« Last Edit: January 25, 2005, 02:34:14 AM by guestolo »



Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #17 on: January 25, 2005, 02:45:11 AM »
Hi Guestolo,

What do you mean by I can manually delete it? Would you please elaborate? What file should I manually delete?

I also followed your earlier instructions by checking the entry "O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)" and letting Hijack fix it. However, Hijack wasn't able to clean/fix it. The same entry showed up again on the next scan.

Please help me out. Here is the Hijack scan:

==================================
Logfile of HijackThis v1.99.0
Scan saved at 10:14:52 PM, on 1/24/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=================================

Thanks

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
Need Help on My Hijack Virus Log File
« Reply #18 on: January 25, 2005, 03:03:35 AM »
I meant that you can manually delete VX2 Finder(126)

I see this still in your log
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)

Nothing major, but a leftover we should get rid of

SpySweeper's protection may be getting in the way

Can you do me a favor
I'll try and do this with the least amount of restarts

Open SPYBOT
Click on Mode at the top
Click the Advanced mode>>>YES to the prompt
Open TOOLS
SYSTEM STARTUP

Uncheck this from running on startup
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

We're just temporarily disabling it from running on startup

When that's done

If everything is running better
you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows ensure you Enable system Restore

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

You're way behind on Windows updates>>>>>IF you have a legitimate version of Windows installed there's no reason to be so far behind
Could you for now
Install Service Pack 1a, you can install SP2 at a later time if you would like
This provides security updates for your machine
Once Installed you will be prompted to restart your computer. Reboot and Go back to Windows updates and check for and install Latest Critical updates
As I mentioned, don't install Service Pack 2 or Recommended updates
If you decide to install SP2 in the near future (Which is very much recommended)
We should take some steps to ensure your computer is prepared

Here's a link to Service Pack 1a
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

After you have SP1a installed and you have restarted and checked again at Windows updates for criticals
Go back and enable Spysweepers protection

For additional protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Both don't run in the background, consider them silent Spyware Blockers
You may choose not to install IE-Spyad>>I see you use Firefox
But IE is so Integrated into Windows you may still choose to use it

Post back another log and let me know how everything is running?

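Added example, not part of the original thread or any poster's code: a small Python triage pass over a HijackThis log that covers the two checks discussed above, a System32 process whose name imitates a genuine Windows binary (the "w?aclt.exe" versus wuauclt.exe question) and an O2 BHO entry left behind with "(no file)". The allow-list, the 0.8 similarity threshold and the function names are assumptions made for this illustration; the sample lines are constructed from entries in the logs posted in this thread.

```python
import re
from difflib import SequenceMatcher

# Assumption: a short allow-list of genuine Windows XP System32 binaries.
KNOWN_SYSTEM = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "spoolsv.exe", "smss.exe"}

# Constructed sample built from lines that appear in the logs in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\w?aclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\nvsvc32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
"""

PROC_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\([^\\]+)$", re.I)
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def lookalike_processes(log, threshold=0.8):
    """Return (path, legit_name) pairs for System32 processes whose file name
    is close to, but not identical to, a known system binary."""
    hits = []
    for line in log.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        name = m.group(1).lower()
        if name in KNOWN_SYSTEM:
            continue  # exact match: the genuine name, not an imitation
        for legit in sorted(KNOWN_SYSTEM):
            if SequenceMatcher(None, name, legit).ratio() >= threshold:
                hits.append((line.strip(), legit))
    return hits

def orphaned_bhos(log):
    """Return the CLSIDs of O2 entries whose DLL is reported as '(no file)'."""
    matches = (BHO_RE.match(line.strip()) for line in log.splitlines())
    return [m.group(2) for m in matches if m and m.group(3).strip() == "(no file)"]
```

A name that scores high against the allow-list without matching it exactly is only a lead for a closer look at the file on disk, and an orphaned CLSID is a leftover registry entry rather than a running component.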


Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #19 on: January 25, 2005, 04:11:43 AM »
Hi Guestolo,

Thanks again for looking into this.

I've followed your instructions and did some of the steps (not all of them). I went through the steps and stopped just before proceeding to Windows updates, since I don't have a legitimate version of Windows installed.

I followed your instructions but couldn't delete the entry "O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)".

Here is my fresh Hijackthis log file:
=======================
Logfile of HijackThis v1.99.0
Scan saved at 11:55:29 PM, on 1/24/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
===========================

Thanks again!