[Resolved]Need Help Removing Spylocked And Trojan-smitfraud


  • This topic is locked
12 replies to this topic

#1 mrgroovitude

mrgroovitude

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 14 August 2007 - 09:35 PM

Need help removing malware from my computer. I've got a flashing icon in my task bar, which keeps popping messages up trying to redirect me to a website for spyware removal software. Started out in the self help section. Downloaded Smitfraudfix by (S!Ri) and AVG Anti spyware. Here's a copy of my HJT scan and rapport scan:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:55 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\WINDOWS\Dit.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\system32\Winkb6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\HiJack This\HijackThis.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crosswalk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mid-Iowa PCPartner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: CallWave.lnk = C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120013803375
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_02) -
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{92AA402F-3C3A-4E9F-9335-6AF59B245CC9}: NameServer = 69.66.0.20 69.66.1.20
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

SmitFraudFix v2.212

Scan done at 22:02:15.71, Tue 08/14/2007
Run from C:\Documents and Settings\Douglas\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\WINDOWS\Dit.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\system32\Winkb6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\HiJack This\HijackThis.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 ads.microsoft.com
127.0.0.1 ads.techguy.org

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\xtsyynm.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Douglas


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Douglas\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Douglas\FAVORI~1

C:\DOCUME~1\Douglas\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a4029063-4fe3-422c-ac72-12905c09642a}"="clinker"

[HKEY_CLASSES_ROOT\CLSID\{a4029063-4fe3-422c-ac72-12905c09642a}\InProcServer32]
@="C:\WINDOWS\system32\xtsyynm.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{a4029063-4fe3-422c-ac72-12905c09642a}\InProcServer32]
@="C:\WINDOWS\system32\xtsyynm.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 69.66.0.20
DNS Server Search Order: 69.66.1.20

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92AA402F-3C3A-4E9F-9335-6AF59B245CC9}: NameServer=69.66.0.20 69.66.1.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92AA402F-3C3A-4E9F-9335-6AF59B245CC9}: NameServer=69.66.0.20 69.66.1.20


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thank you for your assistance. :)


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 15 August 2007 - 09:47 AM

Hi! Welcome to the Tom Coyote forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
You too could train to help others- Join the Classroom


#3 mrgroovitude

mrgroovitude

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 15 August 2007 - 02:20 PM

Thank you, Scotty. I appreciate your assistance! :)

Here's a copy of the uninstall list from HJT:

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Acrobat and Reader 6.0.3 Update
Adobe Reader 6.0.1
Avance AC'97 Audio
AVG Anti-Spyware 7.5
CallWave
CDK Players
CleanUp!
ClearType Tuning Control Panel Applet
Easy CD Creator 5 DVD Edition
Google Earth
Gravis Xperience 4.5
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP PrecisionScan LT Software
Informations about your PC
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 2
Jeopardy! 2003
KB9908 Uninstall
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark Supplies Monitor
Lexmark Z23-Z33
LiveReg (Symantec Corporation)
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Shockwave Player
MailWasher 2.0.19 beta
Medal of Honor Allied Assault
Medion Flash XL
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Photo 7.0
Microsoft Plus! for Windows XP
Microsoft PowerPoint Viewer 97
Microsoft Reader
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Mouse Driver
Mozilla Firefox (2.0.0.4)
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
NAIC Classic Plus Member Edition
NAIC Portfolio Record Keeper 4 (101 Day Version)
NAIC Stock Prospector Member Edition
Nero
Norton AntiVirus Corporate Edition
NVIDIA Drivers
NVIDIA Logo Screensaver
PhotoRecall Deluxe
Pop-Up Stopper Professional
Power Cinema
PowerDirector Pro
PowerDVD
QuickTime
QuickVerse 7.0
RealPlayer
Roxio EasyWrite Reader
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Serif DrawPlus 3.0
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiSAGP driver
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Startup Control Panel
Stickies 5.0a
Trivial Pursuit Unhinged
TurboTax Deluxe 2005
TurboTax ItsDeductible 2005
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
USB PC Camera (SN9C103)
Viewpoint Media Player (Remove Only)
We-Blocker
WexTech AnswerWorks
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Yahoo! Messenger
ZoneAlarm

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 15 August 2007 - 03:20 PM

Hi

Run Smitfraudfix
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Download MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You too could train to help others- Join the Classroom
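
A hosts-file audit along the lines of the description above, as an added example that is not part of the original post: it separates loopback entries of the kind a blocking hosts file uses from entries that point a name at some other address, and it accepts both raw hosts lines and HijackThis `O1 - Hosts:` lines. The function names and the sample entries are constructed for illustration.

```python
import ipaddress
import re
from collections import namedtuple

# One record per hostname found in the hosts data.
HostsEntry = namedtuple("HostsEntry", "address hostname kind note")

# HijackThis reports each hosts line as "O1 - Hosts: <address> <name>".
_HJT_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)


def classify_address(address):
    """Return 'loopback' for 127.0.0.0/8, ::1 and 0.0.0.0, else 'redirect'.

    A loopback target means the name simply fails to connect (blocking);
    any other target means the name is being pointed at a different host.
    """
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    return "redirect"


def parse_hosts(lines):
    """Parse hosts-file lines (or HijackThis O1 lines) into HostsEntry records."""
    entries = []
    for raw in lines:
        line = _HJT_PREFIX.sub("", raw.strip())
        # Everything after '#' is a comment; blocking lists often tag entries there.
        body, _, note = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or incomplete line
        address, names = fields[0], fields[1:]
        try:
            kind = classify_address(address)
        except ValueError:
            continue  # first field is not an IP address; skip the line
        # A single hosts line may map several names to one address.
        for name in names:
            entries.append(HostsEntry(address, name.lower(), kind, note.strip()))
    return entries


def redirects(entries):
    """Entries worth a manual look: names mapped to a non-loopback address."""
    return [e for e in entries if e.kind == "redirect"]


# Constructed sample (documentation address ranges and example domains).
SAMPLE = [
    "# constructed sample, not taken from the thread",
    "127.0.0.1 localhost",
    "127.0.0.1 ads.example.com #[IE-SpyAd]",
    "0.0.0.0 tracker.example.org",
    "192.0.2.44 login.example.net www.login.example.net",
    "O1 - Hosts: 198.51.100.7 Portal.Example.com",
    "not-an-ip broken.example.com",
    "",
]

if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE)
    print(f"{len(parsed)} entries, {len(redirects(parsed))} non-loopback")
    for entry in redirects(parsed):
        print(f"review: {entry.hostname} -> {entry.address}")
```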


#5 mrgroovitude

mrgroovitude

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 15 August 2007 - 09:50 PM

Hi,

Ran the smitfraudfix.cmd, option #2, in safe mode. I didn't see anything about the 'wininet.dll' file, so I assume it wasn't infected. Rebooted in normal mode. Downloaded the new hosts file. Here's the results of the cleaning process:

SmitFraudFix v2.212

Scan done at 22:31:54.39, Wed 08/15/2007
Run from C:\Documents and Settings\Douglas\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 ads.betanews.com 127.0.0.1 banner.betfred.com 127.0.0.1 download.baigoo.com #[AdWare.Win32.Baigoo.a][Trackware.Baigoo] 127.0.0.1 big4top.com 127.0.0.1 www.big4top.com #[IFrame.Exploit] 127.0.0.1 ad0.bigmir.net 127.0.0.1 ad1.bigmir.net 127.0.0.1 ad4.bigmir.net 127.0.0.1 ad5.bigmir.net 127.0.0.1 ad6.bigmir.net 127.0.0.1 ad7.bigmir.net 127.0.0.1 adi.bigmir.net 127.0.0.1 c.bigmir.net #[SecuritySpace.WebBug] 127.0.0.1 i.bigmir.net 127.0.0.1 bigtracker.com 127.0.0.1 bighits.net 127.0.0.1 bigticker.bighits.net 127.0.0.1 bounty.bighits.net 127.0.0.1 www.bighits.net 127.0.0.1 counter.bigli.ru 127.0.0.1 banex.bikers-engine.com 127.0.0.1 ad2.billboard.cz 127.0.0.1 adserver.bizhat.com 127.0.0.1 counter.bizland.com 127.0.0.1 dc.bizjournals.com 127.0.0.1 webads.bizservers.com 127.0.0.1 blackhatcrew.ru 127.0.0.1 www.black-hole.co.uk 127.0.0.1 ads2.blastro.com 127.0.0.1 ads3.blastro.com 127.0.0.1 ads4.blastro.com 127.0.0.1 blaze-search.com 127.0.0.1 ads.blick.ch 127.0.0.1 streamstats1.blinkx.com 127.0.0.1 ads.blizzard.com 127.0.0.1 blogadswap.com 127.0.0.1 tracker.blogbeat.net 127.0.0.1 ads.blogdrive.com 127.0.0.1 banners.blogexplosion.com 127.0.0.1 counter.blogexplosion.com 127.0.0.1 blogtextlinks.blogexplosion.com 127.0.0.1 rentblog.blogexplosion.com 127.0.0.1 mapstats.blogflux.com 127.0.0.1 www.blogpatrol.com 127.0.0.1 pcbutts1-therealtruth.blogspot.com 127.0.0.1 t.blogreaderproject.com #[WebBug] 127.0.0.1 ads1.prod.bluetape.com 127.0.0.1 blogmark.bokee.com #[Adware.BocaiToolbar] 127.0.0.1 count.blogscout.de 127.0.0.1 track.blogcounter.de 127.0.0.1 www.blogcounter.de 127.0.0.1 adserver.bluewin.ch 127.0.0.1 ads.boardtracker.com 127.0.0.1 ranks.boardtracker.com 127.0.0.1 adimage.bokee.com 127.0.0.1 ad.bol.bg 127.0.0.1 adv.bol.bg 127.0.0.1 ads.bomis.com 127.0.0.1 banners.bookmaker.com 127.0.0.1 boolom.com #[Win32/Viking.DA] 127.0.0.1 ccc.boolans.com #[Adware.Rugo] 127.0.0.1 err.boom.ru 127.0.0.1 www.borlander.cn #[Adware.Borlan] 127.0.0.1 www.borlander.com.cn 
#[ADSPY/Boran.X.19.C] 127.0.0.1 astalavista.box.sk #[SiteAdvisor.astalavista.box.sk] 127.0.0.1 ads.brainiads.com 127.0.0.1 download.bravesentry.com #[McAfee.BraveSentry] 127.0.0.1 support.bravesentry.com 127.0.0.1 www.bravesentry.com #[NOD32.Win32/Adware.SpySheriff.variant] 127.0.0.1 bans.bride.ru #[IE-SpyAd] 127.0.0.1 cc.bridgetrack.com 127.0.0.1 citi.bridgetrack.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 citi.bridgetrack.com.edgesuite.net 127.0.0.1 rccl.bridgetrack.com #[MVPS.Criteria] 127.0.0.1 banners.broadwayworld.com 127.0.0.1 www.browserplugin.com #[HJTH.EroticAccess][wobz.de] 127.0.0.1 bsdpng.info 127.0.0.1 btbilgisayarkursu.com #[Win32/TrojanDownloader.Small.AWA] 127.0.0.1 www.btbilgisayarkursu.com #[Win32/TrojanDownloader.Small.AWA] 127.0.0.1 www.bulletads.com 127.0.0.1 redemption.bullseye-media.net 127.0.0.1 users.bullseye-media.net 127.0.0.1 www.bullseye-media.net 127.0.0.1 bunnezone.com #[Win32/Jep.Russ] 127.0.0.1 burnsrecyclinginc.com #[Win32/TrojanDropper.Agent.NBX] 127.0.0.1 www.burnsrecyclinginc.com 127.0.0.1 ad1.bustcash.com 127.0.0.1 www.buy404s.com 127.0.0.1 www.buzzclick.com 127.0.0.1 tr.buzzlogic.com 127.0.0.1 byet.org #[zedo.com] 127.0.0.1 byindia.com #[Spamdexing] 127.0.0.1 www.byip.cn #[Google.Warning] 127.0.0.1 multi.byulcom.com #[Win32/TrojanDownloader.Small.BIV] 127.0.0.1 ads.calgarystampede.com 127.0.0.1 canadianhw.ca #[VBS/Envary.A] 127.0.0.1 www.canadianhw.ca 127.0.0.1 images.cashfiesta.com #[AdWare.CashFiesta.a] 127.0.0.1 www.cashfiesta.com #[McAfee.Adware-CashFiesta] 127.0.0.1 www.cashfiesta.net 127.0.0.1 banner.casinoking.com #[AdWare.Win32.Casino.ae] 127.0.0.1 www.cashventure.com 127.0.0.1 ads.casino.com 127.0.0.1 out.catchonlife.com #[lootseek.com] 127.0.0.1 ad.caradisiac.com 127.0.0.1 ads.cars.com 127.0.0.1 blockbuster.com.7.ccg360.com 127.0.0.1 blockbuster.med.ccg360.com 127.0.0.1 www.cd321.com 127.0.0.1 ads.cdfreaks.com #[eTrust.Ads.cdfreaks] 127.0.0.1 ads.cdrinfo.com 127.0.0.1 stats.cdrinfo.com #[WebBug] 127.0.0.1 
www.celebritypicturesarchive.com #[Trojan-Downloader.Win32.IstBar.nn] 127.0.0.1 www.celebrity-pictures-world.com #[Trojan-Downloader.Win32.IstBar.nn] 127.0.0.1 clicktracker.centrum.cz 127.0.0.1 mds.centrport.net #[Ad-Aware.Tracking Cookie] 127.0.0.1 cetrk.com 127.0.0.1 cesp.be #[HTML/TrojanDownloader.Agent.NAB] 127.0.0.1 adserver.cducinema.com 127.0.0.1 counter.cgiworld.net 127.0.0.1 tracker.cgiworld.net 127.0.0.1 abc.checkm8.com 127.0.0.1 rmm1u.checkm8.com 127.0.0.1 web.checkm8.com #[CHECKM8 AD TAGS] 127.0.0.1 web2.checkm8.com 127.0.0.1 ads.checkm8.co.za 127.0.0.1 ads.chellomedia.com 127.0.0.1 ads.china.com 127.0.0.1 www.china3q.com #[Trojan.Startpage.S] 127.0.0.1 ad.chip.de 127.0.0.1 www.chsniper.com #[Downloader.Sniper] 127.0.0.1 ad.cibleclick.com #[eTrust.Cibleclick] 127.0.0.1 www.cibleclick.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 cindyproject.info #[Spamdexing] 127.0.0.1 www.classicequipment.com #[Google.Warning] 127.0.0.1 board.classifieds1000.com 127.0.0.1 xp.classifieds1000.com 127.0.0.1 www.classifieds1000.com #[SiteAdvisor.classifieds1000.com] 127.0.0.1 images.clckm.com 127.0.0.1 pics.clckm.com #[Parking Service] 127.0.0.1 cleanfeed.info #[Spamdexing] 127.0.0.1 ads.clickad.com #[eTrust.Tracking Cookie] 127.0.0.1 clickbank.net #[Ad-Aware.Tracking Cookie] 127.0.0.1 hop.clickbank.net #[Adware.Clickbank][Adware.ClickDLoader] 127.0.0.1 ssl.clickbank.net 127.0.0.1 zzz.clickbank.net #[Ewido.TrackingCookie.Clickbank] 127.0.0.1 publishers.clickbooth.com #[directleads.com] 127.0.0.1 clickboothlnk.com 127.0.0.1 www.clickboothlnk.com 127.0.0.1 j.clickdensity.com 127.0.0.1 r.clickdensity.com 127.0.0.1 dsml.clickexperts.net 127.0.0.1 www.clicks2you.com 127.0.0.1 www.clickmanage.com 127.0.0.1 clicktopsite.com #[Spamdexing] 127.0.0.1 clicktracks.com #[McAfee.Cookie-Clicktracks] 127.0.0.1 stats.clicktracks.com #[Tenebril.Tracking Cookie] 127.0.0.1 stats1.clicktracks.com # [eTrust.Tracking Cookie] 127.0.0.1 stats2.clicktracks.com #[SpySweeper.Spy.Cookie] 127.0.0.1 
stats3.clicktracks.com 127.0.0.1 stats4.clicktracks.com 127.0.0.1 www.clicktracks.com #[SunBelt.ClickTracks] 127.0.0.1 www.is1.clixgalore.com 127.0.0.1 www.clixgalore.com 127.0.0.1 hit.click2006.com 127.0.0.1 www2.click-fr.com 127.0.0.1 www3.click-fr.com 127.0.0.1 www4.click-fr.com 127.0.0.1 www.clickhouse.com #[SunBelt.ClickHouse] 127.0.0.1 www.click-power.com #[Win32/TrojanDownloader.VB.JL][Win32.Virtumonde.by] 127.0.0.1 www.clicks4u.com #[IE-SpyAd] 127.0.0.1 www.clicksbroker.com 127.0.0.1 ad1.clickhype.com #[Ewido.TrackingCookie.Clickhype] 127.0.0.1 clickoly.com #[Spamdexing] 127.0.0.1 redirect.clickshield.net 127.0.0.1 clickthru.net 127.0.0.1 ads.clickthru.net 127.0.0.1 icon.clickthru.net 127.0.0.1 clicktorrent.info 127.0.0.1 static.clicktorrent.info 127.0.0.1 www.clicktorrent.info #[phpAds] 127.0.0.1 www1.clicktorrent.info 127.0.0.1 norbert_sirot.club.fr #[Trojan-Spy.Win32.Banker.anv] 127.0.0.1 banner.clubdicecasino.com 127.0.0.1 adserver.clix.pt 127.0.0.1 ad.cmfu.com 127.0.0.1 www.cnstats.com 127.0.0.1 ad.coas2.co.kr 127.0.0.1 ads.cobrad.com 127.0.0.1 collectiveads.net 127.0.0.1 www.combimedia.nl 127.0.0.1 bdx.comclick.com 127.0.0.1 br.comclick.com 127.0.0.1 ct2.comclick.com #[Tenebril.Tracking Cookie] 127.0.0.1 fl01.ct2.comclick.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 ihm01.ct2.comclick.com 127.0.0.1 www.comclick.com #[Ewido.TrackingCookie.Comclick] 127.0.0.1 members.commissionmonster.com 127.0.0.1 aa.connextra.com 127.0.0.1 bb.connextra.com #[a22.g.akamai.net] 127.0.0.1 cc.connextra.com 127.0.0.1 dd.connextra.com 127.0.0.1 ee.connextra.com 127.0.0.1 ff.connextra.com #[a22.g.akamai.net] 127.0.0.1 data.connextra.com 127.0.0.1 linkexchange.consoleunderground.com 127.0.0.1 www.consoleunderground.com #[Adware.Begin2search] 127.0.0.1 ads.consumeraffairs.com 127.0.0.1 ads.contactmusic.com #[AdvertPro] 127.0.0.1 servedby.contextuad.org 127.0.0.1 svp.contextuad.org #[SunBelt.ContextuAd] 127.0.0.1 www.contextualclick.com #[Dynamic keywords analyser] 127.0.0.1 
ads.console.net 127.0.0.1 su.copylouis.info #[SiteAdvisor.msiesettings.com] 127.0.0.1 banners.copyscape.com 127.0.0.1 www.countit.ch 127.0.0.1 counter.co.kz 127.0.0.1 www.counter-gratis.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 www.countercentral.com 127.0.0.1 www.counterguide.com 127.0.0.1 counter-shop.net 127.0.0.1 htm-pop-ky.counterstat.net 127.0.0.1 www.counting4free.com 127.0.0.1 www.counter.cz 127.0.0.1 www.counti.de 127.0.0.1 www.countmypage.com 127.0.0.1 log1.countomat.com 127.0.0.1 connectionzone.com 127.0.0.1 www.couponsandoffers.com #[Adware.TopMoxie] 127.0.0.1 data.coremetrics.com 127.0.0.1 test.coremetrics.com #[SpySweeper.Spy.Cookie] 127.0.0.1 twci.coremetrics.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 banner.coza.com 127.0.0.1 www.cpaclicks.com #[Spamdexing] 127.0.0.1 server.cpmstar.com #[ads.shizmoo.com] 127.0.0.1 1.cq158.cn #[Win32/Agent.NAW] 127.0.0.1 cracklab.info #[server down?] 127.0.0.1 cracks.am #[eTrust.Cracks.am][ADW_CRAMTB.A] 127.0.0.1 www.cracks.am #[######-portal.com][Adware.CramToolbar] 127.0.0.1 ads.cracked.com 127.0.0.1 track.cracked.com 127.0.0.1 www.crackserver.com #[StopBadware.Report] 127.0.0.1 new.crashextads.co.uk 127.0.0.1 crawl.ws 127.0.0.1 cont.crawl.ws #[AdWare.Win32.MegaKiss.b] 127.0.0.1 www.crawl.ws 127.0.0.1 counter.credo.ru 127.0.0.1 www.cridem.org #[Win32/Spy.Banker.AHY] 127.0.0.1 www.crispads.com 127.0.0.1 ads.crosswinds.net 127.0.0.1 megabyte.crosswinds.net 127.0.0.1 ads.crucialparadigm.com 127.0.0.1 crunet.info #[Win32/TrojanDownloader.Ani.Gen] 127.0.0.1 cxss358.com #[HTML/TrojanDownloader.Agent.BP] 127.0.0.1 cyberbounty.com 127.0.0.1 clk.cyberbounty.com 127.0.0.1 pop.cyberbounty.com 127.0.0.1 serve.cyberbounty.com 127.0.0.1 www.cyberbounty.com 127.0.0.1 js.cybermonitor.com #[McAfee.Cookie-Cybermonitor] 127.0.0.1 stat3.cybermonitor.com 127.0.0.1 banner.cybertechdev.com 127.0.0.1 cybertown.ru 127.0.0.1 search.cygo.net 127.0.0.1 www.cygo.net #[McAfee.Adware-Cygo] 127.0.0.1 cytron.com #[DailyWinner][eTrust.Cytron] 
127.0.0.1 www.cytron.com 127.0.0.1 www.d3m0n.biz 127.0.0.1 dabestdomain.info #[SiteAdvisor.msiesettings.com] 127.0.0.1 ads.dada.it 127.0.0.1 mm.dalumm.com #[Win32/TrojanDownloader.Small.TZ] 127.0.0.1 www.data-jpn.com #[Trojan.Pajatan] 127.0.0.1 banner.date.com #[Tenebril.Tracking Cookie] 127.0.0.1 www.dateclix.com #[DateClix.com Banner Exchange Code] 127.0.0.1 datingbanners.net 127.0.0.1 ads.datinggold.com 127.0.0.1 ad.db3nf.com 127.0.0.1 dcstat.com 127.0.0.1 deansplanet.com #[Malicious.Links.Zango] 127.0.0.1 www.deansplanet.com 127.0.0.1 au.track.decideinteractive.com 127.0.0.1 au.link.decideinteractive.com 127.0.0.1 eu.link.decideinteractive.com 127.0.0.1 link.decideinteractive.com 127.0.0.1 www.decideinteractive.com 127.0.0.1 www.decideinteractive.co.uk 127.0.0.1 deepcom.com #[SiteAdvisor.deepcom.com] 127.0.0.1 www.deepcom.com #[TrojanDropper.Win32.Small.gt] 127.0.0.1 collector.deepmetrix.com 127.0.0.1 geo.deepmetrix.com 127.0.0.1 www.deepmetrix.com #[Microsoft] 127.0.0.1 demsas-iran.com #[VBS/Envary.A] 127.0.0.1 ads.dennisnet.co.uk 127.0.0.1 ad.depositfiles.com 127.0.0.1 ad.detik.com 127.0.0.1 desire-search.com #[Spamdexing] 127.0.0.1 ads.deviantart.com 127.0.0.1 adsvr.deviantart.com 127.0.0.1 phpadsnew.devstart.com 127.0.0.1 banners.diariodelaltoaragon.es 127.0.0.1 track.did-it.com #[Panda.Spyware:Cookie/did-it] 127.0.0.1 digiwexonline.com #[W32/Kibik.a] 127.0.0.1 www.digink.com #[PcTools.SysCheckBop32] 127.0.0.1 ads.digitalpoint.com 127.0.0.1 geo.digitalpoint.com 127.0.0.1 comm1.digits.com 127.0.0.1 counter.digits.com #[IE-SpyAd] 127.0.0.1 ads.dir.bg 127.0.0.1 banners.dir.bg 127.0.0.1 direct-ip.com #[Adware-DirectIP][SecurityRisk.DirectIP] 127.0.0.1 www.direct-ip.com #[Adware-DirectIP][Adware-CommanderNET] 127.0.0.1 ad.directconnect.se 127.0.0.1 banners.directnic.com #[SecuritySpace.WebBug][MVPS.Criteria] 127.0.0.1 dnads.directnic.com 127.0.0.1 parked.directnic.com 127.0.0.1 stats.directnic.com 127.0.0.1 www.directnicparking.com 127.0.0.1 cache.directorym.com 
#[c2.mii.instacontent.net] 127.0.0.1 ads.directnetadvertising.net 127.0.0.1 www.directnetadvertising.net #[Ad-Aware Tracking Cookie] 127.0.0.1 ad.displayadsmedia.com 127.0.0.1 agentq.ditto.com 127.0.0.1 js.ditto.com 127.0.0.1 matrix.ditto.com 127.0.0.1 media.ditto.com #[a232.x.akamai.net] 127.0.0.1 www.ditto.com #[AdWare.Win32.Softomate.c] 127.0.0.1 cnads.dixcom.com 127.0.0.1 dcww.dmcast.com #[Adware-DesktopMedia] 127.0.0.1 ad1.dmcmedia.co.kr 127.0.0.1 dmdl.dmcast.com 127.0.0.1 install.dmcast.com #[Adware-DesktopMedia.dr] 127.0.0.1 track.dmipartners.com 127.0.0.1 ads.dmnews.com 127.0.0.1 ad.dmpi.net 127.0.0.1 ad2.dmpi.net 127.0.0.1 ad3.dmpi.net 127.0.0.1 ad4.dmpi.net 127.0.0.1 ubnm.dmpi.net 127.0.0.1 www.dnscaching.net #[SiteAdvisor.dnscaching.net] 127.0.0.1 dnv-counter.com 127.0.0.1 www.domamil.cz #[Trojan.Beagooz] 127.0.0.1 www.dodostats.com 127.0.0.1 doorgen.com #[Spamdexing] 127.0.0.1 www.doorgen.com 127.0.0.1 ads.dotomi.com 127.0.0.1 www.donotchangeme.com 127.0.0.1 www.down988.cn #[Win32/TrojanDownloader.Ani.Gen] 127.0.0.1 www.download-services.com #[VBA32.Trojan-Downloader.Agent.26] 127.0.0.1 www.downseek.com #[SunBelt.DownSeek Search] 127.0.0.1 downloa-d.com 127.0.0.1 www.downloa-d.com #[Trojan-Clicker.Win32.Agent.ip] 127.0.0.1 banners.dpnet.com.br 127.0.0.1 drmx01.net #[Spamdexing] 127.0.0.1 counter.dreamhost.com 127.0.0.1 www.claus.drehteile-rieche.de #[Win32.Formglieder.B] 127.0.0.1 www.dreamadvert.com #[SunBelt.Dreamadvert] 127.0.0.1 www.dropthehammer.com #[Win32/Spy.Banker.AHY] 127.0.0.1 ads.drugs.com 127.0.0.1 b.ds1.nl 127.0.0.1 ddd.dudu.com #[Tenebril.DuDu Accelerator] 127.0.0.1 ulink4.dudu.com #[Adware.DDDClient][SunBelt.DuDuAccelerator] 127.0.0.1 ulink13.dudu.com #[Win32/Adware.DM] 127.0.0.1 www.dudu.com #[McAfee.Downloader-AVV] 127.0.0.1 www.duenow.com 127.0.0.1 www.dutty.de #[W32.Peerload.A] 127.0.0.1 gfx.dvlabs.com 127.0.0.1 klipads.dvlabs.com 127.0.0.1 www.dzy520.com #[Google.Warning] 127.0.0.1 e2give.com #[Adware-E2Give][Spyware.e2give] 
127.0.0.1 www.e2give.com 127.0.0.1 hits.e.cl 127.0.0.1 blogads.ebanner.nl 127.0.0.1 www.e-bannerx.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 www.earncashontheinternet.com #[SunBelt.OpinionBar] 127.0.0.1 www.eash.info #[Spamdexing][Microsoft.Strider] 127.0.0.1 click.easilyfound.com #[Tenebril.AdTraffic] 127.0.0.1 www.easilyfound.com 127.0.0.1 www.eastworldnetwork.com 127.0.0.1 www.easycounter.com #[IE-SpyAd] 127.0.0.1 banners.easydns.com 127.0.0.1 easyerror.info #[Trojan-Downloader.Win32.Delf.agw] 127.0.0.1 easyhitcounters.com 127.0.0.1 beta.easyhitcounters.com 127.0.0.1 www.ebannertraffic.com 127.0.0.1 easy-web-stats.com 127.0.0.1 adserv1.ebates.com #[WebSavings] 127.0.0.1 mailer.ebates.com 127.0.0.1 www.ebates.com #[Adware.MoeMoney] 127.0.0.1 ads.eccentrix.com 127.0.0.1 ads.ecrush.com #[AdvertPro] 127.0.0.1 www.eden21.net #[Win32/Haxdoor][TR/Dldr.Botol.D.1] 127.0.0.1 c6.edgesuite.net #[RealMedia] 127.0.0.1 ads.edirectme.com 127.0.0.1 qq.ee28.cn #[Javascript.Exploit] 127.0.0.1 www.ejmx.com #[Adware.ElectroJMX] 127.0.0.1 ad.e-kolay.net 127.0.0.1 www.ek21.com #[Trojan.Chost.B] 127.0.0.1 www.elancenet.org #[Worm/Eyeveg.CH] 127.0.0.1 elitwarez.ru #[Javascript.Exploit] 127.0.0.1 www.elitwarez.ru 127.0.0.1 now.eloqua.com #[WebBug] 127.0.0.1 ads.eluniversal.com.mx 127.0.0.1 hits.eluniversal.com.mx 127.0.0.1 publicidad.eluniversal.com.mx 127.0.0.1 elwebsearch.info #[Malicious Links] 127.0.0.1 wwv.elwebsearch.info 127.0.0.1 www.elwebsearch.info 127.0.0.1 ad1.emediate.dk 127.0.0.1 ad1.emediate.se 127.0.0.1 www.emoinstaller.com #[Win32/Adware.NdotNet][SiteAdvisor.emoinstaller.com] 127.0.0.1 www.emusic.com #[McAfee.Adware-eMusic][F-Secure.Adware.eMusic] 127.0.0.1 dotnet.endai.com 127.0.0.1 stats.engineseeker.com 127.0.0.1 entk.net 127.0.0.1 log.enquisite.com 127.0.0.1 adv.entercasino.com #[Adware.Casino.V] 127.0.0.1 ads.eog.com 127.0.0.1 ads.e-planning.net 127.0.0.1 ads.us.e-planning.net 127.0.0.1 adserving00.epi.es 127.0.0.1 adserving03.epi.es 127.0.0.1 
launcheruk.escritorioactivo.com 127.0.0.1 vipuk.escritorioactivo.com #[HJTH.123Messenger Hijacker] 127.0.0.1 www.escorcher.com #[eTrust.EScorcher] 127.0.0.1 www.eshopads2.com 127.0.0.1 estat.com 127.0.0.1 perso.estat.com #[Ewido.Spyware.Cookie.Estat] 127.0.0.1 prof.estat.com #[SecuritySpace.WebBug] 127.0.0.1 sky.estat.com 127.0.0.1 www.estat.com 127.0.0.1 gtb.etology.com 127.0.0.1 pages.etology.com 127.0.0.1 www.etracker.de 127.0.0.1 www.etxh.com #[Win32/Prosti.C] 127.0.0.1 ads.ero-advertising.com 127.0.0.1 adopt.euroclick.com #[Ewido.TrackingCookie.Euroclick] 127.0.0.1 cdn.euroclick.com 127.0.0.1 www.euroklik.nl #[EasyBar][HJTH.SinCity Dialer] 127.0.0.1 advert.eurotip.cz 127.0.0.1 www.euros4click.de 127.0.0.1 ad.eurosport.com #[oas.eurosport.com] 127.0.0.1 www.eurowebstats.com 127.0.0.1 www.everestpoker.com #[AdWare.Win32.Casino.t] 127.0.0.1 advert.exaccess.ru 127.0.0.1 dynamic.exaccess.ru 127.0.0.1 static.exaccess.ru 127.0.0.1 www.exchangead.com 127.0.0.1 exchange.bg 127.0.0.1 www.exchange.bg 127.0.0.1 exit-ad.de #[Ad-Aware.Tracking Cookie] 127.0.0.1 exitexchange.com #[IE-SpyAd][SiteAdvisor.exitexchange.com] 127.0.0.1 ads.exitexchange.com 127.0.0.1 count.exitexchange.com #[McAfee.Cookie-Exitexchange] 127.0.0.1 images.exitexchange.com 127.0.0.1 www.exitexchange.com #[SpySweeper.Spy.Cookie] 127.0.0.1 www.exittrade.com 127.0.0.1 www.exittraffic.net #[SiteAdvisor.exittraffic.net] 127.0.0.1 syndication.exoclick.com 127.0.0.1 nyton.experclick.com #[p.mii.instacontent.net] 127.0.0.1 www.experclick.com #[SpySweeper.Spy.Cookie] 127.0.0.1 ads.expressindia.com 127.0.0.1 banners.expressindia.com 127.0.0.1 cdn.eyewonder.com #[SunBelt.EyeWonder] 127.0.0.1 pixel1097.everesttech.net 127.0.0.1 pixel1324.everesttech.net 127.0.0.1 pixel1370.everesttech.net 127.0.0.1 www.evidence-eliminator.com 127.0.0.1 evilman.cn #[Win32/TrojanDownloader.VB.APY] 127.0.0.1 ads2.exhedra.com 127.0.0.1 www.eyeget.com #[McAfee.Adware-EyeGet] 127.0.0.1 feedback.eyereturn.com 127.0.0.1 
resources.eyereturn.com 127.0.0.1 timespent.eyereturn.com 127.0.0.1 voken.eyereturn.com 127.0.0.1 ads.ezboard.com 127.0.0.1 eziin.com #[Adware.Eziin] 127.0.0.1 www.eziin.com 127.0.0.1 www.ezurl.co.kr #[Spyware.Ezurl] 127.0.0.1 ads.facebook.com #[facebook-ads.vo.llnwd.net] 127.0.0.1 www.factorygames.com #[SiteAdvisor.factorygames.com] 127.0.0.1 banner.fairpoker.com #[AdWare.Win32.Casino.w] 127.0.0.1 www.fast-adv.it 127.0.0.1 www.fastfind.org #[TROJ_STARTPAG.KF][Win32/Adware.MediaBack] 127.0.0.1 fastonlineusers.com 127.0.0.1 fasttrack.nu 127.0.0.1 fastwebcounter.com 127.0.0.1 counter.fateback.com 127.0.0.1 counter1.fc2.com 127.0.0.1 www.ffxiforums.net #[Trojan-PSW.Win32.OnLineGames.kw] 127.0.0.1 alex.fileburst.com #[Win32/TrojanDropper.Agent.NBT] 127.0.0.1 adserver.filefront.com #[Ad-Aware.Tracking Cookie] 127.0.0.1 findover.org #[Spamdexing] 127.0.0.1 search.findscout.com 127.0.0.1 www.findscout.com #[W32/Delf.KPZ] 127.0.0.1 ai.p.findology.com 127.0.0.1 banner.finn.no 127.0.0.1 ads.firingsquad.com 127.0.0.1 ads2.firingsquad.com 127.0.0.1 ads.firstgrand.com 127.0.0.1 firstwolf.org #[Downloader-BAC] 127.0.0.1 fishclix.com 127.0.0.1 www.fishclix.com 127.0.0.1 www.fish-screensaver.com #[AdWare.Win32.Gator.1008] 127.0.0.1 www.fjordbergen.com #[Win32/Spy.Banker.BIG] 127.0.0.1 www.fjjyjy.net #[Win32/Hipigon][W32.Fijjy] 127.0.0.1 cdn.flashedmail.com #[Parked?] 
127.0.0.1 tracker1.flashedmail.com #[IE-SpyAd] 127.0.0.1 adserver4.fluent.ltd.uk 127.0.0.1 adserver.fmpub.net 127.0.0.1 dynamic.fmpub.net 127.0.0.1 static.fmpub.net 127.0.0.1 ads.fmwinc.com 127.0.0.1 www.foofle.net #[Backdoor.Foobot] 127.0.0.1 adcycle.footymad.net 127.0.0.1 www.forodeortodoncia.com #[Backdoor.IRC.Zapchast] 127.0.0.1 js.forrestersurveys.com 127.0.0.1 socratos.forrestersurveys.com 127.0.0.1 user.france.net.in #[Javascript.Exploit] 127.0.0.1 akcr.free.fr #[Win32/Spy.Bancos.U] 127.0.0.1 googlelite.free.fr #[Spamdexing] 127.0.0.1 ad.freecity.de 127.0.0.1 ads05.freecity.de 127.0.0.1 freecounters.xp.tl 127.0.0.1 maurobb.freecounter.it 127.0.0.1 www.freecounter.it 127.0.0.1 securinews.free.fr #[Trojan.Hexem] 127.0.0.1 www.freedownloadhq.com #[SiteAdvisor.freedownloadhq.com] 127.0.0.1 ad.freefind.com 127.0.0.1 www.freehitwebcounters.com 127.0.0.1 adverts.freeloader.com 127.0.0.1 freelogs.com 127.0.0.1 bar.freelogs.com 127.0.0.1 goo.freelogs.com 127.0.0.1 htm.freelogs.com 127.0.0.1 ico.freelogs.com 127.0.0.1 joe.freelogs.com 127.0.0.1 mom.freelogs.com 127.0.0.1 xyz.freelogs.com 127.0.0.1 adserver.freenet.de 127.0.0.1 freeonlineusers.com 127.0.0.1 www.free-ranking.de 127.0.0.1 freescanpro.com 127.0.0.1 www.freescanpro.com 127.0.0.1 free-stats.com 127.0.0.1 abbyssh.freestats.com 127.0.0.1 insurancejournal.freestats.com 127.0.0.1 www.freestat.ws 127.0.0.1 www.freestats.ws 127.0.0.1 banners.freett.com 127.0.0.1 count.freett.com 127.0.0.1 counters.freewebs.com 127.0.0.1 ads.freeonlinegames.com 127.0.0.1 stats.freeonlinegames.com 127.0.0.1 error.freewebsites.com 127.0.0.1 www.freewebsites.com 127.0.0.1 media.ftv-publicite.fr #[RealMedia] 127.0.0.1 fullddl.com 127.0.0.1 www.fullddl.com #[HTML/TrojanDownloader.XXXToolbar] 127.0.0.1 404.funpic.de 127.0.0.1 funppc.com 127.0.0.1 www.funppc.com 127.0.0.1 ads.futurenetworkusa.com 127.0.0.1 ads.gad-network.com 127.0.0.1 adserver.gadu-gadu.pl 127.0.0.1 www.gamersbanner.com 127.0.0.1 ads.gameservers.com 127.0.0.1 
ads.gamespy.com #[SpySweeper.Spy.Cookie] 127.0.0.1 adcontent.gamespy.com 127.0.0.1 ads.gamespyid.com 127.0.0.1 www.gameurdr.com #[Win32/TrojanDownloader.Ani.Gen] 127.0.0.1 server.gamyun.net 127.0.0.1 www.gamyun.net #[Adware.GamyunIeToolbar] 127.0.0.1 ad.garantiarkadas.com 127.0.0.1 ads.gather.com 127.0.0.1 track.gawker.com #[WebBug] 127.0.0.1 js.gbeb.cc #[Javascript.Exploit] 127.0.0.1 haymarket-adserver.gcnpublishing.com 127.0.0.1 www.gebr-wachs.de #[Trojan.Mitglieder.C][Backdoor.Gaster] 127.0.0.1 sda.geek.com #[AdvertPro] 127.0.0.1 adserver.geenstijl.nl 127.0.0.1 kassa.geenstijl.nl 127.0.0.1 adserver.geizkragen.de 127.0.0.1 gd.geobytes.com #[obtains users location] 127.0.0.1 geotarget.info #[Whois.Blacklisted] 127.0.0.1 banners.geotarget.info 127.0.0.1 www.geotarget.info 127.0.0.1 www.geowhere.net #[SunBelt.GeoWhere Search] 127.0.0.1 get-access.host.sk #[McAfee.StartPage-IR] 127.0.0.1 getclicky.com 127.0.0.1 static.getclicky.com 127.0.0.1 www.getmusicvideocodes.com #[Malicious.Links.Zango] 127.0.0.1 www.getsmart.com 127.0.0.1 dlx.getupdate.com #[AdvWare.ToolBar.VB.b][Adware.Getup] 127.0.0.1 banner.giantvegas.com 127.0.0.1 truehits.gits.net.th 127.0.0.1 truehits1.gits.net.th 127.0.0.1 ads.globo.com 127.0.0.1 ads.img.globo.com 127.0.0.1 glory-movy.net #[Javascript.Exploit] 127.0.0.1 duke.gocomics.com #[ads.uclick.com] 127.0.0.1 www.god74.com #[Trojan.Huanux] 127.0.0.1 www.godesktop.com #[SiteAdvisor.godesktop.com] 127.0.0.1 adserver2.goals365.com 127.0.0.1 www.go-and-search.com #[Spamdexing] 127.0.0.1 goglee.biz 127.0.0.1 www.goglee.biz 127.0.0.1 golden-keys.net #[Spamdexing] 127.0.0.1 banner.goldenpalace.com #[Tenebril.Tracking Cookie] 127.0.0.1 stage.goldkey.com #[Parking Service] 127.0.0.1 goldstats.net 127.0.0.1 www.goldstats.net 127.0.0.1 www.goodhealth-search.com #[Spamdexing] 127.0.0.1 www.qooqlesearch.com #[Spamdexing] 127.0.0.1 www.goggle.com #[IE-SpyAd][typo squatter] 127.0.0.1 google-counter.com #[Win32/Spy.Banker.CKW] 127.0.0.1 www.google-counter.com 
#[Google.Warning] 127.0.0.1 google-moogle.com #[Spamdexing] 127.0.0.1 www.google-moogle.com 127.0.0.1 show.googleadsenseagent.com #[Adware.Roogoo][server down?] 127.0.0.1 www.google-hard.com #[Win32/TrojanProxy.Agent.LK] 127.0.0.1 google-pharmacy.com #[Spamdexing] 127.0.0.1 goooglegulp.com #[Spamdexing] 127.0.0.1 www.gogogo.com #[PremiumTraffic.Parking Service] 127.0.0.1 partner.gonamic.de 127.0.0.1 www.goodsearchnow.com #[Trojan.Jakposh] 127.0.0.1 googlus.com #[Spamdexing] 127.0.0.1 adincl.gopher.com #[InfoSpace] 127.0.0.1 goserv.com #[VBS/Exploit.Phel.A] 127.0.0.1 stat.org.gosite.ws 127.0.0.1 gostats.com 127.0.0.1 as.gostats.com 127.0.0.1 c1.gostats.com 127.0.0.1 c2.gostats.com #[SpySweeper.Spy.Cookie] 127.0.0.1 c3.gostats.com 127.0.0.1 c4.gostats.com #[Panda.Spyware:Cookie/GoStats] 127.0.0.1 ded.gostats.com 127.0.0.1 monster.gostats.com 127.0.0.1 webcounter.goweb.de 127.0.0.1 ads.goyk.com 127.0.0.1 www.gpt-pal.com #[Javascript.Exploit] 127.0.0.1 graffitifonts.com 127.0.0.1 www.graffitifonts.com #[Malicious.Links.Zango] 127.0.0.1 graficastrigo.com #[Trojan.Tabela.E] 127.0.0.1 www.gratis-toplist.de 127.0.0.1 adv.gratuito.st 127.0.0.1 greatfog.com #[Javascript.Exploit] 127.0.0.1 www.greasypalm.co.uk #[PcTools.GreasyPalm bar] 127.0.0.1 greencunt.org #[Javascript.Exploit] 127.0.0.1 grepblogs.net 127.0.0.1 grigcnt.info #[Javascript.Exploit] 127.0.0.1 adserver.gruprc.ro 127.0.0.1 publi.grupocorreo.es #[RealMedia] 127.0.0.1 ads.guru3d.com 127.0.0.1 www.g-wizzads.net #[adbureau.net] 127.0.0.1 www.h148.cn #[Google.Warning] 127.0.0.1 ads2.haber3.com 127.0.0.1 www.handyarchive.com #[SiteAdvisor.handyarchive.com] 127.0.0.1 www.haogs.cn 127.0.0.1 www.haosf128.com #[Google.Warning] 127.0.0.1 streamit.hardwarezone.com 127.0.0.1 ad1.hardware.no #[AdvertPro] 127.0.0.1 adserver.hardwareanalysis.com 127.0.0.1 www.harmonyhollow.net #[Adware Bundler] 127.0.0.1 ads.harpers.org 127.0.0.1 hartim.com 127.0.0.1 ad0.haynet.com 127.0.0.1 ad.hbv.de 127.0.0.1 ads.heias.com 127.0.0.1 
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 69.66.0.20
DNS Server Search Order: 69.66.1.20

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92AA402F-3C3A-4E9F-9335-6AF59B245CC9}: NameServer=69.66.0.20 69.66.1.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92AA402F-3C3A-4E9F-9335-6AF59B245CC9}: NameServer=69.66.0.20 69.66.1.20

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

I had to cut some of the hosts, because it kept saying the post was too long. Sorry. :)

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 16 August 2007 - 04:32 AM

Hello

Download and Run ComboFix
  • Download this file from below:

    Here
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
You too could train to help others- Join the Classroom


#7 mrgroovitude

mrgroovitude

    New Member

  • Authentic Member
  • 6 posts

Posted 17 August 2007 - 08:40 AM

Hi,

Ran ComboFix. Here's the log, and the new HJT log.

ComboFix 07-08-16.3 - "Douglas" 2007-08-17 9:07:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.88 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


2007-08-17 09:05 51,200 --a--c--- C:\WINDOWS\nircmd.exe
2007-08-14 22:02 2,204 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-08-14 16:54 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-17 00:12 --------- d----c--- C:\DOCUME~1\Douglas\APPLIC~1\MailWasher
2007-08-13 15:15 --------- d----c--- C:\Program Files\SpywareBlaster
2007-08-02 18:07 --------- d----c--- C:\Program Files\stickies
2007-07-02 09:24 --------- d----c--- C:\DOCUME~1\Douglas\APPLIC~1\MailFrontier
2007-06-28 18:41 --------- d----c--- C:\DOCUME~1\Douglas\APPLIC~1\AdobeUM
2007-06-26 01:08 1104896 --a--c--- C:\WINDOWS\system32\msxml3.dll
2007-06-19 08:31 282112 --a--c--- C:\WINDOWS\system32\gdi32.dll
2007-06-13 05:23 1033216 --a--c--- C:\WINDOWS\explorer.exe
2007-05-17 06:28 549376 -----c--- C:\WINDOWS\system32\oleaut32.dll
1998-08-24 12:09 10000 --a--c--- C:\WINDOWS\inf\unregpn.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYSWB6"="SYSWB6" []
"nwiz"="nwiz.exe" [2005-06-15 17:20 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 17:20]
"Dit"="Dit.exe" [2002-08-28 14:43 C:\WINDOWS\Dit.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2002-02-20 22:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-04 13:18]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [2002-01-17 11:40]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 03:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe" [2005-06-01 17:09]

C:\Documents and Settings\Douglas\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-10-02 19:52:56]
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2004-10-26 12:02:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - C:\DOCUME~1\Douglas\My Documents\My Downloads\Callwave11\IAM.exe [2002-12-11 16:09:33]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CWShredder Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SoundMan"=SOUNDMAN.EXE
"nwiz"=nwiz.exe /install
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"hplampc"=C:\WINDOWS\system32\hplampc.exe

R0 MrFilter;EasyWrite Driver;C:\WINDOWS\system32\drivers\MrFilter.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 kid_sys;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\drivers\KID_SYS.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 hidgame;Microsoft Hid to Joystick Port Enabler;C:\WINDOWS\system32\DRIVERS\hidgame.sys
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys
S3 IIUSBISP;USB Mass Storage for USB ISP;C:\WINDOWS\system32\Drivers\iiusbisp.sys
S3 ntxpusb;Gravis USB device driver;C:\WINDOWS\system32\drivers\ntxpusb.sys
S3 WmAdiHid;Logitech WingMan Digital Devices Driver;C:\WINDOWS\system32\drivers\WmAdiHid.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-01-06 23:54:23 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 09:11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-17 9:14:11

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:20:30 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\WINDOWS\Dit.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe
C:\WINDOWS\system32\Winkb6.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: CallWave.lnk = C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120013803375
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_02) -
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

:)

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 17 August 2007 - 12:06 PM

Hi

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

I see that Viewpoint Media Player is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto‑updating for the Viewpoint Manager ‑‑ the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Viewpoint Media Player, click Remove.
Make sure AVG is up to date before proceeding

Run a scan with AVG.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
      • Click on Recommended actions, and set to Quarantine.
    • How to scan
      • Check all options.
    • Possibly unwanted software.
      • Check all options.
    • Reports
      • Check Do not automatically generate reports after every scan.
    • What to scan
      • Check Scan every file.
  • Click on the Scan tab.
    • Click on Complete System Scan and the scan will begin.
    • When the scan has finished
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the Apply all Actions button.
Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Post back with the AVG report and a new HijackThis log. And let me know how your computer is behaving now.

#9 mrgroovitude

mrgroovitude

    New Member

  • Authentic Member
  • 6 posts

Posted 17 August 2007 - 05:04 PM

Hi,
Here's a copy of the AVG scan report and a new HJT log. I also went ahead and removed the 'Viewpoint Media Player'. So far, the computer is working fine. The flashing icon and all the warning boxes are gone.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:51:42 PM 8/17/2007

+ Scan result:



C:\Documents and Settings\Douglas\My Documents\My Videos\CartoonInstall.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Documents\Downloads\weblock.exe/WeUninstall.exe -> Backdoor.Graybird : Cleaned with backup (quarantined).
C:\Documents and Settings\Douglas\My Documents\My Downloads\WeBlocker\WeBlockerII\weblock.exe/WeUninstall.exe -> Backdoor.Graybird : Cleaned with backup (quarantined).
C:\Documents and Settings\Douglas\My Documents\My Downloads\WeBlocker\weblock.exe/WeUninstall.exe -> Backdoor.Graybird : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WeUninstall.exe -> Backdoor.Graybird : Cleaned with backup (quarantined).
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Dropper.Small.hx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\notepad.exe.bak -> Dropper.Small.hx : Cleaned with backup (quarantined).
C:\Documents and Settings\Douglas\My Documents\My Jokes\Maytag Washing Machine.exe -> Not-A-Virus.BadJoke.Win32.Train : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.137:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.138:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.246:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.227:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.324:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Intelli-direct : Cleaned.
:mozilla.259:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.217:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.46:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.47:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.48:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.49:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.50:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.51:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.52:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.293:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.325:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.59:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.60:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.61:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.62:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.115:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.116:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.175:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.176:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.177:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.178:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.179:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.180:C:\Documents and Settings\Douglas\Application Data\Mozilla\Firefox\Profiles\hg61w9u8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 6:03:03 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\WINDOWS\Dit.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Winkb6.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Douglas\My Documents\My Downloads\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\PopUpStopperProfessional.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: CallWave.lnk = C:\Documents and Settings\Douglas\My Documents\My Downloads\Callwave11\IAM.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120013803375
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92AA402F-3C3A-4E9F-9335-6AF59B245CC9}: NameServer = 69.66.0.20 69.66.1.20
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

:)
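An added example, not part of the original post and not code from HijackThis or the forum staff: a short Python triage pass over the HijackThis log format posted above. The sample lines are copied from that log; the function names and flag labels are assumptions, and a flag only marks an entry for manual review, it is not a verdict on the entry.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Entry lines look like "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# Registry autostart entries: "<hive>\..\Run: [value name] command line".
RUN_RE = re.compile(r"Run(?:Once|Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A command that starts with a drive letter or %variable% is treated as fully qualified.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\)')

def parse_entries(log_text):
    """Return (section, detail) tuples; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_flags(section, detail):
    """Structural reasons to look at an entry by hand (assumed labels, not verdicts)."""
    flags = []
    if detail.endswith("(file missing)"):
        flags.append("orphaned: target file missing")
    if section == "O1":
        flags.append("hosts file override")
    if section.startswith("R") and "ProxyServer" in detail:
        flags.append("proxy configured")
    if section == "O4":
        m = RUN_RE.search(detail)
        if m and not ABS_PATH_RE.match(m.group("cmd")):
            flags.append("autostart command without full path")
    return flags

def triage(log_text):
    """Group flagged entries by flag label."""
    grouped = defaultdict(list)
    for section, detail in parse_entries(log_text):
        for flag in review_flags(section, detail):
            grouped[flag].append(f"{section} - {detail}")
    return dict(grouped)

if __name__ == "__main__":
    for flag, lines in triage(SAMPLE_LOG).items():
        print(flag, *lines, sep="\n    ")
```
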

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 17 August 2007 - 05:30 PM

Hi mrgroovitude

The AVG I had you download is only a 30-day trial of the full product, after which time, if you opt not to subscribe, it reverts to a simple on-demand scanner. You already have Spybot S&D, so disabling the AVG Guard is recommended, as they may conflict with each other. I would also suggest re-immunising with Spybot S&D and enabling the TeaTimer function.

  • Open AVG Anti-spyware
  • Click Infections at the top
  • Click on Select All
  • Now click Remove Finally and press Yes at the prompt.
  • Close AVG Anti-Spyware

Delete the Combofix icon and the Smitfraudfix folder from your Desktop.

Navigate to and delete the following files and/or folders (if they are present):

Folders:
C:\Combofix
C:\Qoobox

Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u2, and click Yes at the page warning, then accept the Licence Agreement before downloading the Offline file.

I would advise updating Adobe Reader, as the latest version clears up any vulnerabilities of previous versions.
First uninstall the version you have on your computer then download and install Adobe Reader 8.1.

This is my usual speech for when you are clean, which you appear to be.

Please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore.
It's also a good idea to Flush your System Restore points after ridding yourself of malware:
  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C:) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Here are some free programs I recommend.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

#11 mrgroovitude

mrgroovitude

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 19 August 2007 - 08:47 PM

Thanks Scotty. Things always get a little hectic here on the weekends. I removed the old versions of Java and Adobe, and downloaded the most current versions. Reset the system restore and updated all my antivirus and spyware programs. The computer is working great once again. Thanks again!! Blessings, Doug :D

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 20 August 2007 - 03:58 AM

You are welcome. :thumbup:

#13 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 20 August 2007 - 03:59 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.