|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
04-12-2005, 11:19 PM
|
#1 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
MySoft spyware
During my weekly virus and spyware update/scan Spybot S&D picked up four instances of MySoft. Three were removed without a problem, but one wasn't due to it being in use. I rebooted into Safe Mode, ran Spybot again, same problem; couldn't remove it. It was not picked up by Adaware or Microsoft Spyware Scan. Included is a HJT log for your viewing pleasure.
Logfile of HijackThis v1.98.2 Scan saved at 4:17:45 PM, on 13/04/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\CAP3RSK.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe C:\WINDOWS\System32\00THotkey.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPWRTRAY.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Microsoft AntiSpyware\gcasServ.exe C:\RAM Idle\RAM_XP.exe C:\ZoneAlarm\zlclient.exe C:\Spybot\TeaTimer.exe C:\WINDOWS\system32\RAMASST.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE C:\Microsoft AntiSpyware\gcasDtServ.exe C:\CleanUp!\Cleanup.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Main User\My Documents\Matts Stuff\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0616.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [gcasServ] "C:\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [RAM Idle Professional] C:\RAM Idle\RAM_XP.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099831942755 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8C40FDD8-7D2A-4A3D-8389-A2B557C903EE}: NameServer = 203.194.27.57,203.194.56.150 |
|
     |
| Sponsored Links |
|
04-13-2005, 05:16 AM
|
#2 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2
|
WhoLockMe - We all had this problem before. We try to delete/rename/move a file and it says it can't be done because some process is using it. With this program, you can determine which program is using the file. You can then end the program if you want.
__________________
  |
|
|
|
|
04-13-2005, 05:45 AM
|
#3 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
I don't think its a file. After the scan Spybot shows the MySoft spyware, and when i click on it to show the location of the problem, it says "Redirected host, sitefinder.verisign.com=IP address" I don't want to post the IP address in case it's sensitive.
When I try to fix the problem, I get a message saying that it couldn't be fixed; the reason being it is still in use (in memory) and that restarting my computer could help - which it doesn't. So it's not that I can't manually delete a file, it's something different. |
|
|
|
|
04-13-2005, 06:18 AM
|
#4 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2
|
You have an outdated version of HijackThis. Download the newest version at http://www.greyknight17.com/spy/HijackThis.exe and run it.
Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
|
|
|
|
|
04-13-2005, 07:28 AM
|
#5 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
the 2 logs
First one is the HJT Analyser log, second is the TDS-3.
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 11:41:37 PM, on 13/04/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE C:\Microsoft AntiSpyware\gcasServ.exe C:\RAM Idle\RAM_XP.exe C:\ZoneAlarm\zlclient.exe C:\QuickTime\qttask.exe C:\Spybot\TeaTimer.exe C:\WINDOWS\system32\CAP3RSK.EXE C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE C:\Microsoft AntiSpyware\gcasDtServ.exe C:\Documents and Settings\Main User\Desktop\Security Programs\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0616.dll O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll" O4 - HKLM\..\Run: [gcasServ] "C:\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [RAM Idle Professional] C:\RAM Idle\RAM_XP.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099831942755 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8C40FDD8-7D2A-4A3D-8389-A2B557C903EE}: NameServer = 203.194.27.57,203.194.56.150 O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe End of KRC HijackThis Analyzer Log. ==================================================================== 23:46:02 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED) 23:46:02 [Init] Started 13-04-05 23:46:02 E. Australia Standard Time (UTC: -10), Internet Time @615.30 23:46:02 [Init] Loading TDS-3 Systems ... 23:46:02 [Init] Token successfully adjusted. 23:46:02 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum 23:46:02 [Init] • Plugins : OK. Loaded 13 23:46:02 [Init] • Exec Protection : Not Installed 23:46:02 [Init] WARNING: Your Radius.TD3 database needs to be updated! 23:46:02 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 23:46:02 [Init] Licensed users can use the Update facility from the TDS menu 23:46:02 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 23:46:10 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families 23:46:10 [Init] • Systems Initialised [52187 references - 26562 primaries/13408 traces/12217 variants/other] 23:46:10 [Init] Radius Systems loaded. <Databases updated 13-04-2005> 23:46:10 [Init] TDS-3 Ready. <Main user@192.168.1.2, 127.0.0.1 - Australia> 23:46:10 [Tip Of The Day] Rest your eyes often. (And don't underestimate the value of this tip!) 23:46:10 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry 23:46:10 [TDS] Good evening Main user. 23:46:16 [Mutex Memory Scan] Started... 23:46:18 [Mutex Memory Scan] Finished (no trojan mutexes found). 23:46:18 [TDS-3] NOTICE - TDS-3 was not properly shut down. 23:46:18 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering. 23:46:23 [CRC32] Started - verifying 29 files ... 23:46:24 [CRC32] Test finished. 23:48:15 [Memory Scan] Memory scan started, please wait a moment ... 23:48:18 [Memory Scan] Memory scan complete. 23:48:18 [Mutex Memory Scan] Started... 23:48:20 [Mutex Memory Scan] Finished (no trojan mutexes found). 23:48:20 [Trace Scan] Started... 23:48:27 [Trace Scan] Finished. 23:48:27 [ServiceScan] Scanning for services and drivers ... 23:48:32 [ServiceScan] Scanned 294 services and drivers. 23:48:32 [File Scan] Scanning in C:\ ... 00:25:32 [File Scan] Scanned 39791 files: 2 alarms in -84179.94 seconds (Avg .53 files/sec) 00:25:32 [File Scan] Scanning in D:\ ... 00:25:52 [File Scan] Scanned 98 files: 2 alarms in 20.48901 seconds (Avg 5.78 files/sec) 00:25:52 [Scan] Finished. The 2 alarms found were: c:\gendel32.exe c:\windows\downloaded program files\popcaploader.dll |
|
|
|
|
04-13-2005, 10:01 PM
|
#6 (permalink) |
|
Analyst, Security Team
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SafeGuard or PCShield Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au <<-- If this site is ok, you may leave it alone R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0616.dll O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll" O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0616.dll" Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\System32\sfg_0616.dll c:\gendel32.exe c:\windows\downloaded program files\popcaploader.dll Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-13-2005, 10:25 PM
|
#7 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
latest HJT Analyser log
The references to linkt.com.au is my ISPs homepage, so I left them alone.
I couldn't find any reference to c:\windows\system32\sfg_0616.dll in safe mode or normal, but all others were found and removed/fixed. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 3:21:51 PM, on 14/04/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE C:\Microsoft AntiSpyware\gcasServ.exe C:\RAM Idle\RAM_XP.exe C:\ZoneAlarm\zlclient.exe C:\QuickTime\qttask.exe C:\Spybot\TeaTimer.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE C:\WINDOWS\system32\CAP3RSK.EXE C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE C:\Microsoft AntiSpyware\gcasDtServ.exe C:\Documents and Settings\Main User\Desktop\Security Programs\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll O2 - BHO: (no name) - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - (no file) O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE O4 - HKLM\..\Run: [gcasServ] "C:\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [RAM Idle Professional] C:\RAM Idle\RAM_XP.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099831942755 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8C40FDD8-7D2A-4A3D-8389-A2B557C903EE}: NameServer = 203.194.27.57,203.194.56.150 O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe the Redirected host, sitefinder.verisign.com=IP address problem persists Last edited by Desmodus; 04-13-2005 at 10:47 PM. |
|
|
|
|
04-14-2005, 05:59 AM
|
#8 (permalink) |
|
Analyst, Security Team
|
Ok, do the following two things:
Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately): 564FFB73-9EEF-4969-92FA-5FC4A92E2C2A Save the file/files and post the results in the forum. Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip Unzip to its own folder and start the program: Press 'Config' Press 'mark all' Uncheck the following boxes only: System/Running Process -> List Modules System/Drivers -> NT Services System/Drivers -> NT Kernel- and FS-drivers Press 'OK' Press 'Save' and select the location to save the log file (default is the same folder as the application) Post the log in this thread.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 06:15 AM
|
#9 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
Thank you for your help so far, but I am a little confused by what you mean about the RegSearch log. I opened it and all I got was a notepad with the following:
'RegSrch.vbs - Search Registry for input string and display results. '© Bill James - wgjames@mvps.org ' revised 20 Apr 2001 (parses regfile ~3X faster) ' revised 13 Dec 2001 (added Regedit command line switch for Win2K/WindXP) Option Explicit Dim oWS : Set oWS = CreateObject("WScript.Shell") Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject") Dim sSearchFor sSearchFor = InputBox("This script will search your Registry and find all " & _ "instances of the search string you input." & vbcrlf & vbcrlf & _ "This search could take several minutes, so please be patient." & _ vbcrlf & vbcrlf & "Enter search string (case insensitive) and " & _ "click OK...", WScript.ScriptName & " " & Chr(169) & " Bill James") If sSearchFor = "" Then Cleanup() Dim StartTime : StartTime = Timer Dim sRegTmp, sOutTmp, eRegLine, iCnt, sRegKey, aRegFileLines sRegTmp = oWS.Environment("Process")("Temp") & "\RegTmp.tmp " sOutTmp = oWS.Environment("Process")("Temp") & "\sOutTmp" & _ Hour(Now) & Minute(Now) & Second(Now) & ".tmp " oWS.Run "regedit /e /a " & sRegTmp, , True '/a enables export as Ansi for WinXP With oFSO.OpenTextFile(sOutTmp, 8, True) .WriteLine("REGEDIT4" & vbcrlf & "; " & WScript.ScriptName & " " & _ Chr(169) & " Bill James" & vbcrlf & vbcrlf & "; Registry search " & _ "results for string " & Chr(34) & sSearchFor & Chr(34) & " " & Now & _ vbcrlf & vbcrlf & "; NOTE: This file will be deleted when you close " & _ "WordPad." & vbcrlf & "; You must manually save this file to a new " & _ "location if you want to refer to it again later." & vbcrlf & "; (If " & _ "you save the file with a .reg extension, you can use it to restore " & _ "any Registry changes you make to these values.)" & vbcrlf) With oFSO.GetFile(sRegTmp) aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf) End With oFSO.DeleteFile(sRegTmp) For Each eRegLine in aRegFileLines If InStr(1, eRegLine, "[", 1) > 0 Then sRegKey = eRegLine If InStr(1, eRegLine, sSearchFor, 1) > 0 Then If sRegKey <> eRegLine Then .WriteLine(vbcrlf & sRegKey) & vbcrlf & eRegLine Else .WriteLine(vbcrlf & sRegKey) End If iCnt = iCnt + 1 End If Next Erase aRegFileLines If iCnt < 1 Then oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _ vbcrlf & vbcrlf & "No instances of " & chr(34) & sSearchFor & chr(34) & _ " found.",, WScript.ScriptName & " " & Chr(169) & " Bill James", 4096 .Close oFSO.DeleteFile(sOutTmp) Cleanup() End If .Close End With oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _ vbcrlf & vbcrlf & iCnt & " instances of " & chr(34) & sSearchFor & chr(34) & _ " found." & vbcrlf & vbcrlf & "Click OK to open Results in WordPad.",, _ WScript.ScriptName & " " & Chr(169) & " Bill James", 4096 oWS.Run "WordPad " & sOutTmp, 3, True oFSO.DeleteFile(sOutTmp) Cleanup() Sub Cleanup() Set oWS = Nothing Set oFSO = Nothing WScript.Quit End Sub I'm not sure what to do at this point. I did however do the StartDreck log: StartDreck (build 2.1.7 public stable) - 2005-04-14 @ 23:11:45 (GMT +10:00) Platform: Windows XP (Win NT 5.1.2600 Service Pack 2) Internet Explorer: 6.0.2900.2180 Logged in as Main User at YOUR-9DL6YFN7YI »Registry »Run Keys »Current User »Run *SpybotSD TeaTimer=C:\Spybot\TeaTimer.exe »RunOnce »Default User »Run *AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE »RunOnce »Local Machine »Run *IgfxTray=C:\WINDOWS\system32\igfxtray.exe *HotKeysCmds=C:\WINDOWS\system32\hkcmd.exe *PmProxy=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe *00THotkey=C:\WINDOWS\System32\00THotkey.exe *000StTHK=000StTHK.exe *TouchED=C:\Program Files\TOSHIBA\TouchED\TouchED.Exe *TFNF5=TFNF5.exe *Tpwrtray=TPWRTRAY.EXE *ezShieldProtector for Px=C:\WINDOWS\System32\ezSP_Px.exe *Drag'n Drop CD+DVD=C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp *LtMoh=C:\Program Files\ltmoh\Ltmoh.exe *AGRSMMSG=AGRSMMSG.exe *CAP3ON=C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE *LWBMOUSE=C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE *SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe *AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP *gcasServ="C:\Microsoft AntiSpyware\gcasServ.exe" *RAM Idle Professional=C:\RAM Idle\RAM_XP.exe *Zone Labs Client="C:\ZoneAlarm\zlclient.exe" *QuickTime Task="C:\QuickTime\qttask.exe" -atboottime +OptionalComponents +MSFS *Installed=1 +MAPI *NoChange=1 *Installed=1 +MAPI *NoChange=1 *Installed=1 »RunOnce »RunServices »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat *batfile="%1" %* +.com *comfile="%1" %* +.disabled *SpybotSD.DisabledFile="C:\Spybot\blindman.exe" "%1" +.exe *exefile="%1" %* +.hta *htafile=C:\WINDOWS\System32\mshta.exe "%1" %* +.htm *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.html *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.js *JSFile=notepad.exe "%1" %* +.jse *JSEFile=notepad.exe "%1" %* +.pif *piffile="%1" %* +.reg *regfile=regedit.exe "%1" +.scr *scrfile="%1" /S +.txt *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 +.vbs *VBSFile=notepad.exe "%1" %* +.vbe *VBEFile=notepad.exe "%1" %* +.wsh *WSHFile=notepad.exe "%1" %* +.wsf *WSFFile=notepad.exe "%1" %* +.lnk `lnkfile= [key or value does not exist] »Active Setup (LM) +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c} *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} *StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT +Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278} *StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} *StubPath=regsvr32.exe /s /n /i:U shell32.dll +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} *StubPath=%SystemRoot%\system32\ie4uinit.exe »Browser Helper Objects (LM) *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} `InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx *{4A368E80-174F-4872-96B5-0B27DDD11DB2} `InprocServer32= *{53707962-6F74-2D53-2644-206D7942484F} `InprocServer32=C:\Spybot\SDHelper.dll *{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} `InprocServer32= »Internet Explorer »Current User *Default_Page_URL=www.linkt.com.au *Local Page=C:\WINDOWS\system32\blank.htm *Search Bar=http://www.google.com/ie *Start Page=http://www.linkt.com.au/ +SearchUrl *provider=gogl *=http://www.google.com/keyword/%s »Default User »Local Machine *Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome *Default_Search_URL=http://home.microsoft.com/search/search.asp *Local Page=C:\WINDOWS\system32\blank.htm *Search Bar=http://www.google.com/ie *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Start Page=http://www.linkt.com.au/ *CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm *SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm +SearchUrl *=http://www.google.com/keyword/%s »ShellServiceObjectDelayLoad (LM) *PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll *CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll *WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} `InprocServer32=%SystemRoot%\System32\webcheck.dll *SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} `InprocServer32=C:\WINDOWS\System32\stobject.dll »Special NT Values »Current User *Load= *Run= *Programs=com exe bat pif cmd *SHELL= »Default User *Load= *Run= *Programs=com exe bat pif cmd *SHELL= »Local Machine *AppInit_DLLs= *SHELL=Explorer.exe *Userinit=C:\WINDOWS\system32\userinit.exe, »Files »Autostart Folders »Current User *C:\Documents and Settings\Main User\Start Menu\Programs\Startup\desktop.ini »Default User *C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini »Local Machine *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon LASER SHOT LBP-1120 Status Window.LNK *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk »INI-Files »WIN.INI\[windows] *LOAD= *RUN= »SYSTEM.INI\[boot] *SHELL=Explorer.exe »Text Files *C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn *C:\msdos.sys *C:\config.sys *C:\WINDOWS\system32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 *C:\autoexec.bat *C:\WINDOWS\system32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 *C:\WINDOWS\wininit.ini `[Rename] `NUL=C:\WINDOWS\bdl44126.exe `nul=C:\gendel32.exe *C:\WINDOWS\hosts *C:\WINDOWS\system32\drivers\etc\hosts `127.0.0.1 www.altnet.com `127.0.0.1 search.kazaa.com `127.0.0.1 www.kazaaplus.com `127.0.0.1 ssa.kazaa.com `127.0.0.1 ssm.kazaa.com `127.0.0.1 www.cydoor.com `127.0.0.1 ads.kazaa.com `127.0.0.1 www.bullguard.com `127.0.0.1 www.certifiedkazaa.com `127.0.0.1 puma.kazaa.com `127.0.0.1 www.bns2.net `127.0.0.1 www.bns1.net `127.0.0.1 www.rgs2.net `127.0.0.1 www.rgs1.net `127.0.0.1 www.cms2.net `127.0.0.1 www.cms1.net `127.0.0.1 cys3.net `127.0.0.1 cys2.net `127.0.0.1 cys1.net `127.0.0.1 www.kapsules.org `127.0.0.1 images.kazaa.com `127.0.0.1 http://desktop.kazaa.com/us/kmdstart...nt=kmd&ver=260 `127.0.0.1 www.altnetp2p.com `127.0.0.1 alpha.kazaa.com `127.0.0.1 shop.kazaa.com `127.0.0.1 www.bonzi.com `127.0.0.1 www.brilliantdigital.com `127.0.0.1 www.b3d.com `127.0.0.1 media.altnet.com `127.0.0.1 dev.bde.com.au `127.0.0.1 update.kazaa.com `127.0.0.1 bravo.kazaa.com `127.0.0.1 localhost `127.0.0.1 www.k-lite.tk `127.0.0.1 http://www.kazanon.com/ `127.0.0.1 litetk.com `127.0.0.1 kazaa.ishareit.com `127.0.0.1 www.kazaa-gold.com `127.0.0.1 kazaagold.com `127.0.0.1 www.kazaa-download.de `127.0.0.1 www.mp3downloadhq.com `127.0.0.1 www.easymusicdownload.com `127.0.0.1 easymusicdownload.com `127.0.0.1 www.mp3madeeasy.com `127.0.0.1 www.monstershare.com `127.0.0.1 monstershare.com `127.0.0.1 www.kazaa-plus.net `127.0.0.1 kazaa-plus.net `127.0.0.1 www.kazaa-plus.com `127.0.0.1 www.edonkey.com `127.0.0.1 www.kazaa-file-sharing-downloads.com `127.0.0.1 www.kazaaplatinum.com `127.0.0.1 www.madeformusic.com `127.0.0.1 www.ikazaa.net `127.0.0.1 ikazaa.net `127.0.0.1 www.ondemandmp3.com `127.0.0.1 www.mp3u.com `127.0.0.1 www.mp3specialty.com `127.0.0.1 music-download-world.com `127.0.0.1 song-download-world.com `127.0.0.1 www.flixs.net `127.0.0.1 www.ishareit.net `127.0.0.1 www.ishareit.com `127.0.0.1 www.download-doctor.com `127.0.0.1 www.ezmp3download.com `127.0.0.1 www.freesoftusa.com `127.0.0.1 www.kazaamedia.com `127.0.0.1 mp3-network.com `127.0.0.1 www.mp3-network.com `127.0.0.1 www.mp3grandcentral.net `127.0.0.1 www.mp333.com `127.0.0.1 www.kazaamate.com `127.0.0.1 www.emule.biz `127.0.0.1 www.kazaam8.tk `127.0.0.1 www.rippro.com `127.0.0.1 k-lite-legal.com `127.0.0.1 www.kaaza.com `127.0.0.1 secure.Webstartz.com `127.0.0.1 www.kazaalite.de `127.0.0.1 www.kazza.de `127.0.0.1 kazza.com `127.0.0.1 www.kazaalite.at `127.0.0.1 www.kazaalite.ch `127.0.0.1 www.kazaa-hilfe.de `127.0.0.1 www.edonkey-2000.de `127.0.0.1 www.edonkey-bot.de `127.0.0.1 www.edonkey-edonkey2000.de `127.0.0.1 www.edonkey-hilfe.de `127.0.0.1 www.edonkey-morpheus-forum.de `127.0.0.1 www.emule-hilfe.de `127.0.0.1 www.file-sharing-forum.de `127.0.0.1 www.filesharing-forum.de `127.0.0.1 www.imesh-download.de `127.0.0.1 www.kazaa-kaza.de `127.0.0.1 www.kazaa-lite.info `127.0.0.1 www.kazaa-lite-download.de `127.0.0.1 www.1md.de `127.0.0.1 www.mariodolzer.de `127.0.0.1 www.morpheus-forum.de `127.0.0.1 www.overnet-download.de `127.0.0.1 www.overnet-hilfe.de `127.0.0.1 www.winmx-download.de `127.0.0.1 www.winmx-hilfe.de `127.0.0.1 www.download-und-hilfe.de `127.0.0.1 www.filesharing-hilfe-forum.de `127.0.0.1 www.musik-download.biz `127.0.0.1 www.mp3downloads.ch `127.0.0.1 www.songfly.com `127.0.0.1 www.kazaa.nl `127.0.0.1 1stsoftwaredownloads.com `127.0.0.1 morpheus-download-morpheus.com `127.0.0.1 www.icisnet.org `127.0.0.1 software.global-netcom.de `127.0.0.1 www.filesharing-download.de `127.0.0.1 www.p2p.tm `127.0.0.1 www.filesharing-center.de `127.0.0.1 www.filesharing-tools.de `127.0.0.1 kazaa-download-kazaa.com `127.0.0.1 www.interscilsa.com `127.0.0.1 www.dvd-download-free.com `127.0.0.1 www.howtominibooks.com `127.0.0.1 www.internetmovies.com `127.0.0.1 www.rippro.net `127.0.0.1 www.musicmoviesbooks.com `127.0.0.1 www.kazaalite.org `127.0.0.1 www.getmp3music.com `127.0.0.1 www1.ishareit.com `127.0.0.1 www.filesharing-software.de `127.0.0.1 www.firewarez.com `127.0.0.1 www.k-lite.co.uk `127.0.0.1 kazzaa.info `127.0.0.1 www.morpheusp2p.com `127.0.0.1 www.mudima.com `127.0.0.1 www.download-central.com `127.0.0.1 kazaaplatinum.com `127.0.0.1 www.dingosoft.net `127.0.0.1 www.kazaa-advance.com `127.0.0.1 www.downloads-unlimited.com `127.0.0.1 klserver.port5.com `127.0.0.1 rippro.net `127.0.0.1 www.findkazaalite.com `127.0.0.1 www.freegoldkazaa.com `127.0.0.1 www.freekazaalite.com `127.0.0.1 www.kazaalitekpp.com `127.0.0.1 kazaa.filez.ws `127.0.0.1 www.kazaalite-download.com `127.0.0.1 www.kazaavip.com `127.0.0.1 compgenie.host.sk `127.0.0.1 www.musicdownloadcenter.com `127.0.0.1 www.kazza-lite.net `127.0.0.1 sitefinder.Verisign.com `127.0.0.1 sitefinder-idn.Verisign.com `127.0.0.1 `127.0.0.1 `127.0.0.1 `127.0.0.1 06272002-dbase.hitcountz.net `127.0.0.1 1ca.cqcounter.com `127.0.0.1 2001-007.com `127.0.0.1 ad-logics.com `127.0.0.1 ad.trafficmp.com `127.0.0.1 adclient.rottentomatoes.com `127.0.0.1 adcodes.aim4media.com `127.0.0.1 adcounter.globeandmail.com `127.0.0.1 adcounter.theglobeandmail.com `127.0.0.1 adlog.com.com `127.0.0.1 admanmail.com `127.0.0.1 ads.tiscali.com `127.0.0.1 ads.tiscali.it `127.0.0.1 adtech.de `127.0.0.1 anm.intelli-direct.com `127.0.0.1 askmen.thruport.com `127.0.0.1 banner.0catch.com `127.0.0.1 best-search.cc `127.0.0.1 bilbo.counted.com `127.0.0.1 bluestreak.com `127.0.0.1 c1.statcounter.com `127.0.0.1 c1.thecounter.com `127.0.0.1 c1.xxxcounter.com `127.0.0.1 c2.gostats.com `127.0.0.1 c2.thecounter.com `127.0.0.1 c3.gostats.com `127.0.0.1 c3.thecounter.com `127.0.0.1 c3.xxxcounter.com `127.0.0.1 cashcounter.com `127.0.0.1 cgi.hotstat.nl `127.0.0.1 click.atdmt.com `127.0.0.1 click.fivemtn.com `127.0.0.1 click.payserve.com `127.0.0.1 click.silvercash.com `127.0.0.1 clickspring.net `127.0.0.1 clit13.sextracker.com `127.0.0.1 clit15.sextracker.com `127.0.0.1 clit2.sextracker.com `127.0.0.1 clit6.sextracker.com `127.0.0.1 clit8.sextracker.com `127.0.0.1 clk.aboxdeal.com `127.0.0.1 cnn.entertainment.printthis.clickability.com `127.0.0.1 collector.deepmetrix.com `127.0.0.1 cookies.cmpnet.com `127.0.0.1 count.paycounter.com `127.0.0.1 counter.aaddzz.com `127.0.0.1 counter.bloke.com `127.0.0.1 counter.digits.com `127.0.0.1 counter.hitslink.com `127.0.0.1 counter.rambler.ru `127.0.0.1 counter.yadro.ru `127.0.0.1 counter10.bravenet.com `127.0.0.1 counter12.sextracker.com `127.0.0.1 counter13.sextracker.com `127.0.0.1 counter14.sextracker.com `127.0.0.1 counter15.sextracker.com `127.0.0.1 counter16.bravenet.com `127.0.0.1 counter17.bravenet.com `127.0.0.1 counter19.bravenet.com `127.0.0.1 counter2.freeware.de `127.0.0.1 counter2.hitslink.com `127.0.0.1 counter2.sextracker.com `127.0.0.1 counter26.bravenet.com `127.0.0.1 counter27.bravenet.com `127.0.0.1 counter3.sextracker.com `127.0.0.1 counter32.bravenet.com `127.0.0.1 counter34.bravenet.com `127.0.0.1 counter39.bravenet.com `127.0.0.1 counter4.sextracker.com `127.0.0.1 counter41.bravenet.com `127.0.0.1 counter43.bravenet.com `127.0.0.1 counter45.bravenet.com `127.0.0.1 counter47.bravenet.com `127.0.0.1 counter49.bravenet.com `127.0.0.1 counter5.sextracker.com `127.0.0.1 counter50.bravenet.com `127.0.0.1 counter6.sextracker.com `127.0.0.1 counter7.sextracker.com `127.0.0.1 counter8.bravenet.com `127.0.0.1 counter9.sextracker.com `127.0.0.1 counters.honesty.com `127.0.0.1 counters.xaraonline.com `127.0.0.1 data.coremetrics.com `127.0.0.1 data.webads.co.nz `127.0.0.1 dclk.themarketer.com `127.0.0.1 delivery.loopingclick.com `127.0.0.1 dimeprice.com `127.0.0.1 directads.mcafee.com `127.0.0.1 dwclick.com `127.0.0.1 ebay.doubleclick.net `127.0.0.1 economisttestcollect.insightfirst.com `127.0.0.1 ehg-amerix.hitbox.com `127.0.0.1 ehg-ati.hitbox.com `127.0.0.1 ehg-bestbuy.hitbox.com `127.0.0.1 ehg-bskyb.hitbox.com `127.0.0.1 ehg-cafepress.hitbox.com `127.0.0.1 ehg-cbs.hitbox.com `127.0.0.1 ehg-closetmaid.hitbox.com `127.0.0.1 ehg-crain.hitbox.com `127.0.0.1 ehg-dig.hitbox.com `127.0.0.1 ehg-eckounlimited.hitbox.com `127.0.0.1 ehg-espn.hitbox.com `127.0.0.1 ehg-foundation.hitbox.com `127.0.0.1 ehg-foxsports.hitbox.com `127.0.0.1 ehg-groceryworks.hitbox.com `127.0.0.1 ehg-idg.hitbox.com `127.0.0.1 ehg-ignitemedia.hitbox.com `127.0.0.1 ehg-liveperson.hitbox.com `127.0.0.1 ehg-mindshare.hitbox.com `127.0.0.1 ehg-mybc.hitbox.com `127.0.0.1 ehg-oreilley.hitbox.com `127.0.0.1 ehg-oreilly.hitbox.com `127.0.0.1 ehg-sonybssc.hitbox.com `127.0.0.1 ehg-sonyelec.hitbox.com `127.0.0.1 ehg-sonyny.hitbox.com `127.0.0.1 ehg-space.hitbox.com `127.0.0.1 ehg-sportsline.hitbox.com `127.0.0.1 ehg-techtarget.hitbox.com `127.0.0.1 ehg-tigerdirect.hitbox.com `127.0.0.1 ehg-uniontrib.hitbox.com `127.0.0.1 ehg-viacom.hitbox.com `127.0.0.1 ehg-wachovia.hitbox.com `127.0.0.1 ehg.commjun.hitbox.com `127.0.0.1 ehg.hitbox.com `127.0.0.1 ehg.mindshare.hitbox.com `127.0.0.1 fastclick.net `127.0.0.1 fastcounter.bcentral.com `127.0.0.1 fcstats.bcentral.com `127.0.0.1 flycast.com `127.0.0.1 g-wizzads.net `127.0.0.1 gator.com `127.0.0.1 gcrim.cincinnati.com `127.0.0.1 gcrim.flatoday.com `127.0.0.1 gcrim.idehostatesman.com `127.0.0.1 gcrim.tennessean.com `127.0.0.1 gcrim.thedailyjournal.com `127.0.0.1 gcrim.thejournalnews.com `127.0.0.1 gostats.com `127.0.0.1 gtcc1.acecounter.com `127.0.0.1 hc2.humanclick.com `127.0.0.1 hit2.hotlog.ru `127.0.0.1 hit37.chark.dk `127.0.0.1 hit37.chart.dk `127.0.0.1 hit39.chart.dk `127.0.0.1 hit5.hotlog.ru `127.0.0.1 hitbox.com `127.0.0.1 hits.webstat.com `127.0.0.1 http300.edge.ru4.com `127.0.0.1 images.dailydiscounts.com `127.0.0.1 imp.clickability.com `127.0.0.1 impacts.alliancehub.com `127.0.0.1 impit.tradedouble.com `127.0.0.1 insightfirst.com `127.0.0.1 int.sitestat.com `127.0.0.1 jkearns.freestats.com `127.0.0.1 kt4.kliptracker.com `127.0.0.1 linktrack.bravenet.com `127.0.0.1 log.btopenworld.com `127.0.0.1 logs.comics.com `127.0.0.1 logs.eresmas.com `127.0.0.1 logv18.xiti.com `127.0.0.1 logv32.xiti.com `127.0.0.1 logv4.xiti.com `127.0.0.1 m1.nedstatbasic.net `127.0.0.1 mailcheckisp.biz `127.0.0.1 media101.sitebrand.com `127.0.0.1 mt122.mtree.com `127.0.0.1 multi1.rmuk.co.uk `127.0.0.1 mvs.mediavantage.de `127.0.0.1 nedstat.s0.nl `127.0.0.1 nl.sitestat.com `127.0.0.1 okcounter.com `127.0.0.1 p.reuters.com `127.0.0.1 partner.alerts.aol.com `127.0.0.1 paxito.sitetracker.com `127.0.0.1 perso.estat.com `127.0.0.1 pmg.ad-logics.com `127.0.0.1 postclick.adcentriconline.com `127.0.0.1 prof.estat.com `127.0.0.1 s10.sitemeter.com `127.0.0.1 s11.sitemeter.com `127.0.0.1 s12.sitemeter.com `127.0.0.1 s13.sitemeter.com `127.0.0.1 s14.sitemeter.com `127.0.0.1 s15.sitemeter.com `127.0.0.1 s16.sitemeter.com `127.0.0.1 s17.sitemeter.com `127.0.0.1 s18.sitemeter.com `127.0.0.1 s2.statcounter.com `127.0.0.1 scrooge.channelcincinnati.com `127.0.0.1 scrooge.channeloklahoma.com `127.0.0.1 scrooge.click10.com `127.0.0.1 scrooge.clickondetroit.com `127.0.0.1 scrooge.nbcsandiego.com `127.0.0.1 scrooge.newsnet5.com `127.0.0.1 scrooge.thebostonchannel.com `127.0.0.1 scrooge.thedenverchannel.com `127.0.0.1 scrooge.theindychannel.com `127.0.0.1 scrooge.thekansascitychannel.com `127.0.0.1 scrooge.theomahachannel.com `127.0.0.1 scrooge.wesh.com `127.0.0.1 scrooge.wftv.com `127.0.0.1 scrooge.wsoctv.com `127.0.0.1 scrooge.wtov9.com `127.0.0.1 servedby.valuead.com `127.0.0.1 sm1.sitemeter.com `127.0.0.1 sm2.sitemeter.com `127.0.0.1 sm3.sitemeter.com `127.0.0.1 sm4.sitemeter.com `127.0.0.1 sm5.sitemeter.com `127.0.0.1 sm6.sitemeter.com `127.0.0.1 sm7.sitemeter.com `127.0.0.1 sm8.sitemeter.com `127.0.0.1 sm9.sitemeter.com `127.0.0.1 sovereign.sitetracker.com `127.0.0.1 spinbox.maccentral.com `127.0.0.1 ss.tiscali.com `127.0.0.1 ss.tiscali.it `127.0.0.1 st.sageanalyst.net `127.0.0.1 stat.onestat.com `127.0.0.1 stat.webmedia.pl `127.0.0.1 stat.www.fi `127.0.0.1 stat1.z-stat.com `127.0.0.1 stat3.cybermonitor.com `127.0.0.1 static.smni.com `127.0.0.1 statik.topica.com `127.0.0.1 stats.absol.co.za `127.0.0.1 stats.clickability.com `127.0.0.1 stats.groupninetyfour.com `127.0.0.1 stats.idsoft.com `127.0.0.1 stats.jippii.com `127.0.0.1 stats.klsoft.com `127.0.0.1 stats.surfaid.ihost.com `127.0.0.1 stats.www.ibm.com `127.0.0.1 stats1.clicktracks.com `127.0.0.1 statse.webtrendslive.com `127.0.0.1 superstats.com `127.0.0.1 targetnet.com `127.0.0.1 tates.freestats.com `127.0.0.1 te.newsday.com `127.0.0.1 te.suntimes.com `127.0.0.1 te.thestar.ca `127.0.0.1 te.thestar.com `127.0.0.1 te.trb.com `127.0.0.1 the.sextracker.com `127.0.0.1 track.directleads.com `127.0.0.1 track.domainsponsor.com `127.0.0.1 track.ft.com `127.0.0.1 track.homestead.com `127.0.0.1 tracker.clicktrade.com `127.0.0.1 tracker.tradedoubler.com `127.0.0.1 tracking.iol.co.za `127.0.0.1 truehits1.gits.net.th `127.0.0.1 u3102.47.spylog.com `127.0.0.1 u3608.20.spylog.com `127.0.0.1 u4056.56.spylog.com `127.0.0.1 u574.07.spylog.com `127.0.0.1 u977.40.spylog.com `127.0.0.1 valueclick.com `127.0.0.1 valueclick.net `127.0.0.1 visit.theglobeandmail.com `127.0.0.1 vsii.spindox.net `127.0.0.1 w104.hitbox.com `127.0.0.1 w113.hitbox.com `127.0.0.1 w128.hitbox.com `127.0.0.1 w131.hitbox.com `127.0.0.1 w25.hitbox.com `127.0.0.1 web1.realtracker.com `127.0.0.1 web2.realtracker.com `127.0.0.1 web3.realtracker.com `127.0.0.1 web4.realtracker.com `127.0.0.1 webbug.seatreport.com `127.0.0.1 webcounter.goweb.de `127.0.0.1 webhit.aftenposten.no `127.0.0.1 webhit.afterposten.no `127.0.0.1 webmasterkai.sitetracker.com `127.0.0.1 www.2001-007.com `127.0.0.1 www.247realmedia.com `127.0.0.1 www.addfreestats.com `127.0.0.1 www.bar.ry2002.02-ry014.snpr.hotmx.hair.zaam.net `127.0.0.1 www.bigbadted.com `127.0.0.1 www.bluestreak.com `127.0.0.1 www.clickclick.com `127.0.0.1 www.clickspring.net `127.0.0.1 www.clixgalore.com `127.0.0.1 www.directgrowthhormone.com `127.0.0.1 www.dwclick.com `127.0.0.1 www.emaildeals.biz `127.0.0.1 www.estats4all.com `127.0.0.1 www.fxcounters.com `127.0.0.1 www.gator.com `127.0.0.1 www.hitbox.com `127.0.0.1 www.metareward.com `127.0.0.1 www.naturalgrowthstore.biz `127.0.0.1 www.nedstat.com `127.0.0.1 www.originalicons.com `127.0.0.1 www.popuptrafic.com `127.0.0.1 www.premiumsmail.net `127.0.0.1 www.rightstats.com `127.0.0.1 www.specificclick.com `127.0.0.1 www.specificpop.com `127.0.0.1 www.statcount.com `127.0.0.1 www.statcounter.com `127.0.0.1 www.statsession.com `127.0.0.1 www.trafficmagnet.net `127.0.0.1 www.v61.com `127.0.0.1 www.web-stat.com `127.0.0.1 www.whereugetxxx.com `127.0.0.1 www1.addfreestats.com `127.0.0.1 www101.coolsavings.com `127.0.0.1 www2.addfreestats.com `127.0.0.1 www2.pagecount.com `127.0.0.1 www3.addfreestats.com `127.0.0.1 www3.click-fr.com `127.0.0.1 www6.click-fr.com `127.0.0.1 www60.valueclick.com `127.0.0.1 www7.counter.bloke.com `127.0.0.1 ad.au.doubleclick.net `127.0.0.1 ad.br.doubleclick.net `127.0.0.1 ad.de.doubleclick.net `127.0.0.1 ad.doubleclick.net `127.0.0.1 ad.fi.doubleclick.net `127.0.0.1 ad.fr.doubleclick.net `127.0.0.1 ad.it.doubleclick.net `127.0.0.1 ad.jp.doubleclick.net `127.0.0.1 ad.nl.doubleclick.net `127.0.0.1 ad.no.doubleclick.net `127.0.0.1 ad.se.doubleclick.net `127.0.0.1 ad.sg.doubleclick.net `127.0.0.1 ad.za.doubleclick.net `127.0.0.1 ad2.doubleclick.net `127.0.0.1 doubleclick.com `127.0.0.1 doubleclick.net `127.0.0.1 m1.doubleclick.net `127.0.0.1 m3.doubleclick.net `127.0.0.1 m4.doubleclick.net `127.0.0.1 m5.doubleclick.net `127.0.0.1 m6.doubleclick.net `127.0.0.1 m7.doubleclick.net `127.0.0.1 m8.doubleclick.net `127.0.0.1 m9.doubleclick.net `127.0.0.1 rd.intl.doubleclick.net `127.0.0.1 devfw.imrworldwide.com `127.0.0.1 fe1-au.imrworldwide.com `127.0.0.1 fe1-fi.imrworldwide.com `127.0.0.1 fe1-it.imrworldwide.com `127.0.0.1 fe2-au.imrworldwide.com `127.0.0.1 fe3-au.imrworldwide.com `127.0.0.1 fe3-gc.imrworldwide.com `127.0.0.1 fe3-uk.imrworldwide.com `127.0.0.1 fe4-uk.imrworldwide.com `127.0.0.1 imrworldwide.com `127.0.0.1 ninemsn.imrworldwide.com `127.0.0.1 rc-au.imrworldwide.com `127.0.0.1 redsheriff.com `127.0.0.1 server-au.imrworldwide.com `127.0.0.1 server-br.imrworldwide.com `127.0.0.1 server-ca.imrworldwide.com `127.0.0.1 server-de.imrworldwide.com `127.0.0.1 server-dk.imrworldwide.com `127.0.0.1 server-fi.imrworldwide.com `127.0.0.1 server-fr.imrworldwide.com `127.0.0.1 server-hk.imrworldwide.com `127.0.0.1 server-it.imrworldwide.com `127.0.0.1 server-jp.imrworldwide.com `127.0.0.1 server-no.imrworldwide.com `127.0.0.1 server-nz.imrworldwide.com `127.0.0.1 server-se.imrworldwide.com `127.0.0.1 server-sg.imrworldwide.com `127.0.0.1 server-stockh.imrworldwide.com `127.0.0.1 server-uk.imrworldwide.com `127.0.0.1 server-us.imrworldwide.com `127.0.0.1 telstra.imrworldwide.com `127.0.0.1 www.imrworldwide.com `127.0.0.1 www.imrworldwide.com.au `127.0.0.1 www.redsheriff.com `127.0.0.1 102.112.2o7.net `127.0.0.1 192.168.112.2o7.net `127.0.0.1 ancestrymsn.112.2o7.net `127.0.0.1 angmar.112.2o7.net `127.0.0.1 angts.112.2o7.net `127.0.0.1 angvac.112.2o7.net `127.0.0.1 canwest.112.2o7.net `127.0.0.1 cbaol.112.2o7.net `127.0.0.1 cbsncaasports.112.2o7.net `127.0.0.1 cbspgatour.112.2o7.net `127.0.0.1 cbsspln.112.2o7.net `127.0.0.1 cfrfa.112.2o7.net `127.0.0.1 classifiedscanada.112.2o7.net `127.0.0.1 cnetnews.112.2o7.net `127.0.0.1 denverpost.112.2o7.net `127.0.0.1 dischannel.112.2o7.net `127.0.0.1 execulink.112.2o7.net `127.0.0.1 f2nsmh.112.2o7.net `127.0.0.1 f2ntheage.112.2o7.net `127.0.0.1 georgewbush.112.2o7.net `127.0.0.1 georgewbushcom.112.2o7.net `127.0.0.1 gpaper108.112.2o7.net `127.0.0.1 gpaper109.112.2o7.net `127.0.0.1 gpaper110.112.2o7.net `127.0.0.1 gpaper111.112.2o7.net `127.0.0.1 gpaper112.112.2o7.net `127.0.0.1 gpaper113.112.2o7.net `127.0.0.1 gpaper114.112.2o7.net `127.0.0.1 gpaper115.112.2o7.net `127.0.0.1 gpaper116.112.2o7.net `127.0.0.1 gpaper117.112.2o7.net `127.0.0.1 gpaper118.112.2o7.net `127.0.0.1 gpaper119.112.2o7.net `127.0.0.1 gpaper120.112.2o7.net `127.0.0.1 gpaper121.112.2o7.net `127.0.0.1 gpaper122.112.2o7.net `127.0.0.1 gpaper123.112.2o7.net `127.0.0.1 gpaper124.112.2o7.net `127.0.0.1 gpaper125.112.2o7.net `127.0.0.1 gpaper126.112.2o7.net `127.0.0.1 gpaper127.112.2o7.net `127.0.0.1 gpaper128.112.2o7.net `127.0.0.1 gpaper129.112.2o7.net `127.0.0.1 gpaper133.112.2o7.net `127.0.0.1 gpaper138.112.2o7.net `127.0.0.1 gpaper144.112.2o7.net `127.0.0.1 gpaper147.112.2o7.net `127.0.0.1 gpaper151.112.2o7.net `127.0.0.1 gpaper154.112.2o7.net `127.0.0.1 gpaper158.112.2o7.net `127.0.0.1 gpaper164.112.2o7.net `127.0.0.1 gpaper166.112.2o7.net `127.0.0.1 gpaper176.112.2o7.net `127.0.0.1 gpaper177.112.2o7.net `127.0.0.1 gpaper180.112.2o7.net `127.0.0.1 gpaper183.112.2o7.net `127.0.0.1 gpaper202.112.2o7.net `127.0.0.1 gpaper204.112.2o7.net `127.0.0.1 hchrmain.112.2o7.net `127.0.0.1 homesclick.112.2o7.net `127.0.0.1 hpglobal.112.2o7.net `127.0.0.1 hphqglobal.112.2o7.net `127.0.0.1 intelglobal.112.2o7.net `127.0.0.1 laxpsd.112.2o7.net `127.0.0.1 mgtbo.112.2o7.net `127.0.0.1 mlbglobal.112.2o7.net `127.0.0.1 mngidmn.112.2o7.net `127.0.0.1 mngislctrib.112.2o7.net `127.0.0.1 mxmacromedia.112.2o7.net `127.0.0.1 neber.112.2o7.net `127.0.0.1 nmcommancomedia.112.2o7.net `127.0.0.1 nmkawartha.112.2o7.net `127.0.0.1 nmminneapolis.112.2o7.net `127.0.0.1 nmsacramento.112.2o7.net `127.0.0.1 novellcom.112.2o7.net `127.0.0.1 nytbglobe.112.2o7.net `127.0.0.1 nytglobe.112.2o7.net `127.0.0.1 nythglobe.112.2o7.net `127.0.0.1 nytimesglobal.112.2o7.net `127.0.0.1 nytimesnonsampled.112.2o7.net `127.0.0.1 nytimesnoonsampled.112.2o7.net `127.0.0.1 nytrlakeland.112.2o7.net `127.0.0.1 nytrsarasota.112.2o7.net `127.0.0.1 pulpantagraph.112.2o7.net `127.0.0.1 rckymtnnws.112.2o7.net `127.0.0.1 thinkgeek.112.2o7.net `127.0.0.1 verisonwildcard.112.2o7.net `127.0.0.1 2.marketbanker.com `127.0.0.1 207-87-18-203.wsmg.digex.net `127.0.0.1 3ad.doubleclick.net `127.0.0.1 a.as-eu.falkag.net `127.0.0.1 a.as-us.falkag.net `127.0.0.1 a.mktw.net `127.0.0.1 a.websponsors.com `127.0.0.1 a3.suntimes.com `127.0.0.1 abcnews.footprint.net `127.0.0.1 ac.rnm.ca `127.0.0.1 actionflash.com `127.0.0.1 actionsplash.com `127.0.0.1 ad-adex3.flycast.com `127.0.0.1 ad-souk.com `127.0.0.1 ad.3au.doubleclick.net `127.0.0.1 ad.71i.de `127.0.0.1 ad.abcnews.com `127.0.0.1 ad.aboutwebservices.com `127.0.0.1 ad.adex3.flycast.com `127.0.0.1 ad.adition.de `127.0.0.1 ad.adition.net `127.0.0.1 ad.adsmart.net `127.0.0.1 ad.aftonbladet.se `127.0.0.1 ad.asv.de `127.0.0.1 ad.deviantart.com `127.0.0.1 ad.es.doubleclick.net `127.0.0.1 ad.espn.starwave.com `127.0.0.1 ad.eurosport.com `127.0.0.1 ad.horvitznewspapers.net `127.0.0.1 ad.howstuffworks.com `127.0.0.1 ad.iwin.com `127.0.0.1 ad.leadcrunch.com `127.0.0.1 ad.linkexchange.com `127.0.0.1 ad.linksynergy.com `127.0.0.1 ad.moscowtimes.ru `127.0.0.1 ad.nate.com `127.0.0.1 ad.network60.com `127.0.0.1 ad.preferences.com `127.0.0.1 ad.pro-advertising.com `127.0.0.1 ad.repubblica.it `127.0.0.1 ad.showbizz.net `127.0.0.1 ad.sma.punto.net `127.0.0.1 ad.smni.com `127.0.0.1 ad.suprnova.org `127.0.0.1 ad.tbn.ru `127.0.0.1 ad.tv2.no `127.0.0.1 ad.uk.tangozebra.com `127.0.0.1 ad.usatoday.com `127.0.0.1 ad.ve.doubleclick.net `127.0.0.1 ad.webprovider.com `127.0.0.1 ad01.focalink.com `127.0.0.1 ad01.mediacorpsingapore.com `127.0.0.1 ad02.focalink.com `127.0.0.1 ad03.focalink.com `127.0.0.1 ad04.focalink.com `127.0.0.1 ad05.focalink.com `127.0.0.1 ad06.focalink.com `127.0.0.1 ad07.focalink.com `127.0.0.1 ad08.focalink.com `127.0.0.1 ad09.focalink.com `127.0.0.1 ad1.hotel.com `127.0.0.1 ad1.lbn.ru `127.0.0.1 ad1.peel.com `127.0.0.1 ad10.focalink.com `127.0.0.1 ad11.focalink.com `127.0.0.1 ad12.focalink.com `127.0.0.1 ad13.focalink.com `127.0.0.1 ad14.focalink.com `127.0.0.1 ad15.focalink.com `127.0.0.1 ad16.focalink.com `127.0.0.1 ad17.focalink.com `127.0.0.1 ad18.focalink.com `127.0.0.1 ad19.focalink.com `127.0.0.1 ad2.hotel.com `127.0.0.1 ad2.lbn.ru `127.0.0.1 ad2.pamedia.com `127.0.0.1 ad2.peel.com `127.0.0.1 ad2.smni.com `127.0.0.1 ad3.lbn.ru `127.0.0.1 ad4.lbn.ru `127.0.0.1 ad5.lbn.ru `127.0.0.1 adbot.theonion.com `127.0.0.1 adcentric.randomseed.com `127.0.0.1 adcentriconline.com `127.0.0.1 adcontent.gamespy.com `127.0.0.1 adcontroller.unicast.com `127.0.0.1 adcreative.tribuneinteractive.com `127.0.0.1 adcycle.icpeurope.net `127.0.0.1 adex1.flycast.com `127.0.0.1 adex2.flycast.com `127.0.0.1 adex3.flycast.com `127.0.0.1 adfarm.mediaplex.com `127.0.0.1 adforce.ads.imgis.com `127.0.0.1 adforce.adtech.de `127.0.0.1 adforce.imgis.com `127.0.0.1 adfu.blockstackers.com `127.0.0.1 adgraphics.theonion.com `127.0.0.1 adi.mainichi.co.jp `127.0.0.1 adimage.asia1.com.sg `127.0.0.1 adimage.asiaone.com `127.0.0.1 adimage.asiaone.com.sg `127.0.0.1 adimage.blm.net `127.0.0.1 adimages.earthweb.com `127.0.0.1 adimages.go.com `127.0.0.1 adimages.mp3.com `127.0.0.1 adincl.gopher.com `127.0.0.1 adj1.thruport.com `127.0.0.1 adj10.thruport.com `127.0.0.1 adj11.thruport.com `127.0.0.1 adj12.thruport.com `127.0.0.1 adj13.thruport.com `127.0.0.1 adj14.thruport.com `127.0.0.1 adj15.thruport.com `127.0.0.1 adj16.thruport.com `127.0.0.1 adj16r1.thruport.com `127.0.0.1 adj17.thruport.com `127.0.0.1 adj18.thruport.com `127.0.0.1 adj2.thruport.com `127.0.0.1 adj3.thruport.com `127.0.0.1 adj4.thruport.com `127.0.0.1 adj5.thruport.com `127.0.0.1 adj6.thruport.com `127.0.0.1 adj7.thruport.com `127.0.0.1 adj8.thruport.com `127.0.0.1 adj9.thruport.com `127.0.0.1 adjuggler.yourdictionary.com `127.0.0.1 adman.freeze.com `127.0.0.1 admanager.btopenworld.com `127.0.0.1 admedia.xoom.com `127.0.0.1 admin.digitalacre.com `127.0.0.1 adnet.chicago.tribune.com `127.0.0.1 adnetwork.nextgen.net `127.0.0.1 adng.ascii24.com `127.0.0.1 adpepper.dk `127.0.0.1 adpick.switchboard.com `127.0.0.1 adpulse.ads.targetnet.com `127.0.0.1 adpush.dreamscape.com `127.0.0.1 adremote.pathfinder.com `127.0.0.1 adremote.timeinc.net `127.0.0.1 ads-direct.prodigy.net `127.0.0.1 ads.accelerator-media.com `127.0.0.1 ads.active.com `127.0.0.1 ads.ad-flow.com `127.0.0.1 ads.adcorps.com `127.0.0.1 ads.addesktop.com `127.0.0.1 ads.addynamix.com `127.0.0.1 ads.admaximize.com `127.0.0.1 ads.admonitor.net `127.0.0.1 ads.adsag.com `127.0.0.1 ads.adtegrity.net `127.0.0.1 ads.adviva.net `127.0.0.1 ads.adworldnetwork.com `127.0.0.1 ads.ah-ha.com `127.0.0.1 ads.allsites.com `127.0.0.1 ads.amazingmedia.com `127.0.0.1 ads.anm.co.uk `127.0.0.1 ads.as4x.tmcs.net `127.0.0.1 ads.as4x.tmcs.ticketmaster.ca `127.0.0.1 ads.asia1.com `127.0.0.1 ads.asia1.com.sg `127.0.0.1 ads.astalavista.us `127.0.0.1 ads.auctioncity.co.nz `127.0.0.1 ads.bangkokpost.co.th `127.0.0.1 ads.banner.t-online.de `127.0.0.1 ads.beliefnet.com `127.0.0.1 ads.belointeractive.com `127.0.0.1 ads.bfast.com `127.0.0.1 ads.bigcitytools.com `127.0.0.1 ads.bloomberg.com `127.0.0.1 ads.bluemountain.com `127.0.0.1 ads.bonnint.net `127.0.0.1 ads.box.sk `127.0.0.1 ads.businessweek.com `127.0.0.1 ads.camrecord.com `127.0.0.1 ads.canoe.ca `127.0.0.1 ads.cbc.ca `127.0.0.1 ads.champs-elysees.com `127.0.0.1 ads.channel4.com `127.0.0.1 ads.checkm8.co.za `127.0.0.1 ads.chumcity.com `127.0.0.1 ads.clickability.com `127.0.0.1 ads.clickad.com.pl `127.0.0.1 ads.clickagents.com `127.0.0.1 ads.clickhouse.com `127.0.0.1 ads.clickthru.net `127.0.0.1 ads.collegemix.com `127.0.0.1 ads.coopson.com `127.0.0.1 ads.courierpostonline.com `127.0.0.1 ads.cpsgsoftware.com `127.0.0.1 ads.democratandchronicle.com `127.0.0.1 ads.dennisnet.co.uk `127.0.0.1 ads.desmoinesregister.com `127.0.0.1 ads.developershed.com `127.0.0.1 ads.deviantart.com `127.0.0.1 ads.digital-digest.com `127.0.0.1 ads.digitalacre.com `127.0.0.1 ads.digitalhealthcare.com `127.0.0.1 ads.digitalmedianet.com `127.0.0.1 ads.discovery.com `127.0.0.1 ads.drf.com `127.0.0.1 ads.economist.com `127.0.0.1 ads.enliven.com `127.0.0.1 ads.euniverseads.com `127.0.0.1 ads.examiner.net `127.0.0.1 ads.exhedra.com `127.0.0.1 ads.fairfax.com.au `127.0.0.1 ads.flabber.nl `127.0.0.1 ads.fool.com `127.0.0.1 ads.forbes.com `127.0.0.1 ads.fredericksburg.com `127.0.0.1 ads.freshmeat.net `127.0.0.1 ads.ft.com `127.0.0.1 ads.gamespy.com `127.0.0.1 ads.gamespyid.com `127.0.0.1 ads.gateway.com `127.0.0.1 ads.globeandmail.com `127.0.0.1 ads.gorillanation.com `127.0.0.1 ads.granadamedia.com `127.0.0.1 ads.greenvilleonline.com `127.0.0.1 ads.guardian.co.uk `127.0.0.1 ads.guardianunlimited.co.uk `127.0.0.1 ads.hamptonroads.com `127.0.0.1 ads.hamtonroads.com `127.0.0.1 ads.hardwarezone.com `127.0.0.1 ads.heraldsun.com `127.0.0.1 ads.hitcents.com `127.0.0.1 ads.hollywood.com `127.0.0.1 ads.i33.com `127.0.0.1 ads.icq.com `127.0.0.1 ads.ign.com `127.0.0.1 ads.illuminatednation.com `127.0.0.1 ads.indiatimes.com `127.0.0.1 ads.indystar.com `127.0.0.1 ads.inetdirectories.com `127.0.0.1 ads.infi.net `127.0.0.1 ads.injersey.com `127.0.0.1 ads.iol.co.il `127.0.0.1 ads.isat-tech.com `127.0.0.1 ads.isoftmarketing.com `127.0.0.1 ads.jacksonville.com `127.0.0.1 ads.jeneauempire.com `127.0.0.1 ads.jpost.com `127.0.0.1 ads.jwtt3.com `127.0.0.1 ads.kleinman.com `127.0.0.1 ads.ksl.com `127.0.0.1 ads.link4ads.com `127.0.0.1 ads.linksponsor.com `127.0.0.1 ads.linktracking.net `127.0.0.1 ads.list-universe.com `127.0.0.1 ads.lycos.com `127.0.0.1 ads.madison.com `127.0.0.1 ads.mcafee.com `127.0.0.1 ads.mdchoice.com `127.0.0.1 ads.mediaodyssey.com `127.0.0.1 ads.mediaturf.net `127.0.0.1 ads.mgnetwork.com `127.0.0.1 ads.mindsetnetwork.com `127.0.0.1 ads.mircx.com `127.0.0.1 ads.mm.ap.org `127.0.0.1 ads.mouseplanet.com `127.0.0.1 ads.mustangworks.com `127.0.0.1 ads.mytelus.com `127.0.0.1 ads.nandomedia.com `127.0.0.1 ads.nationalreview.com `127.0.0.1 ads.nerve.com `127.0.0.1 ads.newcity.com `127.0.0.1 ads.newsint.co.uk `127.0.0.1 ads.newsquest.co.uk `127.0.0.1 ads.newtimes.com `127.0.0.1 ads.northjersey.com `127.0.0.1 ads.ntadvice.com `127.0.0.1 ads.nwsource.com `127.0.0.1 ads.nyjournalnews.com `127.0.0.1 ads.nypost.com `127.0.0.1 ads.nytimes.com `127.0.0.1 ads.omaha.com `127.0.0.1 ads.orsm.net `127.0.0.1 ads.osdn.com `127.0.0.1 ads.parrysound.com `127.0.0.1 ads.peel.com `127.0.0.1 ads.pennyweb.com `127.0.0.1 ads.pg.valueclick.net `127.0.0.1 ads.pilotonline.com `127.0.0.1 ads.pointroll.com `127.0.0.1 ads.premiumnetwork.com `127.0.0.1 ads.pressdemo.com `127.0.0.1 ads.prisacom.com `127.0.0.1 ads.pro-market.net `127.0.0.1 ads.queendom.com `127.0.0.1 ads.quicken.com `127.0.0.1 ads.rackshack.net `127.0.0.1 ads.realcities.com `127.0.0.1 ads.rediff.com `127.0.0.1 ads.register.com `127.0.0.1 ads.roanoke.com `127.0.0.1 ads.rodale.com `127.0.0.1 ads.rondomondo.com `127.0.0.1 ads.savannahnow.com `127.0.0.1 ads.scabee.com `127.0.0.1 ads.schwabtrader.com `127.0.0.1 ads.seattletimes.com `127.0.0.1 ads.simtel.com `127.0.0.1 ads.sitemeter.com `127.0.0.1 ads.smartclicks.com `127.0.0.1 ads.smartclicks.net `127.0.0.1 ads.snowball.com `127.0.0.1 ads.sohh.com `127.0.0.1 ads.space.com `127.0.0.1 ads.sptimes.com `127.0.0.1 ads.spymac.net `127.0.0.1 ads.starbanner.com `127.0.0.1 ads.stephensmedia.com `127.0.0.1 ads.stileproject.com `127.0.0.1 ads.stupid.com `127.0.0.1 ads.switchboard.com `127.0.0.1 ads.techtv.com `127.0.0.1 ads.telegraph.co.uk `127.0.0.1 ads.the15thinternet.com `127.0.0.1 ads.theglobeandmail.com `127.0.0.1 ads.theolympian.com `127.0.0.1 ads.thestar.com `127.0.0.1 ads.thewebfreaks.com `127.0.0.1 ads.timesunion.com `127.0.0.1 ads.top500.org `127.0.0.1 ads.toronto.com `127.0.0.1 ads.townhall.com `127.0.0.1 ads.track.net `127.0.0.1 ads.traderonline.com `127.0.0.1 ads.tricityherald.com `127.0.0.1 ads.tripod.com `127.0.0.1 ads.tromaville.com `127.0.0.1 ads.tucows.com `127.0.0.1 ads.ucomics.com `127.0.0.1 ads.valuead.com `127.0.0.1 ads.vegas.com `127.0.0.1 ads.veloxia.com `127.0.0.1 ads.vnuemedia.com `127.0.0.1 ads.weather.com `127.0.0.1 ads.web.aol.com `127.0.0.1 ads.web.compuserve.com `127.0.0.1 ads.webcoretech.com `127.0.0.1 ads.webmd.com `127.0.0.1 ads.websponsors.com `127.0.0.1 ads.whi.co.nz `127.0.0.1 ads.xtra.co.nz `127.0.0.1 ads.zap2it.com `127.0.0.1 ads.zdnet.com `127.0.0.1 ads01.focalink.com `127.0.0.1 ads01.hyperbanner.net `127.0.0.1 ads02.focalink.com `127.0.0.1 ads02.hyperbanner.net `127.0.0.1 ads03.focalink.com `127.0.0.1 ads03.hyperbanner.net `127.0.0.1 ads04.focalink.com `127.0.0.1 ads04.hyperbanner.net `127.0.0.1 ads05.focalink.com `127.0.0.1 ads05.hyperbanner.net `127.0.0.1 ads06.focalink.com `127.0.0.1 ads06.hyperbanner.net `127.0.0.1 ads07.focalink.com `127.0.0.1 ads07.hyperbanner.net `127.0.0.1 ads08.focalink.com `127.0.0.1 ads08.hyperbanner.net `127.0.0.1 ads09.focalink.com `127.0.0.1 ads09.hyperbanner.net `127.0.0.1 ads1.activeagent.at `127.0.0.1 ads1.ad-flow.com `127.0.0.1 ads1.advance.net `127.0.0.1 ads1.advertwizard.com `127.0.0.1 ads1.ami-admin.com `127.0.0.1 ads1.canoe.ca `127.0.0.1 ads1.globeandmail.com `127.0.0.1 ads1.jev.co.za `127.0.0.1 ads1.realcities.com `127.0.0.1 ads1.sptimes.com `127.0.0.1 ads1.theglobeandmail.com `127.0.0.1 ads1.ucomics.com `127.0.0.1 ads1.udc.advance.net `127.0.0.1 ads1.updated.com `127.0.0.1 ads1.virtumundo.com `127.0.0.1 ads1.zdnet.com `127.0.0.1 ads10.focalink.com `127.0.0.1 ads10.hyperbanner.net `127.0.0.1 ads11.focalink.com `127.0.0.1 ads11.hyperbanner.net `127.0.0.1 ads12.focalink.com `127.0.0.1 ads12.hyperbanner.net `127.0.0.1 ads13.focalink.com `127.0.0.1 ads13.hyperbanner.net `127.0.0.1 ads14.bpath.com `127.0.0.1 ads14.focalink.com `127.0.0.1 ads14.hyperbanner.net `127.0.0.1 ads15.focalink.com `127.0.0.1 ads15.hyperbanner.net `127.0.0.1 ads16.focalink.com `127.0.0.1 ads16.hyperbanner.net `127.0.0.1 ads17.focalink.com `127.0.0.1 ads17.hyperbanner.net `127.0.0.1 ads18.focalink.com `127.0.0.1 ads18.hyperbanner.net `127.0.0.1 ads19.focalink.com `127.0.0.1 ads2.ad-flow.com `127.0.0.1 ads2.advance.net `127.0.0.1 ads2.advertwizard.com `127.0.0.1 ads2.canoe.ca `127.0.0.1 ads2.clickad.com `127.0.0.1 ads2.newtimes.com `127.0.0.1 ads2.osdn.com `127.0.0.1 ads2.realcities.com `127.0.0.1 ads2.udc.advance.net `127.0.0.1 ads2.virtumundo.com `127.0.0.1 ads2.zdnet.com `127.0.0.1 ads20.focalink.com `127.0.0.1 ads21.focalink.com `127.0.0.1 ads22.focalink.com `127.0.0.1 ads23.focalink.com `127.0.0.1 ads24.focalink.com `127.0.0.1 ads25.focalink.com `127.0.0.1 ads3.ad-flow.com `127.0.0.1 ads3.advance.net `127.0.0.1 ads3.advertwizard.com `127.0.0.1 ads3.canoe.ca `127.0.0.1 ads3.freebannertrade.com `127.0.0.1 ads3.realcities.com `127.0.0.1 ads3.virtumundo.com `127.0.0.1 ads3.zdnet.com `127.0.0.1 ads36.hyperbanner.net `127.0.0.1 ads4.ad-flow.com `127.0.0.1 ads4.advance.net `127.0.0.1 ads4.advertwizard.com `127.0.0.1 ads4.canoe.ca `127.0.0.1 ads4.clearchannel.com `127.0.0.1 ads4.realcities.com `127.0.0.1 ads4.virtumundo.com `127.0.0.1 ads5.ad-flow.com `127.0.0.1 ads5.advance.net `127.0.0.1 ads5.advertwizard.com `127.0.0.1 ads5.canoe.ca `127.0.0.1 ads5.udc.advance.net `127.0.0.1 ads5.virtumundo.com `127.0.0.1 ads6.ad-flow.com `127.0.0.1 ads6.advertwizard.com `127.0.0.1 ads7.ad-flow.com `127.0.0.1 ads7.advance.net `127.0.0.1 ads7.advertwizard.com `127.0.0.1 ads8.ad-flow.com `127.0.0.1 ads8.advertwizard.com `127.0.0.1 ads9.ad-flow.com `127.0.0.1 ads9.advertwizard.com `127.0.0.1 adsatt.abcnews.starwave.com `127.0.0.1 adsatt.espn.starwave.com `127.0.0.1 adserv.aip.org `127.0.0.1 adserv.bravenet.com `127.0.0.1 adserv.iafrica.com `127.0.0.1 adserv.quality-channel.de `127.0.0.1 adserv2.bravenet.com `127.0.0.1 adserve.viaarena.com `127.0.0.1 adserver.71i.de `127.0.0.1 adserver.adtech.de `127.0.0.1 adserver.aim4media.com `127.0.0.1 adserver.airmiles.ca `127.0.0.1 adserver.ancestry.com `127.0.0.1 adserver.anm.co.uk `127.0.0.1 adserver.dbusiness.com `127.0.0.1 adserver.digitalpartners.com `127.0.0.1 adserver.dnps.com `127.0.0.1 adserver.eham.net `127.0.0.1 adserver.eva2000.com `127.0.0.1 adserver.freenet.de `127.0.0.1 adserver.friendfinder.com `127.0.0.1 adserver.gamesquad.net `127.0.0.1 adserver.garden.com `127.0.0.1 adserver.gorillanation.com `127.0.0.1 adserver.hardwareanalysis.com `127.0.0.1 adserver.harktheherald.com `127.0.0.1 adserver.hellasnet.gr `127.0.0.1 adserver.hg-computer.de `127.0.0.1 adserver.humanux.com `127.0.0.1 adserver.ign.com `127.0.0.1 adserver.ixm.co.uk `127.0.0.1 adserver.janes.com `127.0.0.1 adserver.journalinteractive.com `127.0.0.1 adserver.linktrader.co.uk `127.0.0.1 adserver.lunarpages.com `127.0.0.1 adserver.m2kcore.com `127.0.0.1 adserver.matchcraft.com `127.0.0.1 adserver.merc.com `127.0.0.1 adserver.monster.com `127.0.0.1 adserver.news.com.au `127.0.0.1 adserver.newtimes.com `127.0.0.1 adserver.nydailynews.com `127.0.0.1 adserver.nzoom.com `127.0.0.1 adserver.phillyburbs.com `127.0.0.1 adserver.securityfocus.com `127.0.0.1 adserver.terra.com.br `127.0.0.1 adserver.thisislondon.co.uk `127.0.0.1 adserver.tilted.net `127.0.0.1 adserver.track-star.com `127.0.0.1 adserver.trader.ca `127.0.0.1 adserver.trb.com `127.0.0.1 adserver.tribuneinteractive.com `127.0.0.1 adserver.ugo.com `127.0.0.1 adserver01.ancestry.com `127.0.0.1 adserver1.backbeatmedia.com `127.0.0.1 adserver1.ogilvy-interactive.de `127.0.0.1 adserver2.creative.com `127.0.0.1 adsfac.net `127.0.0.1 adsintl.starwave.com `127.0.0.1 adsnew.userfriendly.org `127.0.0.1 adsr3pg.com.br `127.0.0.1 adsrc.bankrate.com `127.0.0.1 adsremote.scripps.com `127.0.0.1 adsrv.heraldtribune.com `127.0.0.1 adsrv.hpg.com.br `127.0.0.1 adsrv.iol.co.za `127.0.0.1 adsrv.news.com.au `127.0.0.1 adsrv.tuscaloosanews.com `127.0.0.1 adtag.sympatico.ca `127.0.0.1 adtegrity.spinbox.net `127.0.0.1 adtracking.vinden.nlfrm `127.0.0.1 adv.bannercity.ru `127.0.0.1 adv.bbanner.it `127.0.0.1 adv.surinter.net `127.0.0.1 adv.wp.pl `127.0.0.1 adveng.hiasys.com `127.0.0.1 advert.bayarea.com `127.0.0.1 advertising.gfxartist.com `127.0.0.1 advertising.hiasys.com `127.0.0.1 adverts.ecn.co.uk `127.0.0.1 adviva.net `127.0.0.1 adx.adrenalinesk.sk `127.0.0.1 affiliate.aol.com `127.0.0.1 affiliate.cfdebt.com `127.0.0.1 ajcclassifieds.com `127.0.0.1 ak.imgfarm.com `127.0.0.1 akaads-espn.starwave.com `127.0.0.1 alliance.adbureau.net `127.0.0.1 altfarm.mediaplex.com `127.0.0.1 amch.questionmarket.com `127.0.0.1 americansingles.click-url.com `127.0.0.1 antfarm-ad.flycast.com `127.0.0.1 apps5.oingo.com `127.0.0.1 arsconsole.global-intermedia.com `127.0.0.1 as1.falkag.de `127.0.0.1 au.ads.link4ads.com `127.0.0.1 aureate.com `127.0.0.1 banner.coza.com `127.0.0.1 banner.easyspace.com `127.0.0.1 banner.media-system.de `127.0.0.1 banner.northsky.com `127.0.0.1 banner.oddcast.com `127.0.0.1 banner.orb.net `127.0.0.1 banner.relcom.ru `127.0.0.1 banner2.inet-traffic.com `127.0.0.1 bannerads.anytimenews.com `127.0.0.1 bannerads.zwire.com `127.0.0.1 bannerimages.0catch.com `127.0.0.1 bannerpower.com `127.0.0.1 banners.affiliatefuel.com `127.0.0.1 banners.affiliatefuture.com `127.0.0.1 banners.bol.se `127.0.0.1 banners.directnic.com `127.0.0.1 banners.dnastudio.com `127.0.0.1 banners.easydns.com `127.0.0.1 banners.expressindia.com `127.0.0.1 banners.img.uol.com.br `127.0.0.1 banners.japantoday.com `127.0.0.1 banners.ksl.com `127.0.0.1 banners.linkbuddies.com `127.0.0.1 banners.looksmart.com `127.0.0.1 banners.netcraft.com `127.0.0.1 banners.nextcard.com `127.0.0.1 banners.pennyweb.com `127.0.0.1 banners.tucson.com `127.0.0.1 banners.webmasterplan.com `127.0.0.1 banners.wunderground.com `127.0.0.1 banners1.linkbuddies.com `127.0.0.1 banners2.castles.org `127.0.0.1 barnesandnoble.bfast.com `127.0.0.1 bell.adcentriconline.com `127.0.0.1 beseenad.looksmart.com `127.0.0.1 betterperformance.goldenopps.info `127.0.0.1 bfast.com `127.0.0.1 bidclix.net `127.0.0.1 bild.ivwbox.de `127.0.0.1 bizad.nikkeibp.co.jp `127.0.0.1 bn.bfast.com `127.0.0.1 c1.zedo.com `127.0.0.1 c2.zedo.com `127.0.0.1 c3.zedo.com `127.0.0.1 c4.maxserving.com `127.0.0.1 c4.zedo.com `127.0.0.1 c5.zedo.com `127.0.0.1 c6.zedo.com `127.0.0.1 c7.zedo.com `127.0.0.1 cache.unicast.com `127.0.0.1 califia.imaginemedia.com `127.0.0.1 campaigns.f2.com.au `127.0.0.1 cashflowmarketing.com `127.0.0.1 cdn2.adsdk.com `127.0.0.1 click.avenuea.com `127.0.0.1 click.go2net.com `127.0.0.1 click.linksynergy.com `127.0.0.1 clickcash.webpower.com `127.0.0.1 clickit.go2net.com `127.0.0.1 clicks.adultplex.com `127.0.0.1 clipserv.adclip.com `127.0.0.1 clk.cloudyisland.com `127.0.0.1 cmhtml.overture.com `127.0.0.1 cmn1lsm2.beliefnet.com `127.0.0.1 commerce.www.ibm.com `127.0.0.1 connect.247media.ads.link4ads.com `127.0.0.1 content.ad-flow.com `127.0.0.1 coreg.flashtrack.net `127.0.0.1 cornflakes.pathfinder.com `127.0.0.1 count.casino-trade.com `127.0.0.1 counter.hitbox.com `127.0.0.1 crux.songline.com `127.0.0.1 dart.chron.com `127.0.0.1 db4.net-filter.com `127.0.0.1 dev.adforum.com `127.0.0.1 djbanners.deadjournal.com `127.0.0.1 dl.ncbuy.com `127.0.0.1 dnads.directnic.com `127.0.0.1 ehg-acdsystems.hitbox.com `127.0.0.1 ehg-legonewyorkinc.hitbox.com `127.0.0.1 engage.everyone.net `127.0.0.1 engage.speedera.net `127.0.0.1 erie.smartage.com `127.0.0.1 espn.footprint.net `127.0.0.1 etad.telegraph.co.uk `127.0.0.1 etype.adbureau.net `127.0.0.1 euniverseads.com `127.0.0.1 exits1.webquest.net `127.0.0.1 exits2.webquest.net `127.0.0.1 ezboard.bigbangmedia.com `127.0.0.1 faz.ivwbox.de `127.0.0.1 fp.valueclick.com `127.0.0.1 gadgeteer.pdamart.com `127.0.0.1 gavzad.keenspot.com `127.0.0.1 gcirm.burlingtonfreepress.com `127.0.0.1 gcirm.citizen-times.com `127.0.0.1 gcirm.dmregister.com `127.0.0.1 gcirm.gannett-tv.com `127.0.0.1 gcirm.lsj.com `127.0.0.1 gcirm.tennessean.com `127.0.0.1 gcrim.democratandchronicle.com `127.0.0.1 gcrim.theolympian.com `127.0.0.1 gm.preferences.com `127.0.0.1 got2goshop.com `127.0.0.1 goto.trafficmultiplier.com `127.0.0.1 gravitron.chron.com `127.0.0.1 grfx.mp3.com `127.0.0.1 gs1.idsales.co.uk `127.0.0.1 guptamedianetwork.com `127.0.0.1 hg1.hitbox.com `127.0.0.1 http300.content.ru4.com `127.0.0.1 ieee.adbureau.net `127.0.0.1 if.bbanner.it `127.0.0.1 image.i1img.com `127.0.0.1 image.linkexchange.com `127.0.0.1 imageads.canoe.ca `127.0.0.1 images.ads.fairfax.com.au `127.0.0.1 images.clickfinders.com `127.0.0.1 images.cybereps.com `127.0.0.1 images.emapadserver.com `127.0.0.1 imageserv.adtech.de `127.0.0.1 imgserv.adbutler.com `127.0.0.1 imp.partner2profit.com `127.0.0.1 impact.cossette-webpact.com `127.0.0.1 impes.tradedoubler.com `127.0.0.1 impse.tradedoubler.com `127.0.0.1 inl.adbureau.net `127.0.0.1 itxt.vibrantmedia.com `127.0.0.1 ivwbox.de `127.0.0.1 jl29jd25sm24mc29.com `127.0.0.1 kansas.valueclick.com `127.0.0.1 kicker.ivwbox.de `127.0.0.1 klipmart.dvlabs.com `127.0.0.1 klipmart.forbes.com `127.0.0.1 knight.economist.com `127.0.0.1 lanzar.publicidadweb.com `127.0.0.1 links.dot.tk `127.0.0.1 linktracker.angelfire.com `127.0.0.1 liquidad.narrowcastmedia.com `127.0.0.1 lnads.osdn.com `127.0.0.1 load.focalex.com `127.0.0.1 lt.angelfire.com `127.0.0.1 m.tribalfusion.com `127.0.0.1 macaddictads.snv.futurenet.com `127.0.0.1 manuel.theonion.com `127.0.0.1 matrix.mediavantage.de `127.0.0.1 maximumpcads.imaginemedia.com `127.0.0.1 mds.centrport.net `127.0.0.1 media.adcentriconline.com `127.0.0.1 media.bonnint.net `127.0.0.1 media1.fastclick.net `127.0.0.1 media10.fastclick.net `127.0.0.1 media11.fastclick.net `127.0.0.1 media12.fastclick.net `127.0.0.1 media13.fastclick.net `127.0.0.1 media2.fastclick.net `127.0.0.1 media2.travelzoo.com `127.0.0.1 media3.fastclick.net `127.0.0.1 media4.fastclick.net `127.0.0.1 media5.fastclick.net `127.0.0.1 media6.fastclick.net `127.0.0.1 media7.fastclick.net `127.0.0.1 media8.fastclick.net `127.0.0.1 media9.fastclick.net `127.0.0.1 mediacharger.com `127.0.0.1 messagia.adcentric.proximi-t.com `127.0.0.1 mii-image.adjuggler.com `127.0.0.1 mjx.ads.nwsource.com `127.0.0.1 mjxads.internet.com `127.0.0.1 mojofarm.mediaplex.com `127.0.0.1 mt58.mtree.com `127.0.0.1 nb.netbreak.com.au `127.0.0.1 nbc.adbureau.net `127.0.0.1 netcomm.spinbox.net `127.0.0.1 netshelter.adtrix.com `127.0.0.1 network.realmedia.com `127.0.0.1 newads.cmpnet.com `127.0.0.1 ng3.ads.warnerbros.com `127.0.0.1 ngads.smartage.com `127.0.0.1 nitrous.exitfuel.com `127.0.0.1 nitrous.internetfuel.com `127.0.0.1 nsads.hotwired.com `127.0.0.1 ntbanner.digitalriver.com `127.0.0.1 nx-adv0005.247realmedia.com `127.0.0.1 nytadvertising.nytimes.com `127.0.0.1 oas-central.realmedia.com `127.0.0.1 oas-eu.247realmedia.com `127.0.0.1 oas.foxnews.com `127.0.0.1 oas.lee.net `127.0.0.1 oas.startribune.com `127.0.0.1 oas.villagevoice.com `127.0.0.1 oasads.whitepages.com `127.0.0.1 oascentral.abclocal.go.com `127.0.0.1 oascentral.adage.com `127.0.0.1 oascentral.bostonherald.com `127.0.0.1 oascentral.clearchannel.com `127.0.0.1 oascentral.construction.com `127.0.0.1 oascentral.crainsdetroit.com `127.0.0.1 oascentral.drphil.com `127.0.0.1 oascentral.foxnews.com `127.0.0.1 oascentral.sina.com `127.0.0.1 oascentral.sina.com.hk `127.0.0.1 oascentral.theonion.com `127.0.0.1 oascentral.theonionavclub.com `127.0.0.1 oascentral.thesmokinggun.com `127.0.0.1 oascentral.thespark.com `127.0.0.1 oascentral.wwe.com `127.0.0.1 oasis.zmh.zope.com `127.0.0.1 oassis.zmh.zope.com `127.0.0.1 offers.impower.com `127.0.0.1 onlineads.magicvalley.com `127.0.0.1 openad.travelnow.com `127.0.0.1 overflow.adsoftware.com `127.0.0.1 oz.valueclick.com `127.0.0.1 pagead.googlesyndication.com `127.0.0.1 pagead1.googlesyndication.com `127.0.0.1 pagead2.googlesyndication.com `127.0.0.1 partner.ah-ha.com `127.0.0.1 partner01.oingo.com `127.0.0.1 partner02.oingo.com `127.0.0.1 partner03.oingo.com `127.0.0.1 ph-ad01.focalink.com `127.0.0.1 ph-ad02.focalink.com `127.0.0.1 ph-ad03.focalink.com `127.0.0.1 ph-ad04.focalink.com `127.0.0.1 ph-ad05.focalink.com `127.0.0.1 ph-ad06.focalink.com `127.0.0.1 ph-ad07.focalink.com `127.0.0.1 ph-ad08.focalink.com `127.0.0.1 ph-ad09.focalink.com `127.0.0.1 ph-ad10.focalink.com `127.0.0.1 ph-ad11.focalink.com `127.0.0.1 ph-ad12.focalink.com `127.0.0.1 ph-ad13.focalink.com `127.0.0.1 ph-ad14.focalink.com `127.0.0.1 ph-ad15.focalink.com `127.0.0.1 ph-ad16.focalink.com `127.0.0.1 ph-ad17.focalink.com `127.0.0.1 ph-ad18.focalink.com `127.0.0.1 ph-ad19.focalink.com `127.0.0.1 ph-ad20.focalink.com `127.0.0.1 phg.hitbox.com `127.0.0.1 phpads.cnpapers.com `127.0.0.1 phpads.macbidouille.com `127.0.0.1 popup.matchmaker.com `127.0.0.1 popups.ad-logics.com `127.0.0.1 popups.infostart.com `127.0.0.1 primetime.ad.primetime.net `127.0.0.1 ptrads.mp3.com `127.0.0.1 publicidades.redtotalonline.com `127.0.0.1 q.azcentral.com `127.0.0.1 realads.realmedia.com `127.0.0.1 realmedia-a800.d4p.net `127.0.0.1 red01.as-eu.falkag.net `127.0.0.1 red01.as-us.falkag.net `127.0.0.1 red02.as-eu.falkag.net `127.0.0.1 red02.as-us.falkag.net `127.0.0.1 red03.as-eu.falkag.net `127.0.0.1 red03.as-us.falkag.net `127.0.0.1 red04.as-eu.falkag.net `127.0.0.1 red04.as-us.falkag.net `127.0.0.1 redherring.ngadcenter.net `127.0.0.1 redirect.click2net.com `127.0.0.1 regio.adlink.de `127.0.0.1 remotead.cnet.com `127.0.0.1 responsemedia-ad.flycast.com `127.0.0.1 rmedia.boston.com `127.0.0.1 rotabanner100.utro.ru `127.0.0.1 s0b.bluestreak.com `127.0.0.1 search.freeonline.com `127.0.0.1 secure-au.imrworldwide.com `127.0.0.1 secure.webconnect.net `127.0.0.1 securerunner.com `127.0.0.1 servads.aip.org `127.0.0.1 servedby.advertising.com `127.0.0.1 server.as5000.com `127.0.0.1 server.iad.liveperson.net `127.0.0.1 server01.popupmoney.com `127.0.0.1 sfads.osdn.com `127.0.0.1 sh4sure-images.adbureau.net `127.0.0.1 shinystat.shiny.it `127.0.0.1 simg.zedo.com `127.0.0.1 skill.skilljam.com `127.0.0.1 specialoffers.aol.com `127.0.0.1 speed.pointroll.com `127.0.0.1 spiegel.ivwbox.de `127.0.0.1 spin.spinbox.net `127.0.0.1 spinbox.consumerreview.com `127.0.0.1 sponsor1.com `127.0.0.1 ssads.osdn.com `127.0.0.1 st.valueclick.com `127.0.0.1 stat.dealtime.com `127.0.0.1 static.admaximize.com `127.0.0.1 static.everyone.net `127.0.0.1 static.firehunt.com `127.0.0.1 stats2.dooyoo.com `127.0.0.1 suissa-ad.flycast.com `127.0.0.1 sview.avenuea.com `127.0.0.1 techreview-images.adbureau.net `127.0.0.1 techreview.adbureau.net `127.0.0.1 thinknyc.eu-adcenter.net `127.0.0.1 tmsads.tribune.com `127.0.0.1 topica.advertserve.com `127.0.0.1 touche.adcentric.proximi-t.com `127.0.0.1 tower.adexpedia.com `127.0.0.1 transfer.go.com `127.0.0.1 tsms-ad.tsms.com `127.0.0.1 ttarget.adbureau.net `127.0.0.1 twnads.weather.ca `127.0.0.1 u0.extreme-dm.com `127.0.0.1 ugo.eu-adcenter.net `127.0.0.1 uk.i1.yimg.com `127.0.0.1 us.a1.yimg.com `127.0.0.1 usads.vibrantmedia.com `127.0.0.1 utils.mediageneral.com `127.0.0.1 v0.extreme-dm.com `127.0.0.1 v1.extreme-dm.com `127.0.0.1 van.ads.link4ads.com `127.0.0.1 venus.goclick.com `127.0.0.1 view.atdmt.com `127.0.0.1 view.avenuea.com `127.0.0.1 view.iballs.a1.avenuea.com `127.0.0.1 vnu.eu-adcenter.net `127.0.0.1 w.extreme-dm.com `127.0.0.1 w0.extreme-dm.com `127.0.0.1 w1.extreme-dm.com `127.0.0.1 w2.extreme-dm.com `127.0.0.1 w3.extreme-dm.com `127.0.0.1 w4.extreme-dm.com `127.0.0.1 w5.extreme-dm.com `127.0.0.1 w6.extreme-dm.com `127.0.0.1 w7.extreme-dm.com `127.0.0.1 w8.extreme-dm.com `127.0.0.1 w9.extreme-dm.com `127.0.0.1 web.nyc.ads.juno.co `127.0.0.1 web1b.netreflector.com `127.0.0.1 webads.bizservers.com `127.0.0.1 weeklyad.target.com `127.0.0.1 wwbtads.com `127.0.0.1 www.3qqq.net `127.0.0.1 www.3turtles.com `127.0.0.1 www.404errorpage.com `127.0.0.1 www.5thavenue.com `127.0.0.1 www.ad-souk.com `127.0.0.1 www.ad-up.com `127.0.0.1 www.ad.tomshardware.com `127.0.0.1 www.adbanner.gr `127.0.0.1 www.adforum.com `127.0.0.1 www.adimages.beeb.com `127.0.0.1 www.admex.com `127.0.0.1 www.adpepper.dk `127.0.0.1 www.adpowerzone.com `127.0.0.1 www.adreporting.com `127.0.0.1 www.adsoftware.com `127.0.0.1 www.adtrix.com `127.0.0.1 www.affiliateclick.com `127.0.0.1 www.aureate.com `127.0.0.1 www.banner4all.dk `127.0.0.1 www.boonsolutions.com `127.0.0.1 www.bugsbanner.it `127.0.0.1 www.bulkclicks.com `127.0.0.1 www.burstnet.com `127.0.0.1 www.buyhitscheap.com `127.0.0.1 www.click10.com `127.0.0.1 www.clickbank.com `127.0.0.1 www.clicktilluwin.com `127.0.0.1 www.clickxchange.com `127.0.0.1 www.coolsavings.com `127.0.0.1 www.cpabank.com `127.0.0.1 www.crazypopups.com `127.0.0.1 www.datatech.es `127.0.0.1 www.digimedia.com `127.0.0.1 www.direc-tory.tk `127.0.0.1 www.e-bannerx.com `127.0.0.1 www.eads.com `127.0.0.1 www.ehg-rr.hitbox.com `127.0.0.1 www.fast-adv.it `127.0.0.1 www.fineclicks.com `127.0.0.1 www.focalex.com `127.0.0.1 www.fusionbanners.com `127.0.0.1 www.gatoradvertisinginformationnetwork.com `127.0.0.1 www.getloan.com `127.0.0.1 www.gopopup.com `127.0.0.1 www.guesstheview.com `127.0.0.1 www.guptamedianetwork.com `127.0.0.1 www.hightrafficads.com `127.0.0.1 www.idealcasino.net `127.0.0.1 www.idirect.com `127.0.0.1 www.ijacko.net `127.0.0.1 www.indiads.com `127.0.0.1 www.infinite-ads.com `127.0.0.1 www.interstitialzone.com `127.0.0.1 www.iwin.com `127.0.0.1 www.jetseeker.com `127.0.0.1 www.jl29jd25sm24mc29.com `127.0.0.1 www.joinfree.ro `127.0.0.1 www.leadgreed.com `127.0.0.1 www.linkhut.com `127.0.0.1 www.lottoforever.com `127.0.0.1 www.media2.travelzoo.com `127.0.0.1 www.merchantapp.com `127.0.0.1 www.my-stats.com `127.0.0.1 www.myaffiliateprogram.com `127.0.0.1 www.myuitm.com `127.0.0.1 www.netpalnow.com `127.0.0.1 www.netpaloffers.net `127.0.0.1 www.ontheweb.com `127.0.0.1 www.parsads.com `127.0.0.1 www.paypopup.com `127.0.0.1 www.popupad.net `127.0.0.1 www.postmasterbannernet.com `127.0.0.1 www.radiate.com `127.0.0.1 www.rankyou.com `127.0.0.1 www.rtcode.com `127.0.0.1 www.securerunner.com `127.0.0.1 www.servedby.advertising.com `127.0.0.1 www.shoppingjobshere.com `127.0.0.1 www.smartadserver.com `127.0.0.1 www.speedyclick.com `127.0.0.1 www.sponsoradulto.com `127.0.0.1 www.subsitesadserver.co.uk `127.0.0.1 www.textbanners.net `127.0.0.1 www.top20free.com `127.0.0.1 www.treeloot.com `127.0.0.1 www.tutop.com `127.0.0.1 www.tuttosessogratis.org `127.0.0.1 www.ukbanners.com `127.0.0.1 www.uproar.com `127.0.0.1 www.utarget.co.uk `127.0.0.1 www.valueclick.com `127.0.0.1 www.virtumundo.com `127.0.0.1 www.webcashvideos.com `127.0.0.1 www.websponsors.com `127.0.0.1 www.whatuwhatuwhatuwant.com `127.0.0.1 www.windaily.com `127.0.0.1 www.winnerschoiceservices.com `127.0.0.1 www.xbn.ru `127.0.0.1 www1.ad.tomshardware.com `127.0.0.1 www1.bannerspace.com `127.0.0.1 www10.ad.tomshardware.com `127.0.0.1 www10.indiads.com `127.0.0.1 www10.paypopup.com `127.0.0.1 www11.ad.tomshardware.com `127.0.0.1 www12.ad.tomshardware.com `127.0.0.1 www13.ad.tomshardware.com `127.0.0.1 www14.ad.tomshardware.com `127.0.0.1 www15.ad.tomshardware.com `127.0.0.1 www2.ad.tomshardware.com `127.0.0.1 www2.bannerspace.com `127.0.0.1 www3.ad.tomshardware.com `127.0.0.1 www3.bannerspace.com `127.0.0.1 www4.ad.tomshardware.com `127.0.0.1 www4.bannerspace.com `127.0.0.1 www5.ad.tomshardware.com `127.0.0.1 www5.bannerspace.com `127.0.0.1 www6.ad.tomshardware.com `127.0.0.1 www6.bannerspace.com `127.0.0.1 www7.ad.tomshardware.com `127.0.0.1 www7.bannerspace.com `127.0.0.1 www74.valueclick.com `127.0.0.1 www8.ad.tomshardware.com `127.0.0.1 www81.valueclick.com `127.0.0.1 www9.ad.tomshardware.com `127.0.0.1 xlonhcld.xlontech.net `127.0.0.1 z.extreme-dm.com `127.0.0.1 z0.extreme-dm.com `127.0.0.1 z1.adserver.com `127.0.0.1 z1.extreme-dm.com `127.0.0.1 zads.zedo.com `127.0.0.1 zdads.e-media.com `127.0.0.1 us.b1.yimg.com `127.0.0.1 us.c1.yimg.com `127.0.0.1 us.d1.yimg.com `127.0.0.1 us.e1.yimg.com `127.0.0.1 us.f1.yimg.com `127.0.0.1 us.g1.yimg.com `127.0.0.1 us.h1.yimg.com `127.0.0.1 us.j1.yimg.com `127.0.0.1 us.k1.yimg.com `127.0.0.1 us.l1.yimg.com `127.0.0.1 us.m1.yimg.com `127.0.0.1 us.n1.yimg.com `127.0.0.1 us.o1.yimg.com `127.0.0.1 us.p1.yimg.com `127.0.0.1 us.q1.yimg.com `127.0.0.1 us.r1.yimg.com `127.0.0.1 us.s1.yimg.com `127.0.0.1 us.t1.yimg.com `127.0.0.1 us.u1.yimg.com `127.0.0.1 us.v1.yimg.com `127.0.0.1 us.w1.yimg.com `127.0.0.1 us.x1.yimg.com `127.0.0.1 us.y1.yimg.com `127.0.0.1 us.z1.yimg.com `127.0.0.1 incestland.com `127.0.0.1 www.asiansforu.com `127.0.0.1 www.datanotary.com `127.0.0.1 www.entercasino.com `127.0.0.1 www.incestdot.com `127.0.0.1 www.incestgold.com `127.0.0.1 www.mangayhentai.com `127.0.0.1 www.realincestvideos.com `127.0.0.1 www.secretosx.com `127.0.0.1 www.seductiveamateurs.com `127.0.0.1 www.xxxnations.com `127.0.0.1 www.xxxnightly.com `127.0.0.1 www.xxxtoolbar.com »Program Files *C:\ntldr *C:\ntdetect.com *C:\io.sys *C:\WINDOWS\system32\win.com *C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\WINDOWS\system32\notepad.exe *C:\WINDOWS\notepad.exe +C:\WINDOWS\system32\slrundll.exe *C:\WINDOWS\slrundll.exe +C:\WINDOWS\system32\taskman.exe *C:\WINDOWS\TASKMAN.EXE +C:\WINDOWS\system32\winhlp32.exe *C:\WINDOWS\winhlp32.exe »System/Drivers »Running Processes +0=<idle> +4=<system> +612=\SystemRoot\System32\smss.exe +660=\??\C:\WINDOWS\system32\csrss.exe +684=\??\C:\WINDOWS\system32\winlogon.exe +728=C:\WINDOWS\system32\services.exe +740=C:\WINDOWS\system32\lsass.exe +900=C:\WINDOWS\system32\svchost.exe +976=C:\WINDOWS\system32\svchost.exe +1060=C:\WINDOWS\System32\svchost.exe +1112=C:\WINDOWS\System32\svchost.exe +1272=C:\WINDOWS\System32\svchost.exe +1468=C:\WINDOWS\Explorer.EXE +1584=C:\WINDOWS\system32\spoolsv.exe +1668=C:\WINDOWS\system32\igfxtray.exe +1676=C:\WINDOWS\system32\hkcmd.exe +1692=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe +1708=C:\WINDOWS\System32\00THotkey.exe +1724=C:\Program Files\TOSHIBA\TouchED\TouchED.Exe +1736=C:\WINDOWS\system32\TFNF5.exe +1748=C:\WINDOWS\system32\TPWRTRAY.EXE +1760=C:\WINDOWS\System32\ezSP_Px.exe +1768=C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe +1788=C:\Program Files\ltmoh\Ltmoh.exe +1796=C:\WINDOWS\AGRSMMSG.exe +1820=C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE +1860=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe +1900=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe +1944=C:\Microsoft AntiSpyware\gcasServ.exe +1952=C:\RAM Idle\RAM_XP.exe +1960=C:\ZoneAlarm\zlclient.exe +1968=C:\QuickTime\qttask.exe +1980=C:\Spybot\TeaTimer.exe +2016=C:\WINDOWS\system32\CAP3RSK.EXE +156=C:\WINDOWS\system32\RAMASST.exe +208=C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE +284=C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE +484=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe +496=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe +516=C:\WINDOWS\System32\DVDRAMSV.exe +928=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe +1136=C:\Microsoft AntiSpyware\gcasDtServ.exe +1256=C:\WINDOWS\System32\svchost.exe +1268=C:\WINDOWS\System32\wdfmgr.exe +1316=C:\WINDOWS\system32\ZoneLabs\vsmon.exe +2604=C:\WINDOWS\System32\alg.exe +3748=C:\Program Files\Mozilla Firefox\firefox.exe +1532=C:\WINDOWS\system32\notepad.exe +2348=C:\Documents and Settings\Main User\Desktop\startdreck\StartDreck.exe »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User |
|
|
|
|
04-14-2005, 06:34 AM
|
#10 (permalink) |
|
Analyst, Security Team
|
For RegSrch, did you save it yet? You have to right click on that link and choose Save As since some computers will just open up that file in Notepad.
Go to C:\WINDOWS\ and double click on wininit.ini to open it. Delete these lines: `NUL=C:\WINDOWS\bdl44126.exe `nul=C:\gendel32.exe Save the file and close it. Run StartDreck with the same options checked like before. Click on each of the following and hit the Delete button in the program: *{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} `InprocServer32= Delete these two files: C:\WINDOWS\bdl44126.exe C:\gendel32.exe
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 06:50 AM
|
#11 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
OK for RegSearch, I did right click on it and Save As. I looked at its properties, it is saved as a VBScript Script File, but automatically set to open in Notepad. What should it be opening in?
I deleted *{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} but i could not click on the delete button for `InprocServer32= I did a search for C:\WINDOWS\bdl44126.exe and C:\gendel32.exe, neither were found. |
|
|
|
|
04-14-2005, 06:56 AM
|
#12 (permalink) |
|
Analyst, Security Team
|
No problem. I just wanted to make sure you did download it.
 OK, download noscript and run it. Does it say you have scripting disabled? If so, enable it using that program. Now run the vbs script. ** You may disable the scripting after this is all done if you want.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 07:05 AM
|
#13 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
Ok i downloaded NoScript and ran it. It said that scripting is enabled.
I deleted the VBS and downloaded again, still opens in Notebook. If this helps when I click on Save As, in 'save file type' the only option is text document. |
|
|
|
|
04-14-2005, 07:08 AM
|
#14 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
OK i got it, opened it in command prompt. here are the results:
REGEDIT4 ; RegSrch.vbs © Bill James ; Registry search results for string "564FFB73-9EEF-4969-92FA-5FC4A92E2C2A" 15/04/2005 12:07:09 AM ; NOTE: This file will be deleted when you close WordPad. ; You must manually save this file to a new location if you want to refer to it again later. ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SafeGuardProtect.PCShield\CLSID] @="{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SafeGuardProtect.PCShield.2.0\CLSID] @="{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}" [HKEY_USERS\S-1-5-21-2756014877-605660226-3650299314-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}] [HKEY_USERS\S-1-5-21-2756014877-605660226-3650299314-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}\iexplore] |
|
|
|
|
04-14-2005, 07:34 AM
|
#15 (permalink) |
|
Analyst, Security Team
|
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete SafeGuardProtect.PCShield Next go to HKEY_USERS\S-1-5-21-2756014877-605660226-3650299314-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ and delete {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Restart and post back a new HijackThis log. You should be clean now.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 07:42 AM
|
#16 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
OK here's the latest HJT log:
Logfile of HijackThis v1.99.1 Scan saved at 12:40:29 AM, on 15/04/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe C:\WINDOWS\System32\00THotkey.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPWRTRAY.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Microsoft AntiSpyware\gcasServ.exe C:\RAM Idle\RAM_XP.exe C:\ZoneAlarm\zlclient.exe C:\QuickTime\qttask.exe C:\Spybot\TeaTimer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\RAMASST.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE C:\WINDOWS\system32\CAP3RSK.EXE C:\Microsoft AntiSpyware\gcasDtServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Documents and Settings\Main User\Desktop\Security Programs\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.linkt.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkt.com.au/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\RF OPTICAL MOUSE\RF OPTICAL MOUSE\4.0\MOUSE32A.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [gcasServ] "C:\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [RAM Idle Professional] C:\RAM Idle\RAM_XP.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot\TeaTimer.exe O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099831942755 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8C40FDD8-7D2A-4A3D-8389-A2B557C903EE}: NameServer = 203.194.27.57,203.194.56.150 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Just as a side, you said to go HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ and delete SafeGuardProtect.PCShield. I also found a SafeGuardProtect.PCShield 2.0 should this be deleted as well? |
|
|
|
|
04-14-2005, 09:28 AM
|
#17 (permalink) |
|
Analyst, Security Team
|
Yes, delete that registry entry also.
Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 04:07 PM
|
#18 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
I thank you for your help in this so far, however my original problem still remains. Spybot is still detecting MySoft and gives the location of the file as Redirected Host: sitefinder.verisign.com=127.0.0.1. I can't get rid of it still because it is apparently 'in use'.
Also when I reboot now I get a message from Microsoft Antispyware saying an unknown BHO is trying to install itself. I've been blocking it every time. Last edited by Desmodus; 04-14-2005 at 04:12 PM. |
|
|
|
|
04-14-2005, 05:02 PM
|
#19 (permalink) |
|
Analyst, Security Team
|
Download Hoster http://www.greyknight17.com/spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK.
You had a modified hosts file before, so if you want to use that again, get one at this site and replace that HOSTS file. Run Hoster first just to make sure it can restore the hosts file. See if that fixes the problem.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 05:14 PM
|
#20 (permalink) |
|
Registered User
Join Date: Nov 2004
Posts: 124
OS: Vista(32)
|
Alrighty I ran Hoster and restorted the other hosts file without a problem. Rebooted and got the message from Spywareguard that the BHO trying to install itself is 564FFB73-9EEF-4969-92FA-5FC4A92E2C2A. I did a search for it in regedit, but couldn't find it. On the MySoft front though, Spybot did find a problem, but the location this time was different, and it was removed without a problem.
|
|
|
|
| Thread Tools | |
|
|
