MALWARE, TROJAN.ZLOB, WIN32 ALERTS PLEASE HELP [RESOLVED] - Geeks to Go Forums


MALWARE, TROJAN.ZLOB, WIN32 ALERTS PLEASE HELP [RESOLVED]

#1 mikey22

  • Group: Member
  • Posts: 5
  • Joined: 19-December 07

Posted 19 December 2007 - 04:20 PM

Getting multiple alerts saying I have worm.win32.netsky. Here is my hijack log, please help, this is driving me crazy. Thanks so much,

Mike



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:20 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\AOL\1122639952\ee\AOLSoftware.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mash1/en-us/mash...amp;affid=365-1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: BDEX System - {A8565FBC-8D53-4D4F-9BB0-CBC68A22B126} - C:\WINDOWS\blopenvxdt.dll
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1122639952\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...150/mcfscan.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: nopzet - {1BFBB9F1-5182-4CAD-8418-D55DA6005A1F} - C:\WINDOWS\nopzet.dll
O21 - SSODL: leorop - {AF045B1D-7DC3-46A1-8E67-28B6438CFE78} - C:\WINDOWS\leorop.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://media.kohls.com.edgesuite.net/is/im...mp;op_sharpen=1

--
End of file - 11724 bytes

#2 miekiemoes

  • Group: Member
  • Posts: 5,503
  • Joined: 12-January 05

Posted 20 December 2007 - 06:58 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know, in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!):
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#3 mikey22

  • Group: Member
  • Posts: 5
  • Joined: 19-December 07

Posted 20 December 2007 - 02:02 PM

Thanks for your help!

I have tried to start in safe mode but it won't let me. I highlight safe mode, hit enter, and a black screen with a list of drivers or something comes up and it does not let me do anything else....there is a debugging mode?

#4 miekiemoes

  • Group: Member
  • Posts: 5,503
  • Joined: 12-January 05

Posted 20 December 2007 - 02:18 PM

Hi,

Don't worry. Let's use another tool instead and do it in normal mode, since Safe mode is actually not really required to remove this one.

But first, also uninstall ErrorSmart via software > add/remove programs.
Then reboot.

After reboot,

* Please download SmitfraudFix (by S!Ri)
In case you already downloaded/used it before, delete the version you have and download it again, since it has been updated recently.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: BDEX System - {A8565FBC-8D53-4D4F-9BB0-CBC68A22B126} - C:\WINDOWS\blopenvxdt.dll
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZN
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystan...acheManager.CAB
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: nopzet - {1BFBB9F1-5182-4CAD-8418-D55DA6005A1F} - C:\WINDOWS\nopzet.dll
O21 - SSODL: leorop - {AF045B1D-7DC3-46A1-8E67-28B6438CFE78} - C:\WINDOWS\leorop.dll



* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Double-click SmitFraudFix to start the tool.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

(Warning: running option #2 will set your desktop background blank again. But you can reapply your desktop background again afterwards.)

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it manually.
After reboot,
A text file will appear onscreen, with results from the cleaning process.

Post the log from SmitfraudFix in your next reply together with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
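
A triage sketch over HijackThis log lines like the ones listed in the post above, added here as an example (it is not part of the original thread and is not how HijackThis or the helper reached their verdict). The two rules, the function names and the `windir` default are assumptions for illustration: they flag browser/shell COM objects (O2, O21) whose DLL sits directly in the Windows root, and O18 filters whose handler file is missing. They do not cover the ErrorSmart, mywebsearch or CacheManager entries, which need knowledge of the software itself.

```python
import re
from dataclasses import dataclass
from ntpath import dirname, normcase
from typing import List, Optional, Tuple

# Sample lines taken from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {A8565FBC-8D53-4D4F-9BB0-CBC68A22B126} - C:\WINDOWS\blopenvxdt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: nopzet - {1BFBB9F1-5182-4CAD-8418-D55DA6005A1F} - C:\WINDOWS\nopzet.dll
O21 - SSODL: leorop - {AF045B1D-7DC3-46A1-8E67-28B6438CFE78} - C:\WINDOWS\leorop.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "<section code> - <rest of line>", e.g. "O2 - BHO: ..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# "<kind>: <name> - {CLSID} - <target>" as used by O2, O9, O18 and O21 lines.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
DETAIL_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"
)


@dataclass
class Entry:
    code: str                 # section code such as "O2" or "O21"
    raw: str                  # the full original line
    kind: Optional[str] = None
    name: Optional[str] = None
    clsid: Optional[str] = None
    target: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, blanks and process paths."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(code=m.group("code"), raw=line.strip())
    d = DETAIL_RE.match(m.group("body"))
    if d:  # only CLSID-bearing lines carry these fields
        entry.kind = d.group("kind")
        entry.name = d.group("name")
        entry.clsid = d.group("clsid")
        entry.target = d.group("target").strip()
    return entry


def triage(log_text: str, windir: str = r"C:\WINDOWS") -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for lines matching the two illustrative rules."""
    root = normcase(windir)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.clsid is None:
            continue
        # Rule 1 (assumption): BHO / ShellServiceObjectDelayLoad DLL placed
        # directly in the Windows root rather than system32 or Program Files.
        if e.code in ("O2", "O21") and normcase(dirname(e.target)) == root:
            hits.append((e, "COM DLL loaded from the Windows root directory"))
        # Rule 2 (assumption): protocol filter registered with no backing file.
        elif e.code == "O18" and e.target == "(no file)":
            hits.append((e, "protocol filter registered but handler file missing"))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry.code:<4}{entry.name:<14}{entry.clsid}  {reason}")
```

The output is a review queue, not a removal list: each hit still needs the CLSID and file checked before anything is ticked in HijackThis.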

#5 mikey22

  • Group: Member
  • Posts: 5
  • Joined: 19-December 07

Posted 20 December 2007 - 02:59 PM

here is the smitfraudfix log:


SmitFraudFix v2.274

Scan done at 15:41:57.06, Thu 12/20/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 www.datais.com
127.0.0.1 www.digitalbettingcasinos.com
127.0.0.1 www.dnps.com
127.0.0.1 www.eads.com
127.0.0.1 www.exchange-it.com
127.0.0.1 www.fineclicks.com
127.0.0.1 www.freestats.com
127.0.0.1 www.imaginemedia.com
127.0.0.1 www.kaplanindex.com
127.0.0.1 www.linksynergy.com
127.0.0.1 www.nailitonline2.com
127.0.0.1 www.netdirect.nl
127.0.0.1 www.netflip.com
127.0.0.1 www.netsponsors.com
127.0.0.1 www.netvertising.be
127.0.0.1 www.nrsite.com
127.0.0.1 www.oneandonlynetwork.com
127.0.0.1 www.onresponse.com
127.0.0.1 www.postmasterbannernet.com
127.0.0.1 www.qksrv.net
127.0.0.1 www.speedyclick.com
127.0.0.1 www.targetshop.com
127.0.0.1 www.teknosurf2.com
127.0.0.1 www.teknosurf3.com
127.0.0.1 www.valueclick.com
127.0.0.1 www.webads.nl
127.0.0.1 www.websitefinancing.com
127.0.0.1 www10.valueclick.com
127.0.0.1 www15.ad.tomshardware.com
127.0.0.1 www2.burstnet.com
127.0.0.1 www2.newtopsites.com
127.0.0.1 www23.valueclick.com
127.0.0.1 www3.ad.tomshardware.com
127.0.0.1 www3.bannerspace.com
127.0.0.1 www3.pagecount.com
127.0.0.1 www4.ad.tomshardware.com
127.0.0.1 www4.trix.net
127.0.0.1 www6.ad.tomshardware.com
127.0.0.1 www75.valueclick.com
127.0.0.1 www8.ad.tomshardware.com
127.0.0.1 www80.valueclick.com
127.0.0.1 y.ibsys.com
127.0.0.1 z.extreme-dm.com
127.0.0.1 z0.extreme-dm.com
127.0.0.1 z1.adserver.com
127.0.0.1 z1.extreme-dm.com
127.0.0.1 zi.r.tv.com
127.0.0.1 zrap.zdnet.com.com
127.0.0.1 as.casalemedia.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\blopenv???.dll Deleted
C:\WINDOWS\jokvip.exe Deleted
C:\WINDOWS\leorop.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{47739661-3A44-46D7-AB36-E1E93E6EA148}]
C:\WINDOWS\nopzet.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{783ADAE8-D46B-414E-BE7A-B4F6825504AA}]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C7659B0-D239-4D60-8CBB-FF908F0EA8A3}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7C7659B0-D239-4D60-8CBB-FF908F0EA8A3}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7C7659B0-D239-4D60-8CBB-FF908F0EA8A3}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

and hijack:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:41 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\AOL\1122639952\ee\AOLSoftware.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mash1/en-us/mash...amp;affid=365-1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1122639952\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...150/mcfscan.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10825 bytes

#6 miekiemoes

  • Group: Member
  • Posts: 5,503
  • Joined: 12-January 05

Posted 20 December 2007 - 03:03 PM

Hi,

Please disable your Spysweeper as it may interfere with the next fix in HijackThis.

Then, check and fix the next entry in HijackThis again:

O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.

#7 mikey22

  • Group: Member
  • Posts: 5
  • Joined: 19-December 07

Posted 20 December 2007 - 03:12 PM

It won't delete that file, I check the box, select fix now and it's there still

#8 miekiemoes

  • Group: Member
  • Posts: 5,503
  • Joined: 12-January 05

Posted 20 December 2007 - 03:28 PM

Did you disable/close Spysweeper? Because I know it may interfere with HijackThis fixes.

Anyway, it's just an orphaned entry, it won't/can't do anything. :)

How are things now?
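
The "(no file)" marker behind the orphaned-entry remark above can be picked out of a HijackThis log mechanically. The sketch below is an added example, not part of the thread or of HijackThis itself; the function names are assumptions, and the sample lines are copied from the log posted earlier in this thread.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# An entry line is a section code, " - ", then free-form detail.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NO_FILE = "(no file)"


def parse_entries(log_text):
    """Turn HijackThis entry lines into dicts; headers and process paths are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        # When a line names a file, it is the last " - "-separated field.
        target = body.rsplit(" - ", 1)[1] if " - " in body else None
        entries.append({
            "section": match.group("section"),
            "clsid": clsid.group(0) if clsid else None,
            "target": target,
            "line": raw.strip(),
        })
    return entries


def find_orphans(entries):
    """Return entries whose registration survives but whose file is gone."""
    backed = {e["clsid"].lower() for e in entries
              if e["clsid"] and e["target"] not in (None, NO_FILE)}
    orphans = []
    for e in entries:
        if e["target"] == NO_FILE:
            # True if another entry with the same CLSID still points at a file.
            shared = bool(e["clsid"]) and e["clsid"].lower() in backed
            orphans.append(dict(e, backed_elsewhere=shared))
    return orphans


if __name__ == "__main__":
    for o in find_orphans(parse_entries(SAMPLE_LOG)):
        print(o["section"], o["clsid"], "backed elsewhere:", o["backed_elsewhere"])
```
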

#9 mikey22

  • Group: Member
  • Posts: 5
  • Joined: 19-December 07

Posted 20 December 2007 - 03:35 PM

it seems to be running smoother, faster, not getting the pop ups and alerts...downloading java now...what caused my comp. to act like that by chance? thanks a lot for all your help, couldn't have done it without ya!

#10 miekiemoes

  • Group: Member
  • Posts: 5,503
  • Joined: 12-January 05

Posted 20 December 2007 - 03:49 PM

Quote

what caused my comp. to act like that by chance

Because you were infected. Most probably you wanted to view a certain video and it asked you to download and install an additional Codec/ActiveX or whatever in order to view it. This is a trick this type of malware is using, so you download that codec / ActiveX and you get infected.
So for future reference, if you're asked to download a certain codec or ActiveX in order to watch a video, do NOT download and install it. By default, your media player should already have the necessary codecs installed to watch online videos anyway.
Also read the next articles for more info: http://www.avertlabs...rch/blog/?p=152
http://news.bbc.co.u...ogy/6100016.stm

The articles are old, but the same method is still used today.

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 miekiemoes

  • Group: Member
  • Posts: 5,503
  • Joined: 12-January 05

Posted 01 January 2008 - 05:35 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
