Help to ID and remove unknown virus
   

ocium
New Member


Date Joined Feb 2006
Total Posts : 3
 
   Posted 2-26-2006 10:46 (GMT +2)
Hi there,

I am having trouble with something I suspect is a virus, but can find no info on as yet.
My virus scanner (AVG Free v7.1.285 (26/02/2006)), doesn't recognise it.

My firewall (Sygate Personal Firewall Pro 5) identifies it as "Universa application", and I am currently blocking traffic for this app with: www.meta-porn.com (70.84.127.98).
The background process(es) associated with this application use the filename syntax "win*.tmp.exe".

The little bugger is replicating itself madly in my windows/temp folder: I am currently up to win2FE.tmp.exe.
Also, some new executables have just started appearing that I suspect are related, and which seem to have random filename generation: gcajpiod.exe, idjlakmd.exe, iogeokmd.exe, jnlahkmd.exe, kjfdliod.exe, pafbkiod.exe, pp!!!!md.exe.

I can't seem to find the mother file that is creating these executables, and respawning the processes.

Can anyone help me out with identification, or advice on how to remove it?

TIA,

Dave
Back to Top
 

Andrei Ionescu
Forum Moderator




Date Joined Dec 2005
Total Posts : 58
 
   Posted 2-27-2006 12:03 (GMT +2)
Hi Dave,


1. Download HijackThis from this link: http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1


2. You must unzip it in a newly created folder before you can actually use it. For this you will need a program such as WinZip or WinRar to open the archive. Please create a permanent folder on your desktop for instance, and place the executable file in that folder.


3. Run the "hijackthis.exe" file and a new window will appear. In that new window please click on the button that says "Do a system scan and save a logfile".


4. After the program finishes searching for abnormal objects, the logfile will be saved automatically in the same folder in which you have placed the contents of the archive.


5. Locate the log file, open it with a normal text editor (Notepad) copy its content and paste it as a reply to this thread.


After analyzing the log we might actually know what infection we are up against.

Andrei Cristian Ionescu
Support Team Member
BullGuard Software Ltd.
Cell phone: +40 724.276.719
YM!: ionescu1982 ; Skype: ionesan
 
 
BullGuard specialises in best-of-breed security solutions for home users and
small businesses, emphasising technical excellence, ease-of-use and customer-care.
BullGuard is a Microsoft Gold Certified Partner with competencies in Security Solutions
and ISV Software Solutions: www.microsoft.com/security/partners/antivirus.asp
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone else's thread.
Do not PM me with logfiles. They will be deleted

Back to Top
 

ocium
New Member


Date Joined Feb 2006
Total Posts : 3
 
   Posted 2-27-2006 12:18 (GMT +2)
Thank you kindly Andrei; here is the logfile:


Logfile of HijackThis v1.99.1
Scan saved at 11:19:34 a.m., on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\TEMP\win31.tmp.exe
C:\WINDOWS\TEMP\win52.tmp.exe
C:\Documents and Settings\Ged\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [d12] C:\Program Files\BPK\d12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
Back to Top
 

Andrei Ionescu
Forum Moderator




Date Joined Dec 2005
Total Posts : 58
 
   Posted 2-27-2006 1:51 (GMT +2)
Hi Dave,


1. First, you will have to unregister this .dll file on your computer:


     C:\WINDOWS\SYSTEM32\wingsa32.dll


You can use the Regsvr32 tool (Regsvr32.exe) to register and unregister object linking and embedding (OLE) controls, such as dynamic-link library (.DLL) or ActiveX control (.OCX) files, and all other files that are self-registerable.
 
Press the Windows Start button -> Run, then type the regsvr32 command as shown below:
 
     Regsvr32 /u C:\WINDOWS\SYSTEM32\wingsa32.dll
 
2. Then please restart your computer in Safe Mode (you can do that by pressing the F8 key when Windows is starting, before the Windows start-up screen is loaded). Start HijackThis again, press the "Do a System Scan only" option, and place a check mark in front of the following entries:
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
 
And press the Fix Checked button.
 
3. Copy the following bold blue text to a notepad. Ensure the "Save as type" field says *All files*. Save the file to the desktop as remove.bat:
 
@ECHO OFF
rem Delete the win*.tmp.exe copies in the Windows TEMP folder
cd /d %windir%\TEMP
del win*.tmp.exe
rem Delete the files listed for this step in system32
cd /d %windir%\system32
del wingsa32.dll
del winlogon.exe
exit

While still in Safe Mode, please right click on the remove.bat file you have created. A Command Prompt window should flash on your screen, and at the same time the infected files should be removed.


4. Restart your computer in Windows normal mode and follow these steps:


Please download, install, and update the free version of Ewido anti-malware from this link: http://www.ewido.net/en/download/
 
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
- From the main Ewido screen, click on "update" in the left menu, then click the "Start update" button.
- After the update finishes, the status bar at the bottom will display "Update successful".
- Click on Scanner.
- Click on Complete System Scan and the scan will begin.
- Save the report to your desktop.
- Close Ewido.
 
Restart your computer, and post a fresh HijackThis log and the Ewido log, and let me know if the infected files and processes are still on your computer.

Back to Top
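
The kind of entries picked out in the reply above (a Winlogon Notify DLL, a "(file missing)" BHO) and the stray processes in the posted log can be found with a few path and entry-type checks. This is an added example, not part of the original thread and not HijackThis code: the rule names, `check_path` and `triage` are assumptions of the example, and the embedded sample is an excerpt of the first log posted in this thread.

```python
import ntpath
import re

# Excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\win31.tmp.exe
C:\WINDOWS\TEMP\win52.tmp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\SYSTEM32\wingsa32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
"""

# Assumption of this example: core Windows processes that should only be
# seen running from the System32 folder.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O20 - Winlogon Notify: ..."
MISSING = "(file missing)"


def check_path(path):
    """Return the rule names that fire for one executable path."""
    folder = ntpath.normcase(ntpath.dirname(path))    # lower-cased, backslashes
    name = ntpath.normcase(ntpath.basename(path))
    hits = []
    if "temp" in folder.split("\\"):
        hits.append("runs-from-temp")
    if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
        hits.append("system-name-outside-system32")
    return hits


def triage(log_text):
    """Return (rule, log line) pairs for lines that deserve a manual look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line ends the process list
                in_processes = False
            else:
                findings += [(rule, line) for rule in check_path(line)]
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        code, body = match.groups()
        if body.endswith(MISSING):
            findings.append(("file-missing", line))
        if code == "O20":                # DLL registered under Winlogon Notify
            findings.append(("winlogon-notify", line))
        if code == "O23":                # "Service: name - owner - path"
            if " - Unknown owner - " in body:
                findings.append(("service-unknown-owner", line))
            path = body.rsplit(" - ", 1)[-1].replace(MISSING, "").strip()
            findings += [(rule, line) for rule in check_path(path)]
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:30} {line}")
```

A hit is a prompt to check the file, not a verdict: the Macromedia Licensing Service in the same log also shows "Unknown owner".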
 

ocium
New Member


Date Joined Feb 2006
Total Posts : 3
 
   Posted 2-27-2006 5:03 (GMT +2)
Hi Andrei,

Thank you very much for all your efforts to help me; I really appreciate it, and I am very happy to report that whatever it was is now sorted :0)

I was unable to unregister the wingsa32.dll - sorry, I can't remember the exact error message, something like: dll found but unable to find install start point?
Of course, the batch file couldn't do its thing with the dll still registered...

However, that Ewido is really great and managed to find the nasty without unregistering and deleting the dll (and winlogon.exe). After a full scan and fix, the dll is gone, and I was able to manually delete all win*.tmp.exe files in the windows/temp folder.

Here are the logfiles, just in case they can help you to identify what exactly it was:

Logfile of HijackThis v1.99.1
Scan saved at 3:56:04 p.m., on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Ged\Desktop\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe (file missing)



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:26:29 p.m., 27/02/2006
+ Report-Checksum: 8E1ABE4D

+ Scan result:

HKLM\SOFTWARE\Classes\LaunchInIE.Launch -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CLSID -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\LaunchInIE.Launch\CurVer -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\LaunchInIE.Launch.1 -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources.1 -> Adware.CoolWebSearch : Cleaned with backup
[600] C:\WINDOWS\system32\wingsa32.dll -> Hijacker.Small.kb : Cleaned with backup
[1728] C:\WINDOWS\SYSTEM\svchost.exe -> Logger.AdvancedKeyLogger.b : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\19eume44.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.338:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\19eume44.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.344:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\19eume44.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.368:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\19eume44.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.369:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\19eume44.default\cookies.txt -> TrackingCookie.Cj : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Opentracker : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.265:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.266:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.267:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.283:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.313:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.325:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.331:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.352:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.353:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.366:C:\Documents and Settings\Ged\Application Data\Mozilla\Firefox\Profiles\ehywi64q.Dave\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Ged\Cookies\ged@perf.overture.txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Ged\Cookies\ged@statcounter.txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Ged\Local Settings\Temp\ddl13.tmp.exe -> Dialer.Agent.z : Cleaned with backup
C:\Documents and Settings\Ged\Local Settings\Temp\ddl15.tmp.exe -> Dialer.Agent.z : Cleaned with backup
C:\Documents and Settings\Ged\Local Settings\Temp\ddl9.tmp.exe -> Dialer.Agent.z : Cleaned with backup
C:\Documents and Settings\Ged\Local Settings\Temp\ddlF.tmp.exe -> Dialer.Agent.z : Cleaned with backup
C:\Documents and Settings\Ged\Local Settings\Temporary Internet Files\Content.IE5\UDE1GLM5\mullbin2.exe -> Downloader.Small.ckr : Cleaned with backup
C:\Documents and Settings\Ged\Local Settings\Temporary Internet Files\Content.IE5\UDE1GLM5\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\Program Files\BitLord\Downloads\FINISHED\APPZ\ActMon Computer Monitoring v5.2.exe/wskrnl.exe -> Not-A-Virus.Monitor.Win32.ActMon.511 : Error during cleaning
C:\Program Files\BitLord\Downloads\FINISHED\APPZ\Handy Keylogger v3.24.032 [Crack].exe -> Not-A-Virus.Monitor.Win32.QuickKeyLogger.a : Cleaned with backup
C:\Program Files\BitLord\Downloads\FINISHED\APPZ\Spy SHOP 2005\Spytech SpyAgent5-lucid.rar/Spytech SpyAgent5-lucid\fixed.exe -> Not-A-Virus.Monitor.Win32.SpyAgent.k : Error during cleaning
C:\Program Files\BitLord\Downloads\Serial Key\Craagle.exe -> Adware.Craagle : Cleaned with backup
C:\Program Files\BitLord\Downloads\Serial Key.rar/Serial Key\Craagle & Crackdown.rar/Craagle.exe -> Adware.Craagle : Error during cleaning
C:\Program Files\BitLord\Downloads\Sex Game - Virtua Girl 2 desktop stripper + 18 models with activation & crac!.rar.bc!/Complete - Virtua Girl 2 desktop stripper + 18 models\activation.exe -> Adware.WinAD : Error during cleaning
C:\Program Files\BitLord\Downloads\Sex Game - Virtua Girl 2 desktop stripper + 18 models with activation & crac!.rar.bc!/Complete - Virtua Girl 2 desktop stripper + 18 models\crack.exe -> Adware.WinAD : Error during cleaning
C:\Program Files\BPK\d12.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned with backup
C:\WINDOWS\ASK\ScrCap.exe -> Not-A-Virus.Monitor.Win32.Amplusnet.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Logger.AdvancedKeyLogger.b : Cleaned with backup
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\qlib.dll -> Not-A-Virus.Monitor.Win32.QuickKeyLogger.c : Cleaned with backup
C:\WINDOWS\system32\qpanel.exe -> Not-A-Virus.Monitor.Win32.QuickKeyLogger.a : Cleaned with backup
C:\WINDOWS\system32\TMUtils.dll -> Logger.AdvancedKeyLogger.16 : Cleaned with backup
C:\WINDOWS\system32\wingsa32.dll -> Hijacker.Small.kb : Cleaned with backup
C:\WINDOWS\Temp\winFC.tmp.exe -> Trojan.Dialer.u : Cleaned with backup
F:\CRACK\CRC\pwdspy.zip/bin/i386r/PwdSpyHk.dll -> Backdoor.PowerSpider.b : Cleaned with backup
F:\CRACK\CRC\pwdspy.zip/bin/i386ur/PwdSpyHk.dll -> Backdoor.PowerSpider.b : Cleaned with backup
F:\CRACK\Gamez - Serials\Gamez - Keygens\Warhammer 40000 [Keygen-Vengeance].exe -> Trojan.Steam.a : Cleaned with backup


::Report End



Thanks again,

Dave

Andrei Ionescu
Forum Moderator




Date Joined Dec 2005
Total Posts : 58
 
Posted 2-27-2006 9:49 (GMT +2)
Hi Dave,
 
Both logs are clean now, and the infection is no longer present. Please try to follow up on this situation and let us know as soon as you have any other problems.
 
In the meantime, please read this useful guide, for preventing infection:
 
One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". The most common answer is that you are not running the proper security software and that the security settings are too low on your machine.

Please follow these steps to keep your computer clean and secure so that you do not get infected again:
  1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    http://www.bleepingcomputer.com/forums/tutorial43.html

  7. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    http://www.bleepingcomputer.com/forums/tutorial48.html

  8. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    http://www.bleepingcomputer.com/forums/tutorial49.html

  9. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Andrei Cristian Ionescu
Support Team Member
BullGuard Software Ltd.
Cell phone: +40 724.276.719
YM!: ionescu1982 ; Skype: ionesan
 
 
BullGuard specialises in best-of-breed security solutions for home users and
small businesses, emphasising technical excellence, ease-of-use and customer-care.
BullGuard is a Microsoft Gold Certified Partner with competencies in Security Solutions
and ISV Software Solutions: www.microsoft.com/security/partners/antivirus.asp
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
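
The six Internet-zone settings in the guide above can be checked without clicking through the dialog. The following is an added example, not part of the original post or any BullGuard tool: it audits a `reg export` of the Internet zone against the guide's values. It assumes the standard URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) stored as DWORDs under `...\Internet Settings\Zones\3`, and the sample export is constructed.

```python
import re

# Internet Explorer URL-action IDs for the six settings the guide changes.
# They are stored as DWORD values under ...\Internet Settings\Zones\3
# (zone 3 = Internet). Policy values: 0 = Enable, 1 = Prompt, 3 = Disable,
# so a numerically lower value is a weaker setting.
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}
POLICY_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_SUFFIX = "\\internet settings\\zones\\3"
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample: a trimmed `reg export` from a loosely configured profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000003
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = DWORD_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = int(match.group(2), 16)
    return keys


def audit_internet_zone(text):
    """List (action_id, label, actual, recommended) for weak or unset settings."""
    zone = {}
    for key, values in parse_reg_export(text).items():
        # Only the Internet zone (3) is audited; other zones are ignored.
        # If several hives are exported, the last one listed wins here.
        if key.lower().endswith(ZONE_SUFFIX):
            zone.update(values)
    findings = []
    for action, (wanted, label) in RECOMMENDED.items():
        actual = zone.get(action)
        if actual is None:
            findings.append((action, label, "not set", POLICY_NAMES[wanted]))
        elif actual < wanted:
            shown = POLICY_NAMES.get(actual, hex(actual))
            findings.append((action, label, shown, POLICY_NAMES[wanted]))
    return findings


if __name__ == "__main__":
    for action, label, actual, wanted in audit_internet_zone(SAMPLE_REG):
        print(f"{action} {label}: {actual} (guide recommends {wanted})")
```

A setting stricter than the guide's value, such as 1804 set to Disable in the sample, is not reported.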


jampy82
New Member


Date Joined Mar 2006
Total Posts : 2
 
Posted 3-3-2006 10:08 (GMT +2)
I used a different method to delete the file and it worked fine for me (I think).

First do the regsvr32 thing described above, then restart the computer; on reboot press F8 repeatedly and load Windows in safe mode command prompt.

In the command prompt type: cd.. until you get to the c: path, then type the following:
cd windows (or cd winnt if you are using 2000)
cd system32
del win***32.dll (in my case the file name was wingsa32.dll)

Please wait for a more expert user to verify if this is a suitable way of solving the problem.
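
Before deleting anything by name, the file names reported in this thread (win*.tmp.exe in a Temp folder, win***32.dll in system32) can be confirmed against a HijackThis log. The following is an added example, not part of any post above: it flags log lines whose target matches those two shapes or is marked as missing. The regular expressions are assumptions derived from the names quoted in the thread, and the sample log lines are constructed.

```python
import ntpath
import re

# File-name shapes reported in this thread (assumed patterns, for review only):
#   win*.tmp.exe in a Temp folder, e.g. win2FE.tmp.exe
#   win***32.dll in system32, e.g. wingsa32.dll
DROPPER_RE = re.compile(r"^win.+\.tmp\.exe$", re.I)
HOOK_DLL_RE = re.compile(r"^win[a-z0-9]{3}32\.dll$", re.I)

# HijackThis prefixes each registry finding with a section code such as "O20 - ".
SECTION_RE = re.compile(r"^([A-Z]\d+) - ")
# First Windows path on the line that ends in .exe or .dll (may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.I)
# HijackThis appends these markers when the referenced file does not exist.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")

# Constructed sample in HijackThis v1.99.1 layout (names are placeholders).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Temp\win2A.tmp.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example1.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winabc32 - C:\WINDOWS\SYSTEM32\winabc32.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
"""


def triage(log_text):
    """Return (section, path, reason) for each log line worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section_match = SECTION_RE.match(line)
        # Bare paths under "Running processes:" carry no section code.
        section = section_match.group(1) if section_match else "process"
        path_match = PATH_RE.search(line)
        path = path_match.group(0) if path_match else None
        reasons = []
        if path:
            name = ntpath.basename(path)
            folder = ntpath.dirname(path).lower()
            if DROPPER_RE.match(name) and folder.endswith("\\temp"):
                reasons.append("temp-dropper-name")
            if HOOK_DLL_RE.match(name) and folder.endswith("\\system32"):
                reasons.append("system32-hook-name")
        if MISSING_RE.search(line):
            reasons.append("target-missing")
        for reason in reasons:
            findings.append((section, path, reason))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section:8} {reason:20} {path}")
```

A name match is only a prompt for review; legitimate files such as winlogon.exe do not match either pattern, and the flagged file should still be scanned before removal.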

JazzMan66
New Member


Date Joined Jun 2006
Total Posts : 1
 
Posted 7-24-2006 7:48 (GMT +2)
hi all...
I am having the same problems as ocium did. I've tried doing all the steps given by Mr Andrei up to the point of the hijackthis part...where on my report there is no wingsa32.dll..maybe it's under a different name this time..so I am pasting my report below...hope Mr Andrei could help me identify the problem..thanks..
 
Logfile of HijackThis v1.99.1
Scan saved at 12:56:30 AM, on 25/07/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\AYAH\Desktop\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BPS Security Console] C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153590671365
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C01101-08B9-48CD-AC13-0AD8412681AD}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winclv32 - C:\WINDOWS\SYSTEM32\winclv32.dll
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Pls help. Btw, I am using Ewido, but it can't seem to detect anything on dll files...
 
 
thanks
 

Myth_Pennywise
New Member


Date Joined Aug 2006
Total Posts : 1
 
   Posted 8-18-2006 8:38 (GMT +2)
Hello there

I'm having the same problems as the others.
I've tried the same method as Ocium but the virus just keeps returning.


Here is my HijackThis log. Can somebody please tell me which files I must delete with Ewido?

Logfile of HijackThis v1.99.1
Scan saved at 8:35:15, on 18-8-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\Rar$EX00.312\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


My NOD32 virus scanner is saying that it's a Win32/Dialer trojan.

does somebody know how th