Thread: possible malware infection

  1. #1
    Join Date
    Jun 2007
    Posts
    21

    possible malware infection

    OK, I had tried to install something tonight, and soon after doing so I was getting Norton warnings saying they found some problems and were going to scan it. It did so and said it found problems and they were resolved. Then I started getting IE popups asking me about installing some spyware killer, and I never use IE at all, so I started wondering. Then I opened the Task Manager and noticed rundll.exe running, which is unusual for me, so I attempted to end task it and it closed, then it reopened almost immediately after I would end task it.

    I've dealt with some malware before and did what seemed right: I checked HijackThis and removed what I believed to be the problem, and after checking in c:\windows\system32 I found 5 new files that had just been created around the time I installed. So after not being able to delete them I shut down and rebooted in safe mode, thinking I could just delete the 5 files that way, and 3 of them are now gone, but the files winrkp32.dll and awtrpqo.dll still remain. When I removed something via HJT it was a reference to awtrpqo.dll; now there is another reference to something I don't recognize, which I'm sure you'll spot as well in my log.

    After going through safe mode and deleting the files I don't seem to have rundll.exe running right now in my Task Manager, but I did get an error when I rebooted saying something along the lines of "run a dll as a program has had an error and needs to be shut down". I am still occasionally getting the IE popups, which is moderately annoying, but I just hate the fact that I cannot get rid of or remove the files. Also, I've attempted to use the HJT option to delete files on startup, and when I try to select it, it just closes HJT completely.

    If there is any more info you need please just let me know. I will be around all night tonight and should be on the computer most of the night working on this. As for now I'll post my HJT log and see if anyone has any suggestions, and thanks for the help in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:01:29 AM, on 6/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\RssReader\RssReader.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    D:\Norton AntiVirus\navapsvc.exe
    D:\Yahoo!\MESSEN~1\ymsgr_tray.exe
    D:\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    D:\FireFox\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    D:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NO MORE PARCHISI!
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users.WINDOWS\Application Data\uhkxefqh.exe
    O4 - HKCU\..\Run: [RssReader] D:\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099459613531
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/lux...jolauncher.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...loader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3001797C-CD23-4A09-A5D5-138B9D7633BC}: NameServer = 85.255.115.157,85.255.112.97
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B16EFC0D-3369-4C87-8597-5F6F0F42EAFA}: NameServer = 85.255.115.157,85.255.112.97
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE61BC32-9E25-4F16-ABE1-3B269F00E6D3}: NameServer = 85.255.115.157,85.255.112.97
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.97
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.97
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  2. #2
    Join Date
    Aug 2006
    Posts
    578


    Quote: Originally Posted by dawgfather
    If there is any more info you need please just let me know. I will be around all night tonight and should be on the computer most of the night working on this. As for now I'll post my HJT log and see if anyone has any suggestions, and thanks for the help in advance.
    Here's a suggestion before I call it a night:

    You ought to run FixWareout and post that log, as well as run AVG Anti-Spyware and have it clean what it finds (see the Read Me First Sticky Post at the top of the Forum).

    http://downloads.subratam.org/Fixwareout.exe

    Save it to your desktop and run it.
    Click Next, then Install, make sure "Run fixit" is checked and click Finish.


    -- You do have some malware including WareOut. Hang in there until Judy can have a look. I am not around all that often these days.

    Best Luck
    PP

  3. #3
    Join Date
    Jun 2007
    Posts
    21
    Thanks Phillie, I'm working on the steps posted in the sticky atm, running the Windows malware removal tool right now and going to scan with AVG very shortly. I'll also try to run the program you linked, also see what kind of help that is.

  4. #4
    Join Date
    Jun 2007
    Posts
    21
    I'm scanning now with AVG Anti-Spyware and it's currently scanning some folder called C:\recycler\nprotect, and I have checked in Windows Explorer and that folder is nowhere to be found. I do recall a few years back I had some issues with my computer where it was locking me out entirely. Long story short is that a friend of mine tried to get me back in and couldn't uninstall or format or anything, and we had decided to just install a new Windows over the old one. I'm thinking these recycler files are part of that leftover system, and from what AVG is telling me during the actual scan, most if not all of these files are infected, and according to using the command line prompt and doing some searching there seem to be about 1600+ files at least in this recycler folder. Not sure if this matters but thought I should mention it.

    *edit* As of this posting I'm currently showing 43,000+ files infected, and before it got to the recycler file I was at maybe 500, then bam, it's just been going crazy since hitting that folder.

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    C:\recycler\nprotect is the Norton Protected Recycle Bin. It's the folder where the Norton Protected Recycle Bin feature stores items you delete.
    Since you are using the Norton Anti-virus program then it is a normal folder. You can empty this folder. Don't delete the folder itself, just empty it.

  6. #6
    Join Date
    Jun 2007
    Posts
    21
    OK, I just finished running the AVG scan, not in safe mode. It picked up a TON of stuff. I have the log, and then I had it do the recommended suggestion for the files, which was set to quarantine, though it did delete the majority of the results that came up as tracking cookies. As far as the Norton recycle bin, that was what I figured it was, but could those possibly be left over from my previous Windows install? If that is the case I know that's a whole new can of worms to deal with, but is it something I can get rid of eventually after I get this whole malware situation worked out?

    AVG is asking me for a reboot atm, so going to do that, then I should be back and have more info for ya on how it turned out.

  7. #7
    Join Date
    Jun 2007
    Posts
    21
    Well, it seems that I'm still having the problem after running AVG, although I wasn't expecting it to be fixed after just that. I'm running Trend Micro's online scan now; it says it's going to take a while, so with that I'm going to get some rest. I should be back in a while and will update then.

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I hope you are following the steps given by PhilliePhan in his post to you. He instructed you to run FixWareout...have you done that? This is one of the key infections that you have and that tool should have been run first and the log posted. We have seen NO logs other than the HJT which does show several infections. I want to caution you, HJT is NOT considered a fix tool. It is a SCANNER tool. Yes, some fixes can be done with it but most fixes done with HJT must be done AFTER specialized tools are used, like FixWareout.

  9. #9
    Join Date
    Jun 2007
    Posts
    21
    Sorry, yes, I have run Fixwareout; however, my scan from Trend Micro seems to have been interrupted somehow as I was sleeping, but I will post the logs I've done so far from there and AVG. Here they are..

    Fixwareout Last edited 5/15/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    HKLM\SOFTWARE\~\Winlogon\ "System"="kdbpy.exe"

    »»»»»

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other
    C:\WINDOWS\temp\kdbpy.ren 63825 08/04/2004

    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "uhkxefqh.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\uhkxefqh.exe"
    "ApachInc"="rundll32.exe \"C:\\WINDOWS\\system32\\caiphfji.dll\",realset "
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
    "AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1149856220\\ee\\AOLSoftware.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "MPFEXE"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RssReader"="D:\\RssReader\\RssReader.exe"
    "Yahoo! Pager"="\"D:\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "Uniblue RegistryBooster2"="D:\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe /S"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    C:\WINDOWS\System32\AUTOEXEC.NT missing
    »»»»» End report »»»»»
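
A snapshot comparison of the autorun entries in the two logs posted so far (the HijackThis O4 lines in post #1 and the Fixwareout "Current runs" section in post #9), as an added example that is not part of the thread or of either tool. The function names are hypothetical and the sample lines are copied from the logs above; a Run value that appears only in the later log is a prompt for review, not a verdict.

```python
import re

# Constructed samples: a few lines copied from the two logs in this thread
# (HijackThis O4 entries from post #1, Fixwareout "Current runs" from post #9).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users.WINDOWS\Application Data\uhkxefqh.exe
O4 - HKCU\..\Run: [RssReader] D:\RssReader\RssReader.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.97
"""
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"uhkxefqh.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\uhkxefqh.exe"
"ApachInc"="rundll32.exe \"C:\\WINDOWS\\system32\\caiphfji.dll\",realset "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RssReader"="D:\\RssReader\\RssReader.exe"
"""

HJT_O4 = re.compile(r"^\s*O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
REG_KEY = re.compile(r"^\s*\[(HKEY_[A-Z_]+)\\(.+)\]\s*$")
REG_VAL = re.compile(r'^\s*"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def hjt_autoruns(text):
    """Map (hive, value name) -> command line from HijackThis O4 Run lines."""
    out = {}
    for line in text.splitlines():
        m = HJT_O4.match(line)
        if m:
            out[(m.group(1), m.group(2))] = m.group(3).strip()
    return out


def reg_autoruns(text):
    """Same mapping from a .reg-style dump; only the Run key itself is read,
    so subkeys such as Run\\AutorunsDisabled are skipped."""
    out, current = {}, None
    for line in text.splitlines():
        k = REG_KEY.match(line)
        if k:
            # Forum software sometimes breaks long key names with a space.
            path = k.group(2).replace(" ", "").lower()
            is_run = path.endswith("\\currentversion\\run")
            current = HIVES.get(k.group(1)) if is_run else None
            continue
        v = REG_VAL.match(line)
        if v and current:
            out[(current, unescape(v.group(1)))] = unescape(v.group(2)).strip()
    return out


def new_autoruns(before, after):
    """Entries in the later snapshot that are absent from, or differ in, the earlier one."""
    return {k: v for k, v in after.items() if before.get(k) != v}


if __name__ == "__main__":
    diff = new_autoruns(hjt_autoruns(HJT_SAMPLE), reg_autoruns(REG_SAMPLE))
    for (hive, name), cmd in sorted(diff.items()):
        print(f"{hive}\\..\\Run [{name}] {cmd}")
```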

  10. #10
    Join Date
    Jun 2007
    Posts
    21
    As far as the AVG scan is concerned, it contains about 160,000 entries, I believe, most of which are/were tracking cookies, which I'm going to edit out to save space as I went in and deleted them through DOS. If you need me to add them I can, but for now I'll just add what seems to be pertinent information.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:42:54 AM 6/7/2007

    + Scan result:



    C:\WINDOWS\system32\gtdownls_95.ocx -> Adware.Gdown : No action taken.
    HKU\S-1-5-21-220523388-1425521274-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E9B951E-6F72-431B-82CF-4A9FBF2F53BC} -> Adware.Generic : No action taken.
    HKU\S-1-5-21-220523388-1425521274-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : No action taken.
    [1284] C:\WINDOWS\system32\awtrpqo.dll -> Adware.Virtumonde : No action taken.
    [3736] C:\WINDOWS\system32\ddayx.dll -> Adware.Virtumonde : No action taken.
    [892] C:\WINDOWS\SYSTEM32\awtrpqo.dll -> Adware.Virtumonde : No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : No action taken.
    C:\Documents and Settings\Fluff Dawg.MOM\Local Settings\Temp\win497.tmp.exe -> Downloader.Agent.brf : No action taken.
    C:\Documents and Settings\Fluff Dawg\Local Settings\Temporary Internet Files\Content.IE5\SHWXMBCH\pi[1].exe -> Downloader.Small.aal : No action taken.
    D:\Fluff\Devices\ipnetinfo.exe -> Not-A-Virus.NetTool.Win32.IpNetInfo.120 : No action taken.
    D:\Fluff\ipnetinfo.zip/ipnetinfo.exe -> Not-A-Virus.NetTool.Win32.IpNetInfo.120 : No action taken.

    C:\Documents and Settings\Fluff Dawg.MOM\Local Settings\Temp\win493.tmp.exe -> Trojan.Agent.qt : No action taken.
    C:\Documents and Settings\Fluff Dawg.MOM\Local Settings\Temp\gos489.tmp -> Trojan.Dialer.qn : No action taken.
    C:\Documents and Settings\Fluff Dawg.MOM\Local Settings\Temp\win491.tmp.exe -> Trojan.Dialer.qn : No action taken.
    C:\WINDOWS\system32\winrkp32.dll -> Trojan.Dialer.qn : No action taken.
    D:\mp3converter\serial.exe -> Trojan.Dialer.qn : No action taken.
    C:\Documents and Settings\Fluff Dawg\Local Settings\Temporary Internet Files\Content.IE5\PG0RXTOD\exitpoplight1[2].htm -> Trojan.NoClose.i : No action taken.
    C:\Documents and Settings\Fluff Dawg\Local Settings\Temporary Internet Files\Content.IE5\SHWXMBCH\exitpoplight1[4].htm -> Trojan.NoClose.i : No action taken.
    C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\8PGJO3KZ\exitpoplight1[1].htm -> Trojan.NoClose.i : No action taken.
    C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\MJMDYDCL\exitpoplight1[1].htm -> Trojan.NoClose.i : No action taken.
    C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\QDC72PQX\exitpoplight1[1].htm -> Trojan.NoClose.i : No action taken.


    ::Report end


    In the middle there were mostly all files along the lines of...

    :mozilla.474:C:\RECYCLER\NPROTECT\00098495.MOZ -> TrackingCookie.Zedo : No action taken.
    :mozilla.474:C:\RECYCLER\NPROTECT\00098497.MOZ -> TrackingCookie.Zedo : No action taken.
    :mozilla.474:C:\RECYCLER\NPROTECT\00098510.MOZ -> TrackingCookie.Zedo : No action taken.

    Which I have since deleted.
    Also, this log is from before I was able to take any action; I have quarantined everything listed above though since the scan, and I'm doing another scan right now.
    Last edited by dawgfather; 06-07-2007 at 05:56 PM.
