
Hijack This Log: Please Help Diagnose


  • This topic is locked
23 replies to this topic

#1 xstxaxrsx


Posted 08 March 2006 - 08:31 PM

I have gotten spy sheriff on my computer...I don't get the background image, but even after using adaware, spybot, and even counterspy, (which both spybot and counterspy say removed spy sheriff) the virus comes back shortly thereafter.

Thanks for any help...

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:28 PM, on 3/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\??pPatch\s?rvices.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\PPPATC~1\nslookup.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\4297.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f502.mail.yahoo.com/ym/login?.rand=b7u0c3n604kgo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} - C:\WINDOWS\System32\jiql.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\prefs.js)
O1 - Hosts: 127.193.205.104 www.symantec.com
O1 - Hosts: 127.116.28.232 securityresponse.symantec.com
O1 - Hosts: 127.77.9.33 housecall.trendmicro.com
O1 - Hosts: 127.20.58.57 www.pandasoftware.com
O1 - Hosts: 127.141.150.98 www.bitdefender.com
O1 - Hosts: 127.67.100.35 www.ravantivirus.com
O1 - Hosts: 127.243.184.169 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.48.209.43 www.windowsupdate.com
O1 - Hosts: 127.77.189.12 windowsupdate.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} - C:\WINDOWS\System32\jiql.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [dmdzf.exe] C:\WINDOWS\System32\dmdzf.exe
O4 - HKLM\..\Run: [jbrug.exe] C:\WINDOWS\System32\jbrug.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [DLLLoad] chkmon.exe -services
O4 - HKCU\..\Run: [Kfefjii] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [Artn] "C:\PROGRA~1\COMMON~1\PPPATC~1\nslookup.exe" -vt tzt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CCS\Services\Tcpip\..\{638155F5-0EBE-4DAE-BB9C-62DF0F52BD08}: NameServer = 85.255.115.158,85.255.112.107
O20 - Winlogon Notify: winykm32 - winykm32.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe


 


#2 miekiemoes

  • Malware Response Team

Posted 09 March 2006 - 08:15 AM

Hello,

This system is badly infected, and actually it doesn't surprise me at all, because you don't have an antivirus and firewall present. Your Windows is not up to date either, so you are wide open to infections.

That's why we can't go any further without an antivirus and firewall installed, because otherwise you'll get reinfected immediately.

But first, perform next:

* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Then download an antivirus and firewall:

AVG, AntiVir® OR Avast are good FREE antivirus.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Zonealarm, Agnitum Outpost Free OR Kerio are FREE firewalls.

Understanding and using firewalls

Perform a full scan with your antivirus!
Reboot afterwards.

After reboot, perform next:

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 xstxaxrsx


Posted 13 March 2006 - 06:08 PM

Here is the report from the fixwareout scan:

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmdzf.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMMLR.EXE
C:\WINDOWS\SYSTEM32\CSLUR.EXE
* csr.exe C:\WINDOWS\System32\CSLUR.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

Here is the Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:40 PM, on 3/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\??pPatch\s?rvices.exe
C:\PROGRA~1\COMMON~1\PPPATC~1\nslookup.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.microsoft.com/isapi/redir.dll?p...id={SUB_CLSID}&

pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R3 - URLSearchHook: (no name) -

{ED2E7547-96D7-B420-A5FC-E63B8B007290} -

C:\WINDOWS\System32\jiql.dll
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and

Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearc

hplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application

Data\Mozilla\Profiles\default\qhy2ko6o.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO -

{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} -

C:\WINDOWS\System32\jiql.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88}

- C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} -

(no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} -

C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity

Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [jbrug.exe] C:\WINDOWS\System32\jbrug.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [DLLLoad] chkmon.exe -services
O4 - HKCU\..\Run: [Kfefjii] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - HKCU\..\Run: [Artn]

"C:\PROGRA~1\COMMON~1\PPPATC~1\nslookup.exe" -vt tzt
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM

Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -

http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX

Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 -

HKLM\System\CCS\Services\Tcpip\..\{638155F5-0EBE-4DAE-BB9C-62DF0F5

2BD08}: NameServer = 85.255.115.158,85.255.112.107
O20 - Winlogon Notify: winykm32 - winykm32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -

C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program

Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO

EPSON CORPORATION - C:\Program Files\Common

Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GearSecurity - GEAR Software -

C:\WINDOWS\system32\gearsec.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 miekiemoes


Posted 13 March 2006 - 06:28 PM

Hello, let's have a big cleanup now, because your system is still terribly infected.

But first of all...The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format > uncheck Word Wrap

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Go to Start > Control Panel > Software and uninstall next programs if still present:

Purityscan
Spysheriff


* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download ATF Cleaner by Atribune to your desktop.
Do not use it yet.

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} - C:\WINDOWS\System32\jiql.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [jbrug.exe] C:\WINDOWS\System32\jbrug.exe
O4 - HKLM\..\RunServices: [DLLLoad] chkmon.exe -services
O4 - HKCU\..\Run: [Kfefjii] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - HKCU\..\Run: [Artn] "C:\PROGRA~1\COMMON~1\PPPATC~1\nslookup.exe" -vt tzt
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveXControl) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CCS\Services\Tcpip\..\{638155F5-0EBE-4DAE-BB9C-62DF0F52BD08}: NameServer = 85.255.115.158,85.255.112.107
O20 - Winlogon Notify: winykm32 - winykm32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\winstall.exe
C:\Program Files\SpySheriff <== folder
C:\WINDOWS\SYSTEM32\DMMLR.EXE
C:\WINDOWS\SYSTEM32\CSLUR.EXE

Next folders you have to delete are a bit difficult, because this infection uses names of similar looking legit folders and I don't want you to delete the legit ones. So watch out here!!!

Delete next folders:

C:\WINDOWS\??pPatch <== this folder, most probably it will look like Appatch. BUT BE CAREFUL HERE!! There is also a legit Appatch folder present in your Windows folder. The legit/good folder will contain dll files and sdb files. DON'T delete that Appatch folder! The bad Appatch folder contains next file: s?rvices.exe (most probably it will look like services.exe)

Delete next folder:

C:\PROGRAM FILES\COMMON FILES\PPPATC...<== this folder, most probably this one will be also called Appatch and contains the file nslookup.exe

* Still in safe mode Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply
together with a fresh HijackThis log and the ewido-log so I can take another look.

Edited by miekiemoes, 13 March 2006 - 06:29 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
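
Several of the entries ticked in post #4 share recognisable traits (loopback Hosts redirects, missing target files, '?' in a path, an empty DPF source, public NameServer values), which this Python triage script checks on lines copied from the logs in this thread. It is an added example, not part of any post and not part of HijackThis; the rule set and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.193.205.104 www.symantec.com
O1 - Hosts: 127.77.189.12 windowsupdate.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} - C:\WINDOWS\System32\jiql.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [jbrug.exe] C:\WINDOWS\System32\jbrug.exe
O4 - HKCU\..\Run: [Kfefjii] C:\WINDOWS\??pPatch\s?rvices.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{638155F5-0EBE-4DAE-BB9C-62DF0F52BD08}: NameServer = 85.255.115.158,85.255.112.107
O20 - Winlogon Notify: winykm32 - winykm32.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")         # "O4 - <body>"
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")          # "Hosts: <ip> <name>"
NAMESERVER = re.compile(r"NameServer = (.+)$")
# '?' is not a legal character in a Windows file name, so a '?' inside a
# drive path means the real name holds characters the log did not render.
QMARK_IN_PATH = re.compile(r'[A-Za-z]:\\[^"/]*\?')


def _ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def reasons_for(section, body):
    """Heuristic reasons (assumed rule set) to review one log entry."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("target file is not on disk")
    if QMARK_IN_PATH.search(body):
        reasons.append("'?' inside a Windows path (unrendered characters)")
    if section == "O1":
        m = HOSTS.match(body)
        ip = _ip(m.group(1)) if m else None
        if ip is not None and ip.is_loopback and m.group(2).lower() != "localhost":
            reasons.append("hosts file sends %s to loopback %s" % (m.group(2), ip))
    if section == "O2" and "BHO: (no name)" in body:
        reasons.append("browser helper object registered without a name")
    if section == "O16" and body.rstrip().endswith("} -"):
        reasons.append("ActiveX (DPF) entry with no download source")
    if section == "O17":
        m = NAMESERVER.search(body)
        addrs = [_ip(a) for a in m.group(1).split(",")] if m else []
        public = [str(a) for a in addrs if a is not None and not a.is_private]
        if public:
            reasons.append("DNS servers outside private ranges, verify owner: "
                           + ", ".join(public))
    return reasons


def triage(log_text):
    """Return (section, body, reasons) for every entry that trips a rule."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        reasons = reasons_for(m.group(1), m.group(2))
        if reasons:
            flagged.append((m.group(1), m.group(2), reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print("%-3s %s" % (section, body))
        for reason in reasons:
            print("      -> " + reason)
```

The Run entry `[jbrug.exe]`, which post #4 also fixes, passes every rule here, so a pattern check like this narrows the list for review but does not replace reading the log.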

#5 xstxaxrsx


Posted 14 March 2006 - 01:41 AM

Ok Here are the logs:

Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:05:53 PM, 3/13/2006
+ Report-Checksum: 494CF14A

+ Scan result:

C:\counter.cab/counter.exe -> Dropper.Small.ls : Cleaned with backup
C:\Documents and Settings\Chris\.jpi_cache\file\1.0\Dummy.class-319fb935-6fd44e1e.class -> Trojan.Nocheat : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\backups\backup-20060313-170741-189.dll -> Adware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\4E9707CE-43A5-4C5C-B1EE-157D72\91615FF7-853E-4AC2-A304-A4242D -> Adware.SBSoft : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5687C2E9-136F-4EBB-A9D6-9EF733\CB9FCC0A-3370-4AB5-B3BF-29E75E -> Hijacker.Small.kb : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\12999.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\13371.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\21161.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\21738.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\22022.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\23717.exe -> Not-A-Virus.Hoax.Win32.Renos.bm : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\24416.exe -> Not-A-Virus.Hoax.Win32.Renos.bm : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\25150.exe -> Not-A-Virus.Hoax.Win32.Renos.bm : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\2741.exe -> Not-A-Virus.Hoax.Win32.Renos.bm : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\4297.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\4682.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Chris\Local Settings\Temp\9515.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Chris\Start Menu\Programs\SpySheriff -> Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Chris\Start Menu\Programs\SpySheriff\SpySheriff.lnk -> Adware.SpySheriff : Cleaned with backup
C:\My Downloads\mirror_plugin.exe -> Downloader.INService : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.117:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.124:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.125:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.126:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.127:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.129:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.130:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.131:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.132:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.134:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.137:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.138:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.139:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.147:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.148:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.149:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.151:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.152:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.155:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.159:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.160:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.188:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.190:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.193:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.194:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.198:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.199:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.200:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.201:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.202:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.203:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.207:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.211:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.238:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.239:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.241:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.242:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.243:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.244:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.250:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.254:C:\RECYCLER\NPROTECT\03584170.MOZ -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.36:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.38:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.39:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.40:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.41:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.42:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.43:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.44:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.45:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.46:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.47:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.48:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.49:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.50:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.52:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.53:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.56:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.57:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.58:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.59:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.60:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.61:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.62:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.63:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.64:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.65:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.67:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.68:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.69:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.70:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.71:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.72:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.73:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.74:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.75:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.76:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.77:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.78:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.80:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.97:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.101:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.106:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.113:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.117:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.124:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.125:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.126:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.127:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.129:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.130:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.131:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.132:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.133:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.134:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.137:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.138:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.139:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.147:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.148:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.149:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.151:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.152:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.155:C:\RECYCLER\NPROTECT\03584213.MOZ -> TrackingCookie.Bfast : Cleaned wit

#6 xstxaxrsx


Posted 14 March 2006 - 01:48 AM

It looks like I can only post so much text... so I will continue with the post in sections from the point where I see that the last one got cut off.

e-wido:

C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc11\mullbin1[1].exe -> Downloader.Small.ckr : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc12\!update-3595[1].0000 -> Downloader.PurityScan.bw : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc13\sex[1].exe -> Downloader.Agent.tc : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc13\srvlbin6[1].exe -> Trojan.Dialer.oy : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc13\YazzleActiveX[1].cab/YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc14\!update-3600[1].0000 -> Downloader.PurityScan.bz : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc14\srvlbin4[1].exe -> Downloader.Small.ckr : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc8.exe -> Trojan.Favadd.ar : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-1580818891-1957994488-1004\Dc9.exe -> Hijacker.Small : Cleaned with backup
C:\WINDOWS\system32\msfaol.dll -> Adware.ClientMan : Cleaned with backup
C:\WINDOWS\system32\msiaih.dll -> Adware.Ipend : Cleaned with backup
C:\WINDOWS\system32\msnimk.gif -> Adware.Ipend : Cleaned with backup
C:\WINDOWS\system32\oins.exe -> Dropper.PurityScan.ad : Cleaned with backup
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup


::Report End

here is the Panda Online log:


Incident Status Location

Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Chris\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a49d9f1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Chris\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a49d9f1.zip[VBUG.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Chris\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a49d9f1.zip[Dummy.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Chris\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a49d9f1.zip[Beyond.class]
Adware:Adware/Startpage.JU Not disinfected C:\Documents and Settings\Chris\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a49d9f1.zip[winmodem.exe]
Adware:Adware/Startpage.JK Not disinfected C:\Documents and Settings\Chris\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a49d9f1.zip[rundll32.exe]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\cookies.txt[]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-7e0c0f66.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-53fdd0e9.zip[InstallerApplet.class]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Chris\Desktop\backups\backup-20060313-170740-984.dll
Virus:Trj/Downloader.CUJ Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\13539.exe
Virus:Trj/Downloader.CUJ Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\16079.exe
Virus:Trj/Downloader.CUJ Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\19940.exe
Adware:Adware/SpyAxe Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\8080.exe
Virus:Trj/Downloader.CUJ Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\8799.exe
Virus:Trj/Downloader.CUJ Not disinfected C:\Documents and Settings\Chris\Local Settings\Temp\8826.exe
Virus:Trj/Qhost.gen Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050214-111239.backup
Virus:Trj/Qhost.gen Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20060221-180210.backup
Virus:Trj/PWSteal.AE Not disinfected C:\WINDOWS\system32\jbprd.exe
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\system32\msdipo.dll
Spyware:Spyware/Omi Not disinfected C:\WINDOWS\system32\msfdje.gif
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\system32\msglji.gif
Spyware:Spyware/Omi Not disinfected C:\WINDOWS\system32\mshpeb.dll



And finally, here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:38:18 PM, on 3/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?P...ie5update&O1=b1
R3 - URLSearchHook: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\qhy2ko6o.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:17 PM

Posted 14 March 2006 - 06:55 AM

Hello,

Looking much better! :thumbsup:

Just some leftovers now.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {ED2E7547-96D7-B420-A5FC-E63B8B007290} - (no file)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete the following files:

C:\WINDOWS\system32\drivers\etc\hosts.20050214-111239.backup <== don't delete hosts!
C:\WINDOWS\system32\drivers\etc\hosts.20060221-180210.backup <== don't delete hosts!
C:\WINDOWS\system32\jbprd.exe
C:\WINDOWS\system32\msdipo.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\msglji.gif
C:\WINDOWS\system32\mshpeb.dll

Run ATF-Cleaner again!

Then Update your Java and clean the Java Cache!

Updating Java and Clearing Cache
  • Go to Start > Control Panel, then double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 xstxaxrsx


Posted 14 March 2006 - 11:37 AM

Thanks so much! Everything seems to be working great now... the only thing I see is that a balloon pops up from the AVG icon on the taskbar saying my internal virus database is out of date. Is this because I only have XP Service Pack 1? I have tried to get Service Pack 2, but when I go to Control Panel ==> System ==> Automatic Updates everything is grayed out so I cannot update to SP2. How can I override this?

#9 miekiemoes


Posted 14 March 2006 - 12:03 PM

Hello,

"the only thing I see is that a balloon pops up from the AVG icon on the taskbar saying my internal virus database is out of date"


This means you need to update your AVG. It could be possible that the update server is blocked in your hosts file, so perform the following:

* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Most probably your Windows Update is also blocked in your hosts file.

However, there's something extra I would like to check as well, so perform the next steps:

Download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
Click > scan then > next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.

Also perform the following:

Open Notepad and copy and paste the following bold text from the quote box into it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
regedit /e peek4.txt "HKEY_CURRENT_USER\Software\Microsoft\Security Center"
regedit /e peek5.txt "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall"
regedit /e peek6.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
type peek4.txt >> look.txt
type peek5.txt >> look.txt
type peek6.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat, choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Double-click look.bat and Notepad will open.
Copy and paste the contents also in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
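
The hosts-file check suggested in the post above (an update server blocked through the hosts file), as an added example that is not part of the original thread. The watch-list of domain suffixes and the sample hosts file are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: illustrative watch-list of update/vendor domain suffixes,
# not taken from the thread. Adjust to the products actually installed.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                    "avg.com", "grisoft.com")

# Constructed sample hosts file (not from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avg.com   # constructed blocking entry
0.0.0.0 update.microsoft.com download.windowsupdate.com
192.0.2.10\tintranet.example
not-an-ip       broken.line
127.0.0.1 notavg.com
"""


def is_watched(host):
    """True if host equals a watched suffix or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(hosts_text):
    """Return (line number, address, hostname) for every watched name that the
    hosts file overrides; such names should normally resolve through DNS."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for host in fields[1:]:               # one address may carry aliases
            if is_watched(host):
                findings.append((lineno, str(addr), host.lower()))
    return findings


if __name__ == "__main__":
    for lineno, addr, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is forced to {addr}")
```

On Windows XP the file to read is %SystemRoot%\system32\drivers\etc\hosts; pass its contents to suspicious_entries() instead of the sample.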

#10 xstxaxrsx


Posted 14 March 2006 - 03:39 PM

Here is the file that was saved to the desktop from the blacklight program:

03/14/06 12:16:50 [Info]: BlackLight Engine 1.0.33 initialized
03/14/06 12:16:50 [Info]: OS: 5.1 build 2600 (Service Pack 1)
03/14/06 12:16:50 [Note]: 7019 4
03/14/06 12:16:50 [Note]: 7005 0
03/14/06 12:16:52 [Note]: 7006 0
03/14/06 12:16:52 [Note]: 7011 1392
03/14/06 12:16:53 [Note]: FSRAW library version 1.7.1015
03/14/06 12:33:01 [Note]: 7007 0

I also did the look.bat thing, but after the program runs and opens "look.txt" in notepad, there is nothing contained in the notepad file.

#11 miekiemoes


Posted 14 March 2006 - 03:51 PM

Hmm, strange.
Could be that the path variable got corrupted here (already the third person this day with that problem).

OK, try the following:

Download FIXPATH2.ZIP. Extract the files to a folder in C:\, like C:\FIXPATH2.

RUNNING THE PROGRAM:
  • Open a command prompt window by going to Start > Run and typing: cmd
    In the command prompt, type: cd C:\

    So you should get C:\>

    Then type: cd FIXPATH2

    So you should get: C:\>fixpath2

    Then type: FIXPATH.EXE
  • It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
  • If it successfully updates the Path value in the registry, you will need to
    reboot for the change to take effect.
After reboot, as a test, go to Start > Run and type cmd
Then the command prompt opens.
Then type regedit
This should open your registry editor.
In case it opens, this means that the problem is fixed.

Then try to run look.bat again.

#12 xstxaxrsx


Posted 14 March 2006 - 04:13 PM

I did all of that...regedit does make the registry editor open, but there is still nothing produced from look.bat. It displays a blank notepad doc.

#13 miekiemoes


Posted 14 March 2006 - 04:22 PM

It should not open in a doc. It should open in Notepad.
After you created the above batch (look.bat), does it look like this?
Posted Image

If you right-click look.bat, and choose Edit, does it contain this?

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
regedit /e peek4.txt "HKEY_CURRENT_USER\Software\Microsoft\Security Center"
regedit /e peek5.txt "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall"
regedit /e peek6.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
type peek4.txt >> look.txt
type peek5.txt >> look.txt
type peek6.txt >> look.txt
del peek*.txt
start notepad look.txt


Please let me know.

Edited by miekiemoes, 14 March 2006 - 04:23 PM.


#14 xstxaxrsx


Posted 14 March 2006 - 04:49 PM

Perhaps I used the wrong terminology. look.txt does open in notepad. Also, when I click edit to look.bat, it looks the same as your post.

#15 miekiemoes


Posted 14 March 2006 - 05:14 PM

OK, can you right-click on look.bat and choose Edit.
The contents will open in Notepad now.

Delete the following line in it:

del peek*.txt

And close look.bat again. It will ask you if you want to save the changes, click Yes.

Now double-click look.bat again and this should create a couple of txt files on your desktop (peek1.txt, peek2.txt, peek3.txt...). Copy and paste the contents of those peek txt files in your next reply.

Strange though, since I use the type command, it should all be present in look.txt.



