Need Help Getting Rid Of Msgrpics


30 replies to this topic

#1 MetallicACDC


Posted 19 December 2007 - 06:20 PM

I know this is exactly what I picked up recently and need some help getting rid of it. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:55 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\GW Maps\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.28.180.123/privacyASP.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [net32] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\..\{D59BC085-F7BA-4580-966A-E00FF22E9977}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS2\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityCOMSysApp (FastUserSwitchingCompatibilityCOMSysApp) - Unknown owner - C:\WINDOWS\system32\arpr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmdfx.exe (file missing)

--
End of file - 8561 bytes

#2 RichieUK, Malware Response Team

Posted 20 December 2007 - 09:21 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, MetallicACDC.
My name is Richie and I'll be helping you to fix your problems.

Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch; if it doesn't, launch it manually.
Please click Scan, and checkmark the following items:

O4 - HKLM\..\Run: [net32] C:\WINDOWS\svhost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\..\{D59BC085-F7BA-4580-966A-E00FF22E9977}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS2\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmdfx.exe (file missing)


Click 'Fix Checked'.
Close HijackThis, and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Post the contents of the logfile C:\fixwareout\report.txt into your next reply.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, then restart your computer.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
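As an added example (not part of this thread, FixWareout, HijackThis or any other tool mentioned here), the script below triages a HijackThis log for the three indicator classes Richie singled out above: O17 NameServer entries pointing at resolvers outside the local network, an O4 Run entry whose binary name is a near-miss of a Windows process name, and an O23 service whose binary is reported missing. The sample lines are constructed from the entries quoted in the thread; the list of system process names and the trusted-resolver allowlist are assumptions.

```python
"""Triage a HijackThis log for DNS-hijack and lookalike-binary indicators."""
import ipaddress
import re

# Constructed sample modelled on the entries quoted in this thread. The O17
# values show both separators HijackThis prints (comma per interface, space
# for the global Parameters key); the 192.168.1.1 line is a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [net32] C:\WINDOWS\svhost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{D59BC085-F7BA-4580-966A-E00FF22E9977}: NameServer = 192.168.1.1
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmdfx.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
EXE_RE = re.compile(r"([^\\/\s\"]+)\.exe\b", re.IGNORECASE)

# Assumed list of Windows process names that malware likes to imitate.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services",
                "spoolsv", "explorer", "rundll32", "smss")


def edit_distance(a, b):
    """Classic Levenshtein distance; the names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename):
    """Return the system binary a basename imitates (edit distance 1), else None."""
    stem = re.sub(r"\.exe$", "", basename.lower())
    for legit in SYSTEM_NAMES:
        if stem != legit and edit_distance(stem, legit) == 1:
            return legit + ".exe"
    return None


def resolver_findings(servers, trusted=frozenset()):
    """Split a NameServer value (comma or space separated) and return
    (ip, reason) for every address that is neither local nor trusted."""
    flagged = []
    for tok in re.split(r"[ ,]+", servers.strip()):
        if not tok:
            continue
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            flagged.append((tok, "not an IP address"))
            continue
        if tok in trusted or ip.is_private or ip.is_loopback:
            continue  # home router or an allow-listed corporate resolver
        flagged.append((tok, "public resolver outside the trusted list"))
    return flagged


def scan_log(text, trusted=frozenset()):
    """Walk the log line by line and collect findings as dicts."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            for ip, reason in resolver_findings(m["servers"], trusted):
                findings.append({"section": "O17", "subject": m["key"],
                                 "value": ip, "reason": reason})
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m["cmd"])
            legit = lookalike_of(exe.group(0)) if exe else None
            if legit:
                findings.append({"section": "O4", "subject": m["name"],
                                 "value": exe.group(0), "reason": f"looks like {legit}"})
            continue
        m = O23_RE.match(line)
        if m and m["missing"]:
            findings.append({"section": "O23", "subject": m["name"],
                             "value": m["path"], "reason": "binary missing; orphaned service"})
    return findings


def resolver_spread(findings):
    """Count how many O17 keys each flagged resolver appears under. The same
    pair under CCS, CS1 and CS2 in this thread means every control set was
    written, so a fix applied through the GUI alone may not reach all of them."""
    spread = {}
    for f in findings:
        if f["section"] == "O17":
            spread[f["value"]] = spread.get(f["value"], 0) + 1
    return spread


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f['section']}] {f['subject']}: {f['value']} -> {f['reason']}")
    print("resolver spread:", resolver_spread(results))
```

To triage a real log, read the file into the `text` argument of `scan_log` and pass your ISP's or corporate resolvers in `trusted` so they are not reported.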

#3 MetallicACDC, Topic Starter

Posted 21 December 2007 - 06:54 PM

Thanks for your help thus far, Richie! I truly appreciate all the help you've given me, and the time it took to give me the help.
I'd like to point out that when running the HijackThis scan after running Fixwareout (when you told me to check certain items), there were some items that were not on the list. They were (all but the first one):
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\..\{D59BC085-F7BA-4580-966A-E00FF22E9977}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O17 - HKLM\System\CS2\Services\Tcpip\..\{AD5B24FF-C313-4539-93DB-F485EA621D65}: NameServer = 85.255.116.146,85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.146 85.255.112.196
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmdfx.exe (file missing)

Here is the Fixwareout report:

Username "Michael" - 12/21/2007 17:44:18 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
Service: "Windows Management Service" = C:\WINDOWS\System32\dmdfx.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.146 85.255.112.196" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AD5B24FF-C313-4539-93DB-F485EA621D65}
"nameserver"="85.255.116.146,85.255.112.196" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D59BC085-F7BA-4580-966A-E00FF22E9977}
"nameserver"="85.255.116.146,85.255.112.196" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AD5B24FF-C313-4539-93DB-F485EA621D65}
"DhcpNameServer"="85.255.116.146,85.255.112.196" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C924228B-6E6A-4F70-B2F6-DC7AD392166E}
"DhcpNameServer"="85.255.116.146,85.255.112.196" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}40F8DCD91875-C2A9-6AD4-3884-E78C211F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E188FC18ADBF-3919-F404-F7B1-F2FFF448{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}E8AADA92561B-A5BB-9474-5C01-A839FA30{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}59126C6472DB-6078-8344-9034-C6BC553F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}95D584FAB024-A869-25A4-C80B-8382D98B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}AD4C2A737C3B-8F18-4EC4-971C-D9885538{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D8EAA53B7C68-020A-52D4-8960-076723A4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}912EAD03686A-2E99-3BF4-773C-8DE2F0B8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3D379C1D9A88-CE89-6934-C98A-BCFB1259{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4DB9318DF270-C438-B304-26E7-22E21C8A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F2F1882D6904-2198-CD54-AB6C-BB159137{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xfdmd" Deleted
....
~~~~~ Misc files.
C:\WINDOWS\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"DXDllRegExe"="dxdllreg.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"net32"="C:\\WINDOWS\\svhost.exe"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~





The ComboFix log:

ComboFix 07-12-22.1 - Michael 2007-12-21 18:27:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT -5:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Guest\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Guest\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\temp\iee
C:\WA6P
C:\WINDOWS\system32\stera.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 18:37 . 2007-12-22 18:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-21 18:23 . 2007-12-21 18:23 <DIR> d-------- C:\Program Files\Sun
2007-12-21 18:23 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-21 18:17 . 2007-12-21 18:17 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 23:23 --------- d-----w C:\Program Files\Java
2007-12-21 23:13 --------- d-----w C:\Documents and Settings\Michael\Application Data\Xfire
2007-12-21 22:45 --------- d-s---w C:\Program Files\Xfire
2007-12-21 02:56 --------- d-----w C:\Documents and Settings\Dad\Application Data\Apple Computer
2007-12-18 22:25 --------- d-----w C:\Documents and Settings\Michael\Application Data\uTorrent
2007-12-13 23:17 --------- d-----w C:\Program Files\Omerta Script
2007-11-23 18:51 --------- d-----w C:\Documents and Settings\Michael\Application Data\teamspeak2
2007-11-19 22:42 --------- d-----w C:\Program Files\EphPod
2007-10-07 01:25 28,868,320 ----a-w C:\FileFormatConverters.exe
2007-09-24 21:21 51,422,520 ----a-w C:\Program Files\iTunes742Setup.exe
2006-11-16 13:05 0 ----a-w C:\Program Files\Common Files\err.log
2006-08-23 21:41 1,033,879 ----a-w C:\Program Files\wrar360.exe
2006-08-09 14:17 29,853,358 ----a-w C:\Program Files\DBViewer.rar
2006-08-09 14:08 23,510,720 ----a-w C:\Program Files\dotnetfx.exe
2006-02-05 06:15 2,010,624 ----a-w C:\Program Files\ventrilo-2.3.0-Windows-i386.exe
2005-08-28 03:59 3,266,519 ----a-w C:\Program Files\Teamspeak2_RC2.exe
2005-08-20 21:46 254 ----a-w C:\Program Files\Hey_Jude.asx
2005-07-05 05:18 7,290,120 ----a-w C:\Program Files\setup.exe
2005-07-05 05:18 1,002,752 ----a-w C:\Program Files\JournalViewer1.5_KB886179_ENU.exe
2005-05-04 10:31 1,103,367 ----a-w C:\Documents and Settings\Dad\s-t-i-n-g-e-r.exe
2005-05-01 02:16 2,636,408 ----a-w C:\Documents and Settings\All Users\aawsepersonal.exe
2005-05-01 02:10 49,152 ----a-w C:\Documents and Settings\All Users\pcOrionInstaller.exe
2005-05-01 01:57 876,492 ----a-w C:\Documents and Settings\All Users\noadware.exe
2005-05-01 01:33 534,104 ----a-w C:\Documents and Settings\All Users\psa2011_ytb01_DLM_enu_full.exe
2005-04-27 17:43 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-04-25 21:55 36,769,215 ----a-w C:\Program Files\dx90b_redist.exe
2007-04-21 16:51 32,636 --sh--r C:\WINDOWS\system32\accwizv.exe
2007-05-08 23:06 32,660 --sh--r C:\WINDOWS\system32\appendv.exe
2007-04-10 13:15 32,108 --sh--r C:\WINDOWS\system32\arpr.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2005-05-30 12:48:24 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 49,152 2003-08-04 21:28:18 C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe

----a-w 241,664 2003-12-22 13:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 241,664 2003-12-22 12:38:42 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,064 2007-09-14 14:00:06 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 36,975 2004-12-07 01:31:50 C:\Program Files\Java\jre1.5.0_01\bin\bak\jusched.exe

----a-w 1,111,040 2005-03-23 19:47:02 C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe

----a-w 5,354,792 2006-07-29 23:34:04 C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe
----a-w 5,674,352 2007-01-19 17:54:56 C:\Program Files\MSN Messenger\msnmsgr.exe

----a-w 77,824 2005-04-21 00:58:38 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 253,650 2006-11-21 02:12:50 C:\Program Files\Xfire\bak\xfiremusic.exe

----a-w 118,784 2004-02-10 15:51:30 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2004-02-10 15:55:32 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 176,128 2004-01-05 07:27:30 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe
----a-w 176,128 2004-01-05 07:27:30 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 21:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 02:27]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" []
"DXDllRegExe"="dxdllreg.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-02-24 08:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" []
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-05-20 18:42:47]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2007-12-04 21:25:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 11:28 684032 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Update 3300C]
C:\sj650\hpupdate.exe 3300C+

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
2002-06-13 14:01 49152 --a------ C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE /background

S0 ptrukkwy;ptrukkwy;C:\WINDOWS\system32\drivers\ykjyjuig.sys []
S2 FastUserSwitchingCompatibilityCOMSysApp;Fast User Switching Compatibility FastUserSwitchingCompatibilityCOMSysApp;C:\WINDOWS\system32\arpr.exe srv []
S2 FastUserSwitchingCompatibilityCOMSysAppShellHWDetection;Fast User Switching Compatibility FastUserSwitchingCompatibilityCOMSysApp FastUserSwitchingCompatibilityCOMSysAppShellHWDetection;C:\WINDOWS\system32\appendv.exe srv []
S2 usnjsvcNVSvc;Messenger Sharing Folders USN Journal Reader service usnjsvcNVSvc;C:\WINDOWS\system32\accwizv.exe srv []
S3 dump_wmimmc;dump_wmimmc;C:\Documents and Settings\Michael\Desktop\2Moons\bin\GameGuard\dump_wmimmc.sys []
S3 jbridgep;jbridgep;C:\DOCUME~1\Michael\LOCALS~1\Temp\jbridgep.sys []
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2007-09-06 12:28]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 15:28:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-16 12:56:00 C:\WINDOWS\Tasks\WebReg 20060124075639.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20060124075639 /N
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 18:38:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
Completion time: 2007-12-22 18:44:30 - machine was rebooted



And the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:53 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Michael\Desktop\GW Maps\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.28.180.123/privacyASP.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityCOMSysApp (FastUserSwitchingCompatibilityCOMSysApp) - Unknown owner - C:\WINDOWS\system32\arpr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8766 bytes

#4 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 21 December 2007 - 07:20 PM

Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.

#5 MetallicACDC
  • Topic Starter
  • Members
  • 98 posts

Posted 21 December 2007 - 08:17 PM

When I press any key to continue, I have a choice between:

Press 1 then Enter to scan for bak folders
Press 2 then Enter to restore files from bak folders
Press 3 then Enter to remove bak folders
Press 4 then Enter to reset domain zones
Press E then Enter to EXIT

Which should I choose?

#6 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 21 December 2007 - 08:22 PM

Press 1 then Enter to scan for bak folders

#7 MetallicACDC
  • Topic Starter
  • Members
  • 98 posts

Posted 21 December 2007 - 09:08 PM

Ok, here is the AWF.txt file.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 12/21/2007
The current time is: 21:01:14.28


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\COMMON~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

07/29/2006 06:34 PM 5,354,792 MsnMsgr.Exe
1 File(s) 5,354,792 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/20/2005 07:58 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\XFIRE\BAK

11/20/2006 09:12 PM 253,650 xfiremusic.exe
1 File(s) 253,650 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 10:51 AM 118,784 hkcmd.exe
02/10/2004 10:55 AM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 04:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK

03/23/2005 02:47 PM 1,111,040 MSKDetct.exe
1 File(s) 1,111,040 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/30/2005 07:48 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

12/06/2004 08:31 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/05/2004 02:27 AM 176,128 hpztsb09.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

51422520 Sep 24 2007 "C:\Program Files\iTunes742Setup.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 24 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
116008 Dec 1 2007 "C:\Documents and Settings\Michael\Local Settings\Application Data\Apple\Apple Software Update\iTunesSetupAdmin.exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\msnmsgr.exe"
5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
77824 Apr 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
253650 Nov 20 2006 "C:\Program Files\Xfire\bak\xfiremusic.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Jan 13 2003 "C:\DELL\drivers\R55351\Graphics\Win2000\hkcmd.exe"
114688 Jan 13 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\hkcmd.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Jan 13 2003 "C:\DELL\drivers\R55351\Graphics\Win2000\igfxtray.exe"
155648 Jan 13 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\igfxtray.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
1111040 Mar 23 2005 "C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
180269 May 30 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
126976 Sep 24 2007 "C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\bak\jusched.exe"
176128 Jan 5 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
176128 Jan 5 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


end of report

#8 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 21 December 2007 - 09:24 PM

Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
A text file will open up.
Please copy and paste the following bold text inside the quote box below into the text file:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Xfire\bak\xfiremusic.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
"C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.

#9 MetallicACDC
  • Topic Starter
  • Members
  • 98 posts

Posted 21 December 2007 - 10:07 PM

Done; here's the new report.


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 12/21/2007
The current time is: 21:58:09.29


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\COMMON~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

07/29/2006 06:34 PM 5,354,792 MsnMsgr.Exe
1 File(s) 5,354,792 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/20/2005 07:58 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\XFIRE\BAK

11/20/2006 09:12 PM 253,650 xfiremusic.exe
1 File(s) 253,650 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/10/2004 10:51 AM 118,784 hkcmd.exe
02/10/2004 10:55 AM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 04:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK

03/23/2005 02:47 PM 1,111,040 MSKDetct.exe
1 File(s) 1,111,040 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/30/2005 07:48 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

12/06/2004 08:31 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/05/2004 02:27 AM 176,128 hpztsb09.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

51422520 Sep 24 2007 "C:\Program Files\iTunes742Setup.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 24 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
116008 Dec 1 2007 "C:\Documents and Settings\Michael\Local Settings\Application Data\Apple\Apple Software Update\iTunesSetupAdmin.exe"
5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
77824 Apr 20 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Apr 20 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
253650 Nov 20 2006 "C:\Program Files\Xfire\xfiremusic.exe"
253650 Nov 20 2006 "C:\Program Files\Xfire\bak\xfiremusic.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Jan 13 2003 "C:\DELL\drivers\R55351\Graphics\Win2000\hkcmd.exe"
114688 Jan 13 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\hkcmd.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Jan 13 2003 "C:\DELL\drivers\R55351\Graphics\Win2000\igfxtray.exe"
155648 Jan 13 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\igfxtray.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
1111040 Mar 23 2005 "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe"
1111040 Mar 23 2005 "C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
180269 May 30 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 May 30 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
126976 Sep 24 2007 "C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\bak\jusched.exe"
176128 Jan 5 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
176128 Jan 5 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


end of report
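The two FindAWF reports above (before and after option 2) list each file in a bak folder beside the live copy one directory up. As an added example, not FindAWF's own code nor from either post, this Python parser reads that section and reports the live files that still differ from their bak copy; the sample input is constructed from a few lines of those reports, and the size-and-date comparison is this example's own check, not something FindAWF prints.

```python
"""Pair FindAWF 'bak' copies with their live files and flag the ones that still differ.

Added example for this thread, not part of FindAWF or of either post.  AWF replaces an
autostart executable and keeps the original in a 'bak' sub-folder, so a live file whose
size or date differs from its bak copy is still the replaced one; after option 2 they match.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# One line of the 'Duplicate files of bak directory contents' section: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


class Entry(NamedTuple):
    size: int
    date: str
    path: str


class Pairing(NamedTuple):
    bak: Entry
    live: Optional[Entry]  # None when nothing is listed one directory up
    restored: bool         # True when the live file matches its bak copy exactly


def parse_duplicates(report: str) -> List[Entry]:
    """Return the size/date/path entries of the duplicates section, in order."""
    entries: List[Entry] = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif in_section and line.startswith("end of report"):
            break
        elif in_section and (match := LINE_RE.match(line)):
            entries.append(Entry(int(match.group(1)), match.group(2), match.group(3)))
    return entries


def live_path_for(bak_path: str) -> Optional[str]:
    """Map a file inside a 'bak' folder to the same name one directory up."""
    head, sep, name = bak_path.rpartition("\\")
    parent, _, folder = head.rpartition("\\")
    if not sep or folder.lower() != "bak":
        return None  # not a bak copy (e.g. the iTunes installer listed in the report)
    return parent + "\\" + name


def pair_bak_files(entries: List[Entry]) -> List[Pairing]:
    """Match every bak copy to its live counterpart; Windows paths compare case-insensitively."""
    by_path: Dict[str, Entry] = {e.path.lower(): e for e in entries}
    pairings: List[Pairing] = []
    for entry in entries:
        expected = live_path_for(entry.path)
        if expected is None:
            continue
        live = by_path.get(expected.lower())
        restored = live is not None and (live.size, live.date) == (entry.size, entry.date)
        pairings.append(Pairing(entry, live, restored))
    return pairings


def unrestored(report: str) -> List[str]:
    """Live paths whose bak copy is missing or differs: candidates for review, not proof
    of infection, since a program legitimately updated after AWF made its bak copy (the
    newer msnmsgr.exe in the first report) differs from that copy just the same."""
    return [p.live.path if p.live else live_path_for(p.bak.path)
            for p in pair_bak_files(parse_duplicates(report)) if not p.restored]


# Constructed from a few lines of the report posted before option 2 was run.
BEFORE_RESTORE = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

51422520 Sep 24 2007 "C:\Program Files\iTunes742Setup.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\msnmsgr.exe"
5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
253650 Nov 20 2006 "C:\Program Files\Xfire\bak\xfiremusic.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"

end of report
"""

# Constructed from the report posted after option 2 (the same files, now matching).
AFTER_RESTORE = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
253650 Nov 20 2006 "C:\Program Files\Xfire\xfiremusic.exe"
253650 Nov 20 2006 "C:\Program Files\Xfire\bak\xfiremusic.exe"

end of report
"""
```

Running `unrestored(BEFORE_RESTORE)` returns the iTunes, MSN Messenger and Xfire live paths (the Xfire one because no live copy is listed at all), and `unrestored(AFTER_RESTORE)` returns an empty list.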

#10 MetallicACDC
  • Topic Starter
  • Members
  • 98 posts

Posted 21 December 2007 - 10:15 PM

By the way, my MSN Messenger is now not working. Did FindAWF delete it or something?

#11 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 07:30 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\Program Files\iTunes\bak
C:\Program Files\MSN Messenger\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Xfire\bak
C:\WINDOWS\system32\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\McAfee\SpamKiller\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.5.0_01\bin\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Restart your pc, post a new Hijackthis log please.

#12 MetallicACDC
  • Topic Starter
  • Members
  • 98 posts

Posted 22 December 2007 - 05:29 PM

Ok, here are the OTMoveIt results:

C:\Program Files\iTunes\bak moved successfully.
C:\Program Files\MSN Messenger\bak moved successfully.
C:\Program Files\QuickTime\bak moved successfully.
C:\Program Files\Xfire\bak moved successfully.
C:\WINDOWS\system32\bak moved successfully.
C:\Program Files\HP\hpcoretech\bak moved successfully.
C:\Program Files\HP\HP Software Update\bak moved successfully.
C:\Program Files\McAfee\SpamKiller\bak moved successfully.
C:\Program Files\Common Files\Real\Update_OB\bak moved successfully.
C:\Program Files\Java\jre1.5.0_01\bin\bak moved successfully.
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak moved successfully.

Created on 12222007_172323


And the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:50 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael\Desktop\GW Maps\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.28.180.123/privacyASP.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityCOMSysApp (FastUserSwitchingCompatibilityCOMSysApp) - Unknown owner - C:\WINDOWS\system32\arpr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8680 bytes

#13 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 05:45 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1.General
2.System requirements
3.Start your scan,then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up,click on 'Install'
Read the Licence Agreement,then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options',make sure 'Scan whole system' is selected.
Under 'Other Scan Options',make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded; this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.

#14 MetallicACDC

MetallicACDC
  • Topic Starter

  • Members
  • 98 posts
  • Local time:09:34 AM

Posted 22 December 2007 - 07:23 PM

On the F-Secure Online Virus Scanner, you said you check both "scan programs and documents" and "scan all files", but you can only choose one or the other. I'll wait for your reply to begin that scan. But I've completed the first scan.

Here is the SUPERAntiSpyware Scan Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/22/2007 at 07:08 PM

Application Version : 3.9.1008

Core Rules Database Version : 3366
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 01:02:32

Memory items scanned : 414
Memory threats detected : 0
Registry items scanned : 5702
Registry threats detected : 0
File items scanned : 41450
File threats detected : 275

Adware.Tracking Cookie

Trojan.Downloader-Gen/MS-Fake
C:\WINDOWS\SYSTEM32\JMMNXJXD.EXE
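A quick way to triage a SUPERAntiSpyware log like the one above, written as an added example that is not part of the thread: it separates the tracking-cookie noise from findings that need action, flags an executable sitting under C:\WINDOWS, and checks the declared 'File threats detected' count against the entries actually pasted so a truncated log is noticed. The embedded log is a constructed, shortened version of the posted one.

```python
import re
from collections import defaultdict

# Constructed, shortened log in the same layout as the one posted in the thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Application Version : 3.9.1008

Memory items scanned : 414
Memory threats detected : 0
Registry items scanned : 5702
Registry threats detected : 0
File items scanned : 41450
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Michael\Cookies\michael@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@winantivirus[1].txt
C:\Documents and Settings\LocalService\Cookies\system@upspiral[2].txt

Trojan.Downloader-Gen/MS-Fake
C:\WINDOWS\SYSTEM32\JMMNXJXD.EXE
"""

STAT_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)$")   # "Key : 123" header fields
PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # Windows drive path
COOKIE_FAMILIES = {"Adware.Tracking Cookie"}              # low-priority families

def parse_log(text):
    """Return (stats, findings): numeric header fields, and family -> paths.
    A detection block is a family name followed by paths until a blank line."""
    stats, findings, family = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            family = None                      # blank line ends the block
        elif (m := STAT_RE.match(line)):
            stats[m.group(1).strip()] = int(m.group(2))
        elif PATH_RE.match(line):
            if family:
                findings[family].append(line)
        else:
            family = line                      # candidate family for lines below
    return stats, dict(findings)

def triage(text):
    """Cookies are counted only; anything else is listed, and an executable
    under the Windows directory is flagged since droppers commonly hide there."""
    stats, findings = parse_log(text)
    cookies, threats = [], []
    for family, paths in findings.items():
        for path in paths:
            if family in COOKIE_FAMILIES:
                cookies.append(path)
            else:
                up = path.upper()
                system_exe = up.startswith("C:\\WINDOWS\\") and up.endswith(".EXE")
                threats.append({"family": family, "path": path, "system_exe": system_exe})
    declared = stats.get("File threats detected")
    complete = declared is None or declared == len(cookies) + len(threats)
    return {"cookies": len(cookies), "threats": threats, "complete": complete}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```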

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:34 PM

Posted 23 December 2007 - 05:09 AM

Now follow the F-Secure Online Virus Scanner instructions please.



