Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help Forums Windows Startup Programs Database Virus, Spyware, and Malware Removal Guides Computer Tutorials Uninstall Database File Database Computer Glossary Computer Resources
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
MalwareByte's Anti-Malware Download

> Forum Guidelines

Read this topic before posting a log.


DO NOT post a ComboFix log unless requested to.


Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

> URGENT- Infectd With Trojan-Clicker.Win32.Tiny.h, Getting tons of pop ups
lovesmagick
post Oct 16 2008, 08:14 PM
Post #1


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
I have completed all steps to prepare this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:20 PM, on 10/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\ProgramData\lyjcnmls\ngxqzibo.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\xurwlorw.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\xurwlorw.exe
c:\program files\google\googletoolbar1user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5404
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yaYstRIY.dll,#1
O4 - HKLM\..\RunOnce: [SpybotDeletingA1269] command /c del "C:\WINDOWS\System32\smp\msrc.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4909] cmd /c del "C:\WINDOWS\System32\smp\msrc.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [procset] C:\Windows\system32\xurwlorw.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Selene\AppData\Local\Temp\xxywWmjI.dll,#1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Selene\AppData\Local\Temp\hgGwXpNH.dll,c
O4 - HKCU\..\Run: [5cd2170e] rundll32.exe "C:\Users\Selene\AppData\Local\Temp\pvbfoxxw.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [8gMCpfqtul] C:\ProgramData\lyjcnmls\ngxqzibo.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-542174280-2833692572-3353137174-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-542174280-2833692572-3353137174-1000\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent (User 'IUSR_NMPR')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.rr.com
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://clubgames.pogo.com/online2/pogop/ma...mesLauncher.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 9622 bytes

This just happened this afternoon sad.gif Any help would be awesome
Thnks

Debbie
Go to the top of the page
 
+Quote Post
2 Pages V   1 2 >  
 Start new topic
Replies (1 - 14)
kahdah
post Oct 17 2008, 05:47 AM
Post #2


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
Hello lovesmagick

Welcome to BleepingComputer smile.gif
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 17 2008, 10:28 AM
Post #3


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
here are the logs:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Selene at 2008-10-17 08:26:23
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 170 GB (74%) free of 228 GB
Total RAM: 1013 MB (25% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:01 AM, on 10/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\lyjcnmls\ngxqzibo.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\xurwlorw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Selene\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Selene.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5404
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yaYstRIY.dll,#1
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [procset] C:\Windows\system32\xurwlorw.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Selene\AppData\Local\Temp\ljJYOFXN.dll,#1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [5cd2170e] rundll32.exe "C:\Users\Selene\AppData\Local\Temp\pvbfoxxw.dll",b
O4 - HKCU\..\Run: [AdmEnApp] C:\ProgramData\AdmEnApp\jcxmnuti.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Selene\AppData\Local\Temp\hgGwXpNH.dll,c
O4 - HKLM\..\Policies\Explorer\Run: [8gMCpfqtul] C:\ProgramData\lyjcnmls\ngxqzibo.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-542174280-2833692572-3353137174-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-542174280-2833692572-3353137174-1000\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent (User 'IUSR_NMPR')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.rr.com
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://clubgames.pogo.com/online2/pogop/ma...mesLauncher.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 9550 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
C:\Windows\tasks\McAfee Cleanup.job
C:\Windows\tasks\ParetoLogic Registration.job
C:\Windows\tasks\User_Feed_Synchronization-{156EADB6-B9AA-4DDF-BCA7-89801253E4B4}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-04-26 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-07-09 2549368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll [2008-07-09 654320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-09-04 121632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 546672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\google\BAE.dll [2006-01-31 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{981FE6A8-260C-4930-960F-C3BC82746CB0}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 546672]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-07-09 2549368]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-09-04 121632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=C:\Windows\system32\yaYstRIY.dll [2008-10-16 35840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"8gMCpfqtul"=C:\ProgramData\lyjcnmls\ngxqzibo.exe [2008-10-16 61440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"=C:\Program Files\IncrediMail\bin\IncMail.exe [2008-07-24 243072]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-09 68856]
"procset"=C:\Windows\system32\xurwlorw.exe [2008-10-16 86016]
"MSServer"=C:\User [2007-04-26 2]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"5cd2170e"=C:\User [2007-04-26 2]
"AdmEnApp"=C:\ProgramData\AdmEnApp\jcxmnuti.exe [2008-10-16 81920]
"cmds"=C:\User [2007-04-26 2]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E7602565-6B9E-49EC-B0B5-55F5CDA67DBB}"=C:\Windows\system32\yaYstRIY.dll [2008-10-16 35840]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-10-17 08:26:23 ----D---- C:\rsit
2008-10-17 06:27:28 ----D---- C:\ProgramData\UtilMonEn
2008-10-16 20:47:43 ----D---- C:\ProgramData\AdmEnApp
2008-10-16 18:01:07 ----A---- C:\Windows\wininit.ini
2008-10-16 14:19:04 ----D---- C:\Program Files\Lavasoft
2008-10-16 14:19:03 ----D---- C:\ProgramData\Lavasoft
2008-10-16 14:17:37 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-16 13:45:56 ----D---- C:\Users\Selene\AppData\Roaming\Download Manager
2008-10-16 11:57:41 ----A---- C:\Windows\system32\EncDec.dll
2008-10-16 11:57:30 ----A---- C:\Windows\system32\psisdecd.dll
2008-10-16 11:15:34 ----A---- C:\Windows\system32\yayWQheE.dll
2008-10-16 11:15:34 ----A---- C:\Windows\system32\yaYstRIY.dll
2008-10-16 11:09:44 ----D---- C:\ProgramData\lyjcnmls
2008-10-16 11:09:41 ----A---- C:\Windows\system32\xurwlorw.exe
2008-10-16 10:54:18 ----D---- C:\Program Files\Pixarra
2008-10-15 19:56:39 ----D---- C:\Program Files\GMX-PhotoPainter
2008-10-15 19:32:00 ----D---- C:\Users\Selene\AppData\Roaming\WinRAR
2008-10-15 12:50:29 ----A---- C:\Windows\system32\ntoskrnl.exe
2008-10-15 12:50:29 ----A---- C:\Windows\system32\ntkrnlpa.exe
2008-10-15 12:50:25 ----A---- C:\Windows\system32\mshtml.dll
2008-10-15 12:50:24 ----A---- C:\Windows\system32\ieframe.dll
2008-10-15 12:50:23 ----A---- C:\Windows\system32\wininet.dll
2008-10-15 12:50:23 ----A---- C:\Windows\system32\urlmon.dll
2008-10-15 12:50:23 ----A---- C:\Windows\system32\iertutil.dll
2008-10-15 12:50:22 ----A---- C:\Windows\system32\mstime.dll
2008-10-15 12:50:21 ----A---- C:\Windows\system32\jsproxy.dll
2008-10-08 19:27:28 ----D---- C:\Users\Selene\AppData\Roaming\Artweaver
2008-10-07 13:40:14 ----D---- C:\Program Files\Cassandra's Journey - The Legacy of Nostradamus
2008-10-06 14:53:56 ----D---- C:\Users\Selene\AppData\Roaming\GameInvest
2008-10-02 10:34:37 ----D---- C:\ProgramData\JoyBits
2008-09-29 18:57:50 ----D---- C:\ProgramData\FireGlow
2008-09-18 08:36:18 ----D---- C:\Program Files\Magic Encyclopedia

======List of files/folders modified in the last 1 months======

2008-10-17 08:26:28 ----D---- C:\Windows\Temp
2008-10-17 08:07:15 ----D---- C:\Windows\System32
2008-10-17 06:27:28 ----HD---- C:\ProgramData
2008-10-16 19:17:05 ----D---- C:\My Download Files
2008-10-16 18:09:09 ----D---- C:\Program Files\Trend Micro
2008-10-16 18:01:18 ----RD---- C:\Program Files
2008-10-16 18:01:18 ----D---- C:\WINDOWS
2008-10-16 17:35:00 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-16 17:34:56 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-10-16 17:20:36 ----D---- C:\ProgramData\Google Updater
2008-10-16 14:20:31 ----SHD---- C:\Windows\Installer
2008-10-16 14:20:30 ----HD---- C:\Config.Msi
2008-10-16 14:19:04 ----D---- C:\Windows\system32\drivers
2008-10-16 14:18:36 ----SHD---- C:\System Volume Information
2008-10-16 14:17:37 ----D---- C:\Program Files\Common Files
2008-10-16 12:57:51 ----D---- C:\Program Files\WinRAR
2008-10-16 12:13:49 ----D---- C:\Windows\Microsoft.NET
2008-10-16 12:13:34 ----RSD---- C:\Windows\assembly
2008-10-16 12:01:53 ----D---- C:\Windows\winsxs
2008-10-16 12:01:52 ----D---- C:\Windows\ehome
2008-10-16 11:54:27 ----D---- C:\Windows\system32\catroot
2008-10-16 11:54:22 ----D---- C:\Windows\system32\catroot2
2008-10-16 11:09:03 ----D---- C:\Windows\Prefetch
2008-10-16 10:05:45 ----AD---- C:\ProgramData\TEMP
2008-10-16 09:07:16 ----D---- C:\Program Files\Windows Mail
2008-10-16 09:07:15 ----D---- C:\Windows\system32\migration
2008-10-15 11:13:26 ----D---- C:\BigFishGamesCache
2008-10-08 11:50:16 ----RSD---- C:\Windows\Fonts
2008-10-07 12:19:42 ----A---- C:\Windows\system32\mrt.exe
2008-10-07 10:53:50 ----D---- C:\ProgramData\MumboJumbo
2008-10-06 14:35:01 ----D---- C:\Users\Selene\AppData\Roaming\Image Zone Express
2008-09-27 20:55:18 ----D---- C:\ProgramData\SpinTop Games
2008-09-26 06:53:43 ----D---- C:\Program Files\McAfee
2008-09-23 22:02:33 ----D---- C:\Windows\inf
2008-09-23 22:02:33 ----A---- C:\Windows\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ASPI32;ASPI32; C:\Windows\system32\drivers\ASPI32.sys [2002-07-17 16877]
R2 nmsgopro;GoProto Protocol Driver for NMS; C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
R2 nmsunidr;UniDriver for NMS; C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
R2 tmcomm;tmcomm; C:\Windows\system32\DRIVERS\tmcomm.sys [2007-12-24 138384]
R2 tmpreflt;tmpreflt; C:\Windows\system32\DRIVERS\tmpreflt.sys [2008-07-18 36368]
R2 tmxpflt;tmxpflt; C:\Windows\system32\DRIVERS\tmxpflt.sys [2008-07-18 205328]
R2 vsapint;vsapint; C:\Windows\system32\DRIVERS\vsapint.sys [2008-07-18 1195448]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2007-10-30 1201632]
R3 E100B;Intel® PRO Network Connection Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-10-30 165760]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2007-04-26 5504]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-02-28 323584]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-02 108032]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 SDDMI2;SDDMI2; \??\C:\Windows\system32\DDMI2.sys []
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [2006-11-18 18904]
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-16 611664]
R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2007-09-26 12800]
R2 AlertService;Intel® Alert Service; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2006-11-18 195032]
R2 DQLWinService;DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-09 137200]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-09-29 81920]
R2 ISSM;Intel® Software Services Manager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [2006-11-18 81880]
R2 M1 Server;Intel® Viiv™ Media Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [2006-11-18 32216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-09-08 198944]
R2 MCLServiceATL;Intel® Application Tracker; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [2006-11-18 174552]
R2 Remote UI Service;Intel® Remoting Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2006-11-18 550872]
R2 tavsvc;Trend Micro AntiVirus Protection Service; C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe [2007-01-19 251408]
R2 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe [2007-01-10 566872]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-01 29744]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2008-07-15 394608]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
andthe second one:

info.txt logfile of random's system information tool 1.04 2008-10-17 08:27:08

======Uninstall list======

Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\System32\Macromed\SHOCKW~1\Install.log
Agere Systems PCI-SV92PP Soft Modem-->agrsmdel
Alien Skin Xenofex 2 Demo-->C:\PROGRA~1\JASCSO~1\PAINTS~1\PlugIns\ALIENS~1\Unwise32.exe C:\PROGRA~1\JASCSO~1\PAINTS~1\PlugIns\ALIENS~1\INSTALL.LOG
Amazing Adventures: The Lost Tomb-->"C:\Program Files\Amazing Adventures - The Lost Tomb\Uninstall.exe"
Anfy-->C:\PROGRA~1\AnfyTeam\UNWISE.EXE C:\PROGRA~1\AnfyTeam\INSTALL.LOG
AoA DVD Ripper-->"C:\Program Files\AoA DVD Ripper\unins000.exe"
Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe
BigFix-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Blasterball 2 Holidays (Free with Gateway Game Console)-->"C:\Program Files\Gateway Games\Blasterball 2 Holidays\Uninstall.exe"
Browser Address Error Redirector-->regsvr32 /u /s "c:\google\BAE.dll"
Cassandra's Journey: The Legacy of Nostradamus-->"C:\Program Files\Cassandra's Journey - The Legacy of Nostradamus\Uninstall.exe"
Cate West The Vanishing Files-->C:\PROGRA~1\GAMEHO~1\CATEWE~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\CATEWE~1\INSTALL.LOG
Death on the Nile-->C:\PROGRA~1\AOLGAM~1\DEATHO~1\UNWISE.EXE C:\PROGRA~1\AOLGAM~1\DEATHO~1\INSTALL.LOG
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61} /l1033
EA Download Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
Eye Candy 3-->C:\PROGRA~1\JASCSO~1\PAINTS~1\PlugIns\UNWISE.EXE C:\PROGRA~1\JASCSO~1\PAINTS~1\PlugIns\INSTALL.LOG
Eye Candy 4000 Demo-->C:\PROGRA~1\JASCSO~1\PAINTS~1\PlugIns\EYECAN~1\UNWISE.EXE C:\PROGRA~1\JASCSO~1\PAINTS~1\PlugIns\EYECAN~1\INSTALL.LOG
Fishdom-->C:\PROGRA~1\GAMEHO~1\Fishdom\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\Fishdom\INSTALL.LOG
Gateway Recovery Center Installer-->MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hidden Expedition: Amazon ™-->"C:\Program Files\Hidden Expedition - Amazon\Uninstall.exe"
Hidden Expedition: Titanic™-->"C:\Program Files\Hidden Expedition - Titanic\Uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone Express-->C:\Windows\HP Image Zone Express Uninstaller.exe
IncrediMail Xe-->C:\Program Files\IncrediMail\bin\ImSetup.exe /remove /addon:IncrediMail /log:IncMail.log
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® Viiv™ Software-->MsiExec.exe /X{26C610BF-761B-4209-BD6A-A0F1B73D6DDE} /qb!
James Patterson's Women's Murder Club: Death in Scarlet-->"C:\Program Files\James Patterson's Women's Murder Club - Death in Scarlet\Uninstall.exe"
Jasc Paint Shop Pro 8-->MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Jewel Quest II-->"C:\Program Files\Jewel Quest II\Uninstall.exe"
Luxor (remove only)-->"C:\Program Files\Luxor\Uninstall.exe"
Magic Encyclopedia-->"C:\Program Files\Magic Encyclopedia\Uninstall.exe"
McAfee SiteAdvisor-->C:\Program Files\McAfee\SiteAdvisor\Uninstall.exe
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=12
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office 2000 SR-1 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Windows Media Video 9 VCM-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\wmv9vcm.inf, Uninstall
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Mystery Case Files: Ravenhearst ™-->"C:\Program Files\Mystery Case Files - Ravenhearst\Uninstall.exe"
Mystery Chronicles: Murder Among Friends-->"C:\Program Files\Mystery Chronicles - Murder Among Friends\Uninstall.exe"
OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
Pirateville-->"C:\Program Files\Pirateville\Uninstall.exe"
Power2Go 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
PS2 Multimedia Keyboard Driver-->"C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\setup.exe" -ul
Puzzle Hero-->"C:\Program Files\Puzzle Hero\Uninstall.exe"
Roxio EasyWrite Reader-->C:\Windows\system32\MRFUNIN.EXE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Sqirlz Water Reflections-->C:\Windows\Sqirlz Water Reflections Uninstaller.exe
Stamps.com Internet Postage-->C:\PROGRA~1\STAMPS~1.COM\Uninst.exe C:\PROGRA~1\STAMPS~1.COM\UNWISE.EXE C:\PROGRA~1\STAMPS~1.COM\INSTALL.LOG
The Clumsys-->C:\PROGRA~1\GAMEHO~1\THECLU~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\THECLU~1\INSTALL.LOG
The Magician's Handbook Cursed Valley-->C:\PROGRA~1\GAMEHO~1\THEMAG~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\THEMAG~1\INSTALL.LOG
Trend Micro AntiVirus-->MsiExec.exe /X{71E4D679-20AB-41E9-A350-D5BF92088FFE}
Tri Peaks 2 Quest For The Ruby Ring-->"C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring\Uninstall.exe" "C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring\install.log"
TWC Customer Controls-->MsiExec.exe /I{F8722041-B63A-47FB-82A8-5F0977E1CF45}
ViewSonic Monitor Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner-->MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Photo Gallery-->MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar-->"C:\Program Files\Windows Live Toolbar\UnInstall.exe" {C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}
Windows Live Toolbar-->MsiExec.exe /X{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Install Manager-->C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zwei-Stein Video Compositor 3.01 (Beta 2).-->"C:\Program Files\Thugs at Bay\Zwei-Stein\unins000.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 www.10sek.com

======Security center information======

AV: Trend Micro AntiVirus
AS: Windows Defender
AS: Trend Micro AntiVirus

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0604
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------



Thank you forall your help smile.gif
Go to the top of the page
 
+Quote Post
kahdah
post Oct 17 2008, 11:18 AM
Post #4


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
You are welcome smile.gif
=====================

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
==============
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :processes
    explorer.exe
    ngxqzibo.exe
    xurwlorw.exe


    :files
    C:\Windows\system32\yaYstRIY.dll
    C:\ProgramData\lyjcnmls
    C:\Windows\system32\xurwlorw.exe
    C:\ProgramData\AdmEnApp
    C:\Windows\system32\yayWQheE.dll
    C:\Users\Selene\AppData\Local\Temp\ljJYOFXN.dll
    C:\Users\Selene\AppData\Local\Temp\hgGwXpNH.dll


    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSServer"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "8gMCpfqtul"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "procset"="procset"=-
    "MSServer"=-
    "5cd2170e"=-
    "AdmEnApp"=-
    "cmds"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{E7602565-6B9E-49EC-B0B5-55F5CDA67DBB}"=-

    :commands
    [emptytemp]
    [start explorer]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=========================
Please post these logs in your next reply:

  1. Ot Move it log
  2. Malware Bytes log
  3. New Rsit log


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 17 2008, 11:52 AM
Post #5


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
Okay all done and logs are here:

========== PROCESSES ==========
Process explorer.exe killed successfully.
Process ngxqzibo.exe killed successfully.
Process xurwlorw.exe killed successfully.
========== FILES ==========
DllUnregisterServer procedure not found in C:\Windows\system32\yaYstRIY.dll
C:\Windows\system32\yaYstRIY.dll NOT unregistered.
C:\Windows\system32\yaYstRIY.dll moved successfully.
C:\ProgramData\lyjcnmls moved successfully.
C:\Windows\system32\xurwlorw.exe moved successfully.
C:\ProgramData\AdmEnApp moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\yayWQheE.dll
C:\Windows\system32\yayWQheE.dll NOT unregistered.
C:\Windows\system32\yayWQheE.dll moved successfully.
DllUnregisterServer procedure not found in C:\Users\Selene\AppData\Local\Temp\ljJYOFXN.dll
C:\Users\Selene\AppData\Local\Temp\ljJYOFXN.dll NOT unregistered.
C:\Users\Selene\AppData\Local\Temp\ljJYOFXN.dll moved successfully.
DllUnregisterServer procedure not found in C:\Users\Selene\AppData\Local\Temp\hgGwXpNH.dll
C:\Users\Selene\AppData\Local\Temp\hgGwXpNH.dll NOT unregistered.
C:\Users\Selene\AppData\Local\Temp\hgGwXpNH.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\8gMCpfqtul deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\procset"="procset not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\5cd2170e deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdmEnApp deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\cmds deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{E7602565-6B9E-49EC-B0B5-55F5CDA67DBB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7602565-6B9E-49EC-B0B5-55F5CDA67DBB}\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\Users\Selene\AppData\Local\Temp\Low\~DF187C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Selene\AppData\Local\Temp\pvbfoxxw.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Selene\AppData\Local\Temp\~DFDE70.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\sqlite_J7Qxb1RPlNy2fNg scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\sqlite_SCIwLXMkZUH7Mu9 scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\sqlite_UcWgcZ9RH6araF0 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10172008_092628

Files moved on Reboot...
C:\Users\Selene\AppData\Local\Temp\Low\~DF187C.tmp moved successfully.
DllUnregisterServer procedure not found in C:\Users\Selene\AppData\Local\Temp\pvbfoxxw.dll
C:\Users\Selene\AppData\Local\Temp\pvbfoxxw.dll NOT unregistered.
C:\Users\Selene\AppData\Local\Temp\pvbfoxxw.dll moved successfully.
C:\Users\Selene\AppData\Local\Temp\~DFDE70.tmp moved successfully.
File move failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be moved on reboot.
C:\Windows\temp\sqlite_J7Qxb1RPlNy2fNg moved successfully.
C:\Windows\temp\sqlite_SCIwLXMkZUH7Mu9 moved successfully.
C:\Windows\temp\sqlite_UcWgcZ9RH6araF0 moved successfully.



Log 2:

Malwarebytes' Anti-Malware 1.29
Database version: 1278
Windows 6.0.6001 Service Pack 1

10/17/2008 9:42:22 AM
mbam-log-2008-10-17 (09-42-22).txt

Scan type: Quick Scan
Objects scanned: 45750
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Log 3:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Selene at 2008-10-17 09:49:26
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 170 GB (74%) free of 228 GB
Total RAM: 1013 MB (32% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:04 AM, on 10/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Selene\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Selene.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5404
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [procset] C:\Windows\system32\xurwlorw.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-542174280-2833692572-3353137174-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-542174280-2833692572-3353137174-1000\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent (User 'IUSR_NMPR')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.rr.com
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://clubgames.pogo.com/online2/pogop/ma...mesLauncher.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

--
End of file - 8799 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
C:\Windows\tasks\McAfee Cleanup.job
C:\Windows\tasks\ParetoLogic Registration.job
C:\Windows\tasks\User_Feed_Synchronization-{156EADB6-B9AA-4DDF-BCA7-89801253E4B4}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-04-26 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-07-09 2549368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll [2008-07-09 654320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-09-04 121632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 546672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\google\BAE.dll [2006-01-31 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{981FE6A8-260C-4930-960F-C3BC82746CB0}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 546672]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-07-09 2549368]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-09-04 121632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-16 1257104]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"=C:\Program Files\IncrediMail\bin\IncMail.exe [2008-07-24 243072]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-09 68856]
"procset"=C:\Windows\system32\xurwlorw.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-10-17 09:35:30 ----D---- C:\Users\Selene\AppData\Roaming\Malwarebytes
2008-10-17 09:35:24 ----D---- C:\ProgramData\Malwarebytes
2008-10-17 09:35:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-17 09:26:28 ----D---- C:\_OTMoveIt
2008-10-17 08:26:23 ----D---- C:\rsit
2008-10-17 06:27:28 ----D---- C:\ProgramData\UtilMonEn
2008-10-16 18:01:07 ----A---- C:\Windows\wininit.ini
2008-10-16 14:19:04 ----D---- C:\Program Files\Lavasoft
2008-10-16 14:19:03 ----D---- C:\ProgramData\Lavasoft
2008-10-16 14:17:37 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-16 13:45:56 ----D---- C:\Users\Selene\AppData\Roaming\Download Manager
2008-10-16 11:57:41 ----A---- C:\Windows\system32\EncDec.dll
2008-10-16 11:57:30 ----A---- C:\Windows\system32\psisdecd.dll
2008-10-16 10:54:18 ----D---- C:\Program Files\Pixarra
2008-10-15 19:56:39 ----D---- C:\Program Files\GMX-PhotoPainter
2008-10-15 19:32:00 ----D---- C:\Users\Selene\AppData\Roaming\WinRAR
2008-10-15 12:50:29 ----A---- C:\Windows\system32\ntoskrnl.exe
2008-10-15 12:50:29 ----A---- C:\Windows\system32\ntkrnlpa.exe
2008-10-15 12:50:25 ----A---- C:\Windows\system32\mshtml.dll
2008-10-15 12:50:24 ----A---- C:\Windows\system32\ieframe.dll
2008-10-15 12:50:23 ----A---- C:\Windows\system32\wininet.dll
2008-10-15 12:50:23 ----A---- C:\Windows\system32\urlmon.dll
2008-10-15 12:50:23 ----A---- C:\Windows\system32\iertutil.dll
2008-10-15 12:50:22 ----A---- C:\Windows\system32\mstime.dll
2008-10-15 12:50:21 ----A---- C:\Windows\system32\jsproxy.dll
2008-10-08 19:27:28 ----D---- C:\Users\Selene\AppData\Roaming\Artweaver
2008-10-07 13:40:14 ----D---- C:\Program Files\Cassandra's Journey - The Legacy of Nostradamus
2008-10-06 14:53:56 ----D---- C:\Users\Selene\AppData\Roaming\GameInvest
2008-10-02 10:34:37 ----D---- C:\ProgramData\JoyBits
2008-09-29 18:57:50 ----D---- C:\ProgramData\FireGlow
2008-09-18 08:36:18 ----D---- C:\Program Files\Magic Encyclopedia

======List of files/folders modified in the last 1 months======

2008-10-17 09:50:03 ----D---- C:\Windows\System32
2008-10-17 09:49:48 ----D---- C:\Windows\Temp
2008-10-17 09:35:28 ----D---- C:\Windows\system32\drivers
2008-10-17 09:35:24 ----RD---- C:\Program Files
2008-10-17 09:35:24 ----HD---- C:\ProgramData
2008-10-16 19:17:05 ----D---- C:\My Download Files
2008-10-16 18:09:09 ----D---- C:\Program Files\Trend Micro
2008-10-16 18:01:18 ----D---- C:\WINDOWS
2008-10-16 17:35:00 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-16 17:34:56 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-10-16 17:20:36 ----D---- C:\ProgramData\Google Updater
2008-10-16 14:20:31 ----SHD---- C:\Windows\Installer
2008-10-16 14:20:30 ----HD---- C:\Config.Msi
2008-10-16 14:18:36 ----SHD---- C:\System Volume Information
2008-10-16 14:17:37 ----D---- C:\Program Files\Common Files
2008-10-16 12:57:51 ----D---- C:\Program Files\WinRAR
2008-10-16 12:13:49 ----D---- C:\Windows\Microsoft.NET
2008-10-16 12:13:34 ----RSD---- C:\Windows\assembly
2008-10-16 12:01:53 ----D---- C:\Windows\winsxs
2008-10-16 12:01:52 ----D---- C:\Windows\ehome
2008-10-16 11:54:27 ----D---- C:\Windows\system32\catroot
2008-10-16 11:54:22 ----D---- C:\Windows\system32\catroot2
2008-10-16 11:09:03 ----D---- C:\Windows\Prefetch
2008-10-16 10:05:45 ----AD---- C:\ProgramData\TEMP
2008-10-16 09:07:16 ----D---- C:\Program Files\Windows Mail
2008-10-16 09:07:15 ----D---- C:\Windows\system32\migration
2008-10-15 11:13:26 ----D---- C:\BigFishGamesCache
2008-10-08 11:50:16 ----RSD---- C:\Windows\Fonts
2008-10-07 12:19:42 ----A---- C:\Windows\system32\mrt.exe
2008-10-07 10:53:50 ----D---- C:\ProgramData\MumboJumbo
2008-10-06 14:35:01 ----D---- C:\Users\Selene\AppData\Roaming\Image Zone Express
2008-09-27 20:55:18 ----D---- C:\ProgramData\SpinTop Games
2008-09-26 06:53:43 ----D---- C:\Program Files\McAfee
2008-09-23 22:02:33 ----D---- C:\Windows\inf
2008-09-23 22:02:33 ----A---- C:\Windows\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ASPI32;ASPI32; C:\Windows\system32\drivers\ASPI32.sys [2002-07-17 16877]
R2 nmsgopro;GoProto Protocol Driver for NMS; C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
R2 nmsunidr;UniDriver for NMS; C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
R2 tmcomm;tmcomm; C:\Windows\system32\DRIVERS\tmcomm.sys [2007-12-24 138384]
R2 tmpreflt;tmpreflt; C:\Windows\system32\DRIVERS\tmpreflt.sys [2008-07-18 36368]
R2 tmxpflt;tmxpflt; C:\Windows\system32\DRIVERS\tmxpflt.sys [2008-07-18 205328]
R2 vsapint;vsapint; C:\Windows\system32\DRIVERS\vsapint.sys [2008-07-18 1195448]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2007-10-30 1201632]
R3 E100B;Intel® PRO Network Connection Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-10-30 165760]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2007-04-26 5504]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-02-28 323584]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-02 108032]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 SDDMI2;SDDMI2; \??\C:\Windows\system32\DDMI2.sys []
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [2006-11-18 18904]
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-16 611664]
R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2007-09-26 12800]
R2 AlertService;Intel® Alert Service; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2006-11-18 195032]
R2 DQLWinService;DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-09 137200]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-09-29 81920]
R2 ISSM;Intel® Software Services Manager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [2006-11-18 81880]
R2 M1 Server;Intel® Viiv™ Media Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [2006-11-18 32216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-09-08 198944]
R2 MCLServiceATL;Intel® Application Tracker; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [2006-11-18 174552]
R2 Remote UI Service;Intel® Remoting Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2006-11-18 550872]
R2 tavsvc;Trend Micro AntiVirus Protection Service; C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe [2007-01-19 251408]
R2 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe [2007-01-10 566872]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-01 29744]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2008-07-15 394608]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------


On last re-boot, I was getting messages that my computer was not allowing certain programs to start.....is this normal?????


Thanks smile.gif
Go to the top of the page
 
+Quote Post
kahdah
post Oct 17 2008, 08:27 PM
Post #6


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
Hi yes it is normal you will need to allow the program to run the program that is trying to run Is MalwareBytes click on the alert to allow it then choose allow blocked programs.
Then choose MalwareBytes.
====================
Please re-open Hijackthis and choose "Run as Administrator" then click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKCU\..\Run: [procset] C:\Windows\system32\xurwlorw.exe



Now click on Fix Checked and then close Hijackthis.
================================
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right cklick on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 18 2008, 12:56 PM
Post #7


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
I keep saving the Kaspersky report and it doesn't show up on my desktop to copy and paste, yet when I overwrite it it shows it's there sad.gif..........what to do???? It says I have 11 infections
Go to the top of the page
 
+Quote Post
kahdah
post Oct 18 2008, 12:59 PM
Post #8


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
Hi do a search for it by the name you saved it as.
See if you can open it or even try to attach it here.


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 18 2008, 01:06 PM
Post #9


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
Nope it keeps coming up that the folder is empty mad.gif
Go to the top of the page
 
+Quote Post
kahdah
post Oct 18 2008, 01:13 PM
Post #10


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
Where did you save it and did you save it as a text document?


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 18 2008, 01:14 PM
Post #11


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
I saved it in a folder on my desktop and yes I saved it as a text file
Go to the top of the page
 
+Quote Post
kahdah
post Oct 18 2008, 01:29 PM
Post #12


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
I will need to see it to finish up cleaning your computer.
Please see if you can save it again or type out the information for me to see.


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 18 2008, 01:34 PM
Post #13


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
okay, I am running the scan again and will type out everything it shows me.....the scan takes approximately 1 1/2 hours to complete so I will be back

Thanks smile.gif
Go to the top of the page
 
+Quote Post
kahdah
post Oct 18 2008, 01:35 PM
Post #14


Forum Addict
******

Group: HJT Team Coach
Posts: 6,712
Joined: 27-October 06
From: Florida
Member No.: 92,376
ok sorry about that.


--------------------
Please do not pm for help, post it in the forums instead.

If I have helped you then please consider donating to continue the fight against malware

Go to the top of the page
 
+Quote Post
lovesmagick
post Oct 19 2008, 12:05 AM
Post #15


Member
**

Group: Members
Posts: 26
Joined: 16-October 08
Member No.: 247,214
Geez this took me awhile to figure out how to do! This first log is from this afternoon:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 18, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, October 18, 2008 12:31:51
Records in database: 1320761
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 188901
Threat name: 4
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:06:11


File name / Threat name / Threats count
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\168A.tmp Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\75AA.tmp Infected: Backdoor.Win32.TDSS.acg 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\8D50.tmp Infected: Backdoor.Win32.TDSS.acg 1
C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\A2D0.tmp Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Users\Selene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\575b3459-694b2e2e Infected: Trojan.Java.ClassLoader.as 3
C:\Users\Selene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\50c2ce60-162cefce Infected: Trojan.Java.ClassLoader.as 3
C:\_OTMoveIt\MovedFiles\10172008_092628\ProgramData\lyjcnmls\ngxqzibo.exe Infected: Trojan-Downloader.Win32.Obfuscated.dxg 1

The selected area was scanned.


this one is from tonite:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, October 18, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, October 19, 2008 02:25:50
Records in database: 1322743
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 184693
Threat name: 2
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:04:27


File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\7A80.tmp Infected: Trojan.Java.ClassLoader.as 3
C:\Program Files\Trend Micro\Internet Security\Quarantine\FF2B.tmp Infected: Trojan.Java.ClassLoader.as 3
C:\_OTMoveIt\MovedFiles\10172008_092628\ProgramData\lyjcnmls\ngxqzibo.exe Infected: Trojan-Downloader.Win32.Obfuscated.dxg 1

The selected area was scanned.
Attached File(s)
Attached File  Kaspersky.jpg ( 74.71k ) Number of downloads: 7
 
Go to the top of the page
 
+Quote Post
« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »
 

2 Pages V   1 2 >
Closed TopicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Switch to: Standard · Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 21st November 2009 - 10:59 PM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides

© 2003-2009 All Rights Reserved Bleeping Computer LLC.

Powered By IP.Board © 2009  IPS, Inc.