Could somebody look at this log for me.


Post by Negalith » August 20th, 2009, 12:22 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:29 AM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\NeverwinterNights\NWN\nwserver.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysVContoller32] C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Startup Defender.lnk = C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6052 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me.

Post by Bob4 » August 23rd, 2009, 7:27 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant.
Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear.
So let's do this to the end!



  • Save and quit any work you're doing before beginning the fix.
  • All HijackThis logs I ask for should be done in normal mode (not safe mode).
  • These logs should be done last after you have followed my instructions in the previous post.
  • DO NOT install new programs while we are fixing this machine.
  • Be sure to use the subscribe button to receive notification by Email that you have been replied to.
    If I do not hear from you in 3 days from my last post this topic will be closed. You will need to start another.


Please, if you decide to seek help at another forum, let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!





______________________________
RUN HJT

HJT
Run HijackThis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)



Close that.




_________________________________________
Download and install CCleaner from here


If you use either the Firefox/Mozilla browsers, the box to uncheck for Cookies (using CCleaner) is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".

    Now run the program by clicking on Run Cleaner

(Do not use the Registry function to clean anything with this program. Having anything auto clean your registry is risky.)




__________________
Open CCleaner.
Click on Tools.
Highlight Uninstall.

Down at the bottom, click Save to text file.
Save it to your desktop and post the contents of that log for me.


_________________________________________
I see that Viewpoint is installed.

Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware.

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
If AOL is present, to prevent it from being recreated every time you run the AOL software:
  • Open AOL
  • Go to Help on the toolbar
  • Select About AOL
  • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
Another way to prevent Viewpoint from being recreated every time you run the AOL software is:
  • Click C:\Program Files\AOL 9.0\Jiti (a hidden folder).
  • Rename viewpoint.exe to viewpoint.old.
This is the item to fix in HijackThis.

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe






_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath in there.
If there is more than one file to scan, insert them 1 at a time.


C:\NeverwinterNights\NWN\nwserver.exe

C:\Program Files\Zards software\Startup Defender\Startup Defender.exe

C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe



Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

You may receive a message stating:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Just let me know if that is what you saw.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html



______________________________
The following program:

C:\Program Files\Zards software\Startup Defender
Do you have the full and paid version?


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The reports (3) from Jotti / VirusTotal
  • Do you have the full paid-for version of Startup Defender?
  • Letting me know what issues you're having would help steer us in the right direction.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Could somebody look at this log for me.

Post by Negalith » August 25th, 2009, 2:22 pm

No... Zards is not a paid program... I don't know where it came from....

Until recently... when I made Google searches, the top result always worked fine... all lesser ranked resulting links went to (got hijacked to) incorrect web sites. Since doing the last HijackThis run, all APPEARS ok.
********************************************
Jotti Results

nwserver.exe
Scan finished. 1 out of 21 scanners reported malware.
File size: 2557160 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: d4bba21c58fef209d4ea313eef00ec86
SHA1: c1c3e6b16da822e8fe9c94c0ead3e6903d80bd14
This is a program I trust. I've used it for 5 years to host an online video game server.


Startup Defender.exe
Scan finished. 3 out of 21 scanners reported malware.
File size: 1052160 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5: af29f813b58dda7d23a6c0af9f8ca5e3
SHA1: 8f2e934389e1747b4456b5dbd9b5d13784bf1483


C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
I do not even see a svcl32.exe file in the C:\NeverwinterNights\NWN\hak\svcl32 folder.
I do see a svcl32.txt. The readme identifies this as "SpyArsenal.com - Family Keylogger v3.02"..... Looks as if my significant other was checking up on me.

*****************************************************************
Hijack This Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:23 PM, on 8/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\NeverwinterNights\NWN\nwserver.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EVEMon\EVEMon.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysVContoller32] C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Startup Defender.lnk = C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5729 bytes


*****************************************************************
Ccleaner Log

7-Zip 4.65
Acoustica MP3 CD Burner
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0
Adobe Shockwave Player
America Online (Choose which version to remove)
AOL Connectivity Services
AOL Spyware Protection
Athlon 64 Processor Driver
AutoREALM Version 2.2.1
Avira AntiVir Personal - Free Antivirus
Avira RootKit Detection
Axis & Allies Iron Blitz
BitTorrent
CCleaner (remove only)
DNA
Dual-Core Optimizer
eMule
EVE Online (remove only)
EVEMon
EZ Macros
Free Download Manager 2.5
gmax
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HUE HD Webcam
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 5
K-Lite Mega Codec Pack 3.9.5
Kate's Video Joiner
Kodak EasyShare software
Lexmark 1200 Series
Malwarebytes' Anti-Malware
Master of Orion 3
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel Viewer
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Morrowind
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.13)
MP3 CD Converter Professional 5.03
Mpeg Layer3 Codec FHG-Radium v1.263
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Neverwinter Nights
NVIDIA Drivers
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Starcraft
Startup Defender 1.5.9.9
Steam
Team Fortress Classic
TES Construction Set
The Sims 2
The Sims™ 2 Seasons
Trillian
UFO2000 Beta
Ventrilo Client
Viewpoint Manager (Remove Only)
Warcraft II BNE
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver
XCOM: Terror from the Deep (remove only)
Yahoo! Messenger
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm
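
Added example (not part of the original thread, and not a tool used by the forum): a small Python triage of excerpts from the 8/20 and 8/25 HijackThis logs above. It lists entries marked "(no file)", O4 autostart entries whose target lies outside C:\WINDOWS and C:\Program Files (a heuristic assumed for this example, not a rule stated in the thread), and what changed between the two scans.

```python
import re

# Excerpts from the 8/20 and 8/25 HijackThis logs in this thread, trimmed to
# a few representative lines (not the full logs).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysVContoller32] C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysVContoller32] C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")            # "O4 - ...", "R1 - ..."
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(.+?)\]")                    # value name of a Run entry

# Assumption of this example: an autostart target outside these directories
# deserves a second look. It is a heuristic, not a verdict.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_entries(log_text):
    """Return (section, body) tuples for every registry/startup entry line."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def orphaned(entries):
    """Entries whose registered file no longer exists on disk."""
    return [entry for entry in entries if entry[1].endswith("(no file)")]


def unusual_autoruns(entries):
    """O4 entries whose executable sits outside the trusted directories."""
    hits = []
    for section, body in entries:
        if section != "O4":
            continue
        path = PATH_RE.search(body)
        name = RUN_NAME_RE.search(body)
        if path and not path.group(0).lower().startswith(TRUSTED_PREFIXES):
            hits.append((name.group(1) if name else body, path.group(0)))
    return hits


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    removed = [entry for entry in before if entry not in after]
    added = [entry for entry in after if entry not in before]
    return removed, added


if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    for section, body in orphaned(before):
        print("orphaned :", section, body)
    for name, path in unusual_autoruns(after):
        print("autorun  :", name, "->", path)
    removed, added = diff_logs(before, after)
    for section, body in removed:
        print("removed  :", section, body)
    for section, body in added:
        print("added    :", section, body)
```

On these excerpts the SysVContoller32 Run entry is still reported after the fix, which matches the 8/25 log: the entry remains in the registry regardless of whether the file it points to is visible.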

Re: Could somebody look at this log for me.

Post by Bob4 » August 25th, 2009, 4:14 pm

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.


BitTorrent
eMule


We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs.

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
I am also going to include other programs you should install but are not Peer to Peer programs. Failure to remove those 2 Peer to Peer programs will result in this thread being closed.

Please also remove this program. It's possible this was downloaded from a bad source and is infected: Startup Defender 1.5.9.9



______________________________________________
you wrote: C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
I do not even see a svcl32.exe file in the C:\NeverwinterNights\NWN\hak\svcl32 folder.
I do see a svcl32.txt. The readme identifies this as "SpyArsenal.com - Family Keylogger v3.02".....
Looks as if my significant other was checking up on me.

I don't think so. The file is named the same as a known family keylogger but is running from an entirely different place..

If you trust this program that's OK. But that file (svcl32.exe) is there whether you see it or not.
May be hidden.
you wrote: Since doing the last Hijack this run, all APPEARS ok.

Haven't really done anything yet. But I am glad things are better. :)



____________________________

Please download HostsXpert.

  1. Unzip HostsXpert.zip
  2. Double click on HostsXpert.exe
  3. Then click on Download < MVPs Hosts < Replace.
    Once it's done
  4. Click on Make Hosts Read Only to secure it against further infection.
  5. Close program when complete.





____________________________________________________
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. However, you may need to disable your currently installed anti-virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


__________________________________
Open Malwarebytes >>click on the LOG tab
Open and copy the first report you had done.
It will have a dated name such as:
mbam-log-2009-01-02 (21-39-41).txt
I want the last log. That will be the latest dated.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from NOD32
  • The report from Malwarebytes
  • Things still seem to be running OK?
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Could somebody look at this log for me.

Post by Negalith » August 25th, 2009, 8:31 pm

I have removed the three programs (startup defender, emule and bit torrent).

I have deleted the entire folder
C:\NeverwinterNights\NWN\hak\svcl32

I am having problems with HostsXpert..
I have downloaded and unzipped it. I have run it. I have chosen the "Download" button near the bottom left. I have clicked the MVPs Hosts tab in as many different ways as I could imagine with no results and I cannot see an option to choose Replace....
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me.

Post by Bob4 » August 25th, 2009, 9:19 pm

you wrote: I have deleted the entire folder
C:\NeverwinterNights\NWN\hak\svcl32


Is that program (Neverwinter Nights) going to run properly with that folder gone? Maybe not, I think.

If not it's best you restore that folder from the recycle bin and just uninstall that program. Removing parts of a program may/will lead to errors.

____________________________________

you wrote: I am having problems with HostsXpert..


I'm sorry I left something out. That's my fault. :oops:

Double click on HostsXpert.exe
Click on Make writeable.
Then click on Download<< MVPs Hosts << Replace.
Once it's done.
Click on Make Hosts Read Only to secure it against further infection.

What this does... A host file is a list of known bad sites.
When you click or type in a link the host file is checked first. If that link you typed or clicked is in the host file your browser will redirect you to http://127.0.0.1 . A page on your computer. Go ahead and click that. Then use the back button to come back.

If you still have trouble with HostsXpert, just continue with NOD32; we can come back to that.

_______________________________
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
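
Added example (not part of the original thread, and not HostsXpert's own code): the hosts-file lookup described in the post above, plus two checks that can be run on a hosts file after the HostsXpert steps. The sample file, its hostnames and the 203.0.113.50 address are constructed; treating only loopback or 0.0.0.0 mappings as expected in a blocklist-style hosts file is an assumption of this example.

```python
import ipaddress
import os
import stat

# Constructed sample in hosts-file syntax: "<address> <hostname> [aliases...]".
SAMPLE_HOSTS = """\
# constructed sample, blocklist-style entries first
127.0.0.1       localhost
127.0.0.1       ads.badsite.example        # blocked: resolves to this machine
0.0.0.0         tracker.badsite.example    # blocked: unroutable address
203.0.113.50    search.example www.search.example
"""


def parse_hosts(text):
    """Return (line_number, address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        address, *names = line.split()
        for name in names:                        # one line may carry aliases
            entries.append((lineno, address, name.lower()))
    return entries


def lookup(entries, hostname):
    """Address the hosts file supplies for hostname, or None (falls to DNS)."""
    wanted = hostname.lower()
    for _, address, name in entries:
        if name == wanted:
            return address                        # first matching line wins
    return None


def audit(entries):
    """Flag mappings that a pure blocklist would not contain."""
    flagged = []
    for lineno, address, name in entries:
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((lineno, address, name, "malformed address"))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((lineno, address, name, "maps to a non-loopback address"))
    return flagged


def is_read_only(path):
    """True when the owner write bit is cleared (the read-only attribute on Windows)."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.badsite.example", "www.search.example", "unlisted.example"):
        print(f"{host:24} -> {lookup(entries, host)}")
    for lineno, address, name, reason in audit(entries):
        print(f"line {lineno}: {name} -> {address} ({reason})")
```

On a Windows XP machine like the one in this thread the file to check is C:\WINDOWS\system32\drivers\etc\hosts; pass its contents to `parse_hosts` and its path to `is_read_only`.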

Re: Could somebody look at this log for me.

Post by Negalith » August 27th, 2009, 12:56 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:58 PM, on 8/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\NeverwinterNights\NWN\nwserver.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysVContoller32] C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Startup Defender.lnk = C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5933 bytes

********************************************************************************************

ESET Online Scanner

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=625ef8132a1582428f5c4cf5bc0ec77a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-26 09:56:57
# local_time=2009-08-26 04:56:57 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 582607656250
# scanned=187210
# found=2
# cleaned=0
# scan_time=8545
C:\Documents and Settings\Jeff\DoctorWeb\Quarantine\A0006722.exe Win32/Adware.Gator.Trickler application 00000000000000000000000000000000 I
E:\Old Imporded D Drive\Program Files\Common Files\GMT\GMT.exe probably a variant of Win32/Adware.Gator application 00000000000000000000000000000000 I

***********************************************************************************************************************

Malwarebytes' Anti-Malware 1.40
Database version: 2660
Windows 5.1.2600 Service Pack 3

8/27/2009 11:53:39 AM
mbam-log-2009-08-27 (11-53-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220987
Time elapsed: 1 hour(s), 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ytasfwbcaganrv.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ytasfwbvioweey.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\ytasfwskjibgxl.sys (Trojan.Agent) -> No action taken.


Post by Bob4 » August 27th, 2009, 2:43 pm

_____________________
Search for and remove
Now I want you to search for and delete the following file(s) and folder(s) and all folder contents if present. If you need help finding them:
Click Start / Search / All files and folders / look for More advanced options. Once in there, select the first 3 boxes.
Please just remove the files/folders I listed in BOLD.


E:\Old Imporded D Drive\Program Files\Common Files\GMT\GMT.exe



_______________________
I'm sure you did at the time but I am going to ask.
You let Malwarebytes remove those 3 files when it found them?


____________________________________
Update Java Runtime

You are using an old and vulnerable version of Java. The latest is Java Runtime Environment Version 6 Update 15.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 16
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u16-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer




Because of something I saw in a log I am going to ask for one more scan.
It's quick and painless I assure you.
_____________________________________________
  • Download Random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


This log will also produce a Hijackthis log so NO reason to post one of those.





_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from RSIT
  • Let me know you were able to remove that file.


Post by Negalith » August 29th, 2009, 4:13 pm

I did remove the 3 files found by Malwarebytes.
I did delete the Gator file GMT.exe as instructed in the past post.
I believe I have installed the newer Java version correctly.




Logfile of random's system information tool 1.06 (written by random/random)
Run by Jeff at 2009-08-29 15:09:55
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 115 GB (38%) free of 305 GB
Total RAM: 1983 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:01 PM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\NeverwinterNights\NWN\nwserver.exe
C:\Documents and Settings\Jeff\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Jeff.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysVContoller32] C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Startup: Startup Defender.lnk = C:\Program Files\Zards software\Startup Defender\Startup Defender.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5223 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdm2.dll [2007-11-26 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
ID

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-11 98304]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-12-09 7311360]
"SysVContoller32"=C:\NeverwinterNights\NWN\hak\svcl32\svcl32.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe []
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe []
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2007-07-23 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0\AOL.EXE [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [2004-10-18 79448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2004-10-20 34904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fat32scan]
C:\Program Files\Instant Message Grabber 2.x\fat32scan.exe [2006-01-17 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1200056510\EE\AOLHostManager.exe [2004-11-03 125528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ka4]
C:\WINDOWS\system32\ka4.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe [2006-07-13 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe [2001-08-23 331830]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2005-12-09 7311360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2005-12-09 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-01-11 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2008-01-11 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2006-05-27 16208384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe [2009-06-19 1217784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trackstick Manager.exe]
C:\Program Files\NWN helper\Trackstick Manager.EXE -min []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe [2001-10-05 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2007-09-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~4\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
C:\PROGRA~1\ORBITD~1\orbitdm.exe /H []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MGS"=2
"aawservice"=2
"AOL TopSpeedMonitor"=2
"AOL ACS"=2
"WANMiniportService"=2

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup
SDK Tray Menu.lnk - C:\Sun\SDK\jdk\bin\javaw.exe
Startup Defender.lnk - C:\Program Files\Zards software\Startup Defender\Startup Defender.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\NeverwinterNights\NWN\nwmain.exe"="C:\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1200056510\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1200056510\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"C:\NeverwinterNights\NWN\nwserver.exe"="C:\NeverwinterNights\NWN\nwserver.exe:*:Enabled:Neverwinter Nights Server"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\ACSPMonitor\ASMonitor.exe"="C:\Program Files\ACSPMonitor\ASMonitor.exe:*:Enabled:System"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-08-29 13:58:10 ----D---- C:\rsit
2009-08-29 13:43:55 ----D---- C:\Sun
2009-08-29 13:42:15 ----SHD---- C:\Config.Msi
2009-08-25 12:45:59 ----D---- C:\Program Files\CCleaner
2009-08-20 02:44:54 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-20 02:44:50 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-20 02:44:47 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-20 02:44:43 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-20 02:44:39 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-20 02:44:36 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-20 02:44:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-20 02:44:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-20 02:44:24 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-20 02:44:17 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-20 02:44:13 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$
2009-08-20 02:43:51 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-08-20 02:43:40 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-08-20 02:42:07 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-08-20 02:31:31 ----D---- C:\WINDOWS\system32\XPSViewer
2009-08-20 02:31:28 ----D---- C:\Program Files\MSBuild
2009-08-20 02:31:21 ----D---- C:\Program Files\Reference Assemblies
2009-08-20 02:31:03 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-08-20 02:31:03 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-08-20 02:31:02 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-08-20 02:31:02 ----D---- C:\5bd1755a01226375a2077ba4
2009-08-20 02:27:46 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-08-20 02:27:43 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-08-20 02:27:39 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-08-20 02:27:03 ----D---- C:\WINDOWS\ie8updates
2009-08-20 02:26:54 ----D---- C:\WINDOWS\WBEM
2009-08-20 02:26:37 ----HDC---- C:\WINDOWS\ie8
2009-08-20 02:24:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-08-20 02:24:15 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-08-20 02:24:10 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-08-20 02:24:02 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-08-20 02:23:57 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-08-20 02:23:52 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-08-20 02:23:50 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-08-20 02:23:46 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-08-20 02:23:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-08-20 02:23:32 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-08-20 02:23:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-08-20 02:23:25 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-08-20 02:23:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-08-20 02:23:10 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-08-20 02:23:07 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-08-20 02:23:03 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-08-20 02:22:59 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-08-20 02:22:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-08-20 02:22:53 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-08-20 02:22:50 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-08-20 02:22:46 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-08-20 02:22:43 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-08-20 02:22:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-08-20 02:22:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-08-20 02:22:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-08-20 02:22:28 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-08-20 02:22:23 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-08-20 02:15:19 ----D---- C:\WINDOWS\Prefetch
2009-08-20 02:12:10 ----D---- C:\WINDOWS\system32\scripting
2009-08-20 02:12:10 ----D---- C:\WINDOWS\system32\en-us
2009-08-20 02:12:10 ----D---- C:\WINDOWS\l2schemas
2009-08-20 02:12:09 ----D---- C:\WINDOWS\system32\en
2009-08-20 02:12:09 ----D---- C:\WINDOWS\system32\bits
2009-08-20 02:11:04 ----D---- C:\WINDOWS\ServicePackFiles
2009-08-20 02:10:11 ----D---- C:\WINDOWS\network diagnostic
2009-08-20 02:08:58 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-08-20 02:08:56 ----D---- C:\WINDOWS\EHome
2009-08-20 02:05:20 ----A---- C:\WINDOWS\system32\xmllite.dll
2009-08-20 02:05:16 ----N---- C:\WINDOWS\system32\wmphoto.dll
2009-08-20 02:05:12 ----N---- C:\WINDOWS\system32\wlanapi.dll
2009-08-20 02:05:10 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2009-08-20 02:05:10 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2009-08-20 02:05:03 ----N---- C:\WINDOWS\system32\tspkg.dll
2009-08-20 02:05:03 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-08-20 02:04:59 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2009-08-20 02:04:59 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2009-08-20 02:04:56 ----N---- C:\WINDOWS\system32\slserv.exe
2009-08-20 02:04:56 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-08-20 02:04:56 ----N---- C:\WINDOWS\system32\slgen.dll
2009-08-20 02:04:56 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-08-20 02:04:56 ----N---- C:\WINDOWS\slrundll.exe
2009-08-20 02:04:55 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-08-20 02:04:52 ----N---- C:\WINDOWS\system32\setupn.exe
2009-08-20 02:04:51 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-08-20 02:04:50 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-08-20 02:04:49 ----N---- C:\WINDOWS\system32\rasqec.dll
2009-08-20 02:04:49 ----N---- C:\WINDOWS\system32\qutil.dll
2009-08-20 02:04:48 ----N---- C:\WINDOWS\system32\qcliprov.dll
2009-08-20 02:04:48 ----N---- C:\WINDOWS\system32\qagentrt.dll
2009-08-20 02:04:48 ----N---- C:\WINDOWS\system32\qagent.dll
2009-08-20 02:04:48 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2009-08-20 02:04:47 ----N---- C:\WINDOWS\system32\onex.dll
2009-08-20 02:04:45 ----N---- C:\WINDOWS\system32\napstat.exe
2009-08-20 02:04:45 ----N---- C:\WINDOWS\system32\napmontr.dll
2009-08-20 02:04:45 ----N---- C:\WINDOWS\system32\napipsec.dll
2009-08-20 02:04:44 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-08-20 02:04:44 ----N---- C:\WINDOWS\system32\msxml6r.dll
2009-08-20 02:04:44 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2009-08-20 02:04:44 ----N---- C:\WINDOWS\system32\mssha.dll
2009-08-20 02:04:44 ----A---- C:\WINDOWS\system32\msxml6.dll
2009-08-20 02:04:39 ----N---- C:\WINDOWS\system32\mmcperf.exe
2009-08-20 02:04:38 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-08-20 02:04:38 ----N---- C:\WINDOWS\system32\mmcex.dll
2009-08-20 02:04:38 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-08-20 02:04:36 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-08-20 02:04:28 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2009-08-20 02:04:28 ----N---- C:\WINDOWS\system32\kmsvc.dll
2009-08-20 02:04:28 ----N---- C:\WINDOWS\system32\kbdpash.dll
2009-08-20 02:04:28 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2009-08-20 02:04:28 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2009-08-20 02:04:28 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2009-08-20 02:04:24 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-08-20 02:04:22 ----N---- C:\WINDOWS\system32\faxpatch.exe
2009-08-20 02:04:22 ----A---- C:\WINDOWS\002830_.tmp
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eapsvc.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eapqec.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eappprxy.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eapphost.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eappgnui.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eappcfg.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2009-08-20 02:04:21 ----N---- C:\WINDOWS\system32\eapolqec.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3ui.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3svc.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3msm.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dot3api.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dimsroam.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2009-08-20 02:04:20 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2009-08-20 02:04:19 ----N---- C:\WINDOWS\system32\credssp.dll
2009-08-20 02:04:16 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2009-08-20 02:04:16 ----N---- C:\WINDOWS\system32\azroles.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ati3duag.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-08-20 02:04:15 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2009-08-20 02:04:14 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-08-20 01:56:43 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-08-20 01:54:07 ----A---- C:\WINDOWS\system32\muweb.dll
2009-08-20 01:54:07 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-08-20 01:54:07 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-08-20 00:59:49 ----D---- C:\Avenger
2009-08-20 00:59:49 ----A---- C:\avenger.txt
2009-08-11 01:03:50 ----D---- C:\Program Files\Common Files\Viewpoint
2009-08-10 19:31:40 ----D---- C:\Documents and Settings\Jeff\Application Data\Ventrilo
2009-08-10 19:31:25 ----D---- C:\Program Files\Ventrilo
2009-08-10 19:31:25 ----A---- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-08-10 19:31:11 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-06 00:44:57 ----D---- C:\Program Files\Avira
2009-08-06 00:44:57 ----D---- C:\Documents and Settings\All Users\Application Data\Avira

======List of files/folders modified in the last 1 months======

2009-08-29 13:56:46 ----D---- C:\WINDOWS\TEMP
2009-08-29 13:56:46 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-29 13:56:15 ----RD---- C:\Program Files
2009-08-29 13:56:03 ----D---- C:\WINDOWS\system32\drivers
2009-08-29 13:55:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-29 13:49:12 ----D---- C:\WINDOWS\system32
2009-08-29 13:42:19 ----D---- C:\Program Files\Common Files
2009-08-29 13:42:15 ----SHD---- C:\WINDOWS\Installer
2009-08-29 13:12:29 ----D---- C:\Program Files\Mozilla Firefox
2009-08-29 12:40:54 ----A---- C:\WINDOWS\win.ini
2009-08-29 11:54:20 ----D---- C:\WINDOWS
2009-08-28 18:41:21 ----D---- C:\Documents and Settings\Jeff\Application Data\EVEMon
2009-08-26 14:32:51 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-26 14:19:41 ----D---- C:\1PSYC
2009-08-26 11:55:31 ----D---- C:\temp
2009-08-26 10:09:22 ----D---- C:\Program Files\Viewpoint
2009-08-25 19:19:57 ----D---- C:\Program Files\eMule
2009-08-25 13:28:12 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-08-25 12:53:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 12:53:04 ----D---- C:\WINDOWS\Debug
2009-08-25 12:53:03 ----D---- C:\WINDOWS\Minidump
2009-08-21 14:14:58 ----A---- C:\WINDOWS\lexstat.ini
2009-08-20 03:03:35 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-20 03:03:34 ----RSD---- C:\WINDOWS\assembly
2009-08-20 02:46:18 ----D---- C:\Program Files\Microsoft Silverlight
2009-08-20 02:44:56 ----HD---- C:\WINDOWS\inf
2009-08-20 02:44:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-20 02:44:41 ----D---- C:\Program Files\Outlook Express
2009-08-20 02:44:39 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-20 02:44:11 ----D---- C:\WINDOWS\WinSxS
2009-08-20 02:42:23 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-20 02:41:15 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-20 02:40:44 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-20 02:36:04 ----D---- C:\Program Files\Internet Explorer
2009-08-20 02:36:03 ----D---- C:\WINDOWS\system32\wbem
2009-08-20 02:36:03 ----D---- C:\WINDOWS\Help
2009-08-20 02:36:03 ----D---- C:\WINDOWS\AppPatch
2009-08-20 02:31:26 ----RSD---- C:\WINDOWS\Fonts
2009-08-20 02:31:10 ----D---- C:\WINDOWS\system32\spool
2009-08-20 02:26:56 ----D---- C:\WINDOWS\system32\config
2009-08-20 02:26:51 ----D---- C:\WINDOWS\Media
2009-08-20 02:23:43 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-20 02:22:45 ----D---- C:\Program Files\Messenger
2009-08-20 02:14:55 ----D---- C:\WINDOWS\system32\Setup
2009-08-20 02:12:23 ----D---- C:\Program Files\Windows Media Player
2009-08-20 02:12:16 ----D---- C:\WINDOWS\ime
2009-08-20 02:12:10 ----D---- C:\WINDOWS\system32\usmt
2009-08-20 02:12:09 ----D---- C:\WINDOWS\PeerNet
2009-08-20 02:12:09 ----D---- C:\Program Files\Movie Maker
2009-08-20 02:11:00 ----D---- C:\WINDOWS\system32\Restore
2009-08-20 02:11:00 ----D---- C:\WINDOWS\system32\npp
2009-08-20 02:11:00 ----D---- C:\WINDOWS\msagent
2009-08-20 02:10:59 ----D---- C:\WINDOWS\srchasst
2009-08-20 02:10:59 ----D---- C:\Program Files\NetMeeting
2009-08-20 02:10:58 ----D---- C:\WINDOWS\system32\Com
2009-08-20 02:10:57 ----D---- C:\Program Files\Windows NT
2009-08-20 02:10:55 ----D---- C:\Program Files\Common Files\System
2009-08-20 02:10:48 ----D---- C:\WINDOWS\system32\oobe
2009-08-20 02:10:47 ----D---- C:\WINDOWS\system
2009-08-20 02:09:44 ----D---- C:\WINDOWS\security
2009-08-20 00:55:20 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-20 00:47:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-10 21:31:50 ----SD---- C:\Documents and Settings\Jeff\Application Data\Microsoft
2009-08-09 00:25:56 ----D---- C:\Program Files\Steam
2009-08-06 23:47:11 ----D---- C:\audio
2009-08-06 00:28:25 ----D---- C:\WINDOWS\Registration
2009-08-05 04:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-30 16:15:52 ----D---- C:\gmax

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2008-01-11 8552]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-05-26 4279296]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-02-28 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-12-09 3536768]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-16 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-16 13056]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-08-17 12274432]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;Usbscan; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 catchme;catchme; \??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 PSSdk23;PSSdk23; \??\C:\WINDOWS\system32\Drivers\PsSdk23.drv []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2006-04-17 311296]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-12-09 131139]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2004-10-20 10328]
S4 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
S4 MGS;MGS; C:\Program Files\Instant Message Grabber 2.x\fat32scan.exe [2006-01-17 94208]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2001-10-03 65536]

-----------------EOF-----------------
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could sombody look at this log for me.

Unread postby Bob4 » August 30th, 2009, 8:54 am

Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.


You can delete RSIT.exe


___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is in case you need system restore you don't put back all we just took out.
Right click My Computer
Normally click Properties >> system restore
Place a check mark by turn off system restore
Click APPLY
Windows will give you a warning click yes
REBOOT

Now go right back to the same place and un-check system restore
Click APPLY and OK



_______________________________________
A few things to help with possible threats

These are optional, but will help protect you further, and some of these you may already have.





________________________________________
Windows Updates
Be certain automatic updates is turned on for XP. - For Vista Or if you like to do it manually be sure to visit http://update.microsoft.com/ regularly. This requires Internet Explorer to do so.

This will ensure your computer always has the latest available security updates installed.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Browser settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.



___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.



_______________________________________
So many people are point and click crazy either because they're naive or they're in a rush.

Always watch closely any software you're installing.
If they want to install something more than their program stop right there and investigate what it is they want to place on your computer.
If they give you the option not to install it choose that until you investigate it completely.
The more you install that you don't want or need the more you'll wish you didn't.

Here's a site with great advice on how to AVOID malware. Much easier to do than removing it.


Safe and Happy Surfing. :)
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
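
The Internet zone changes listed in the post above can be verified without clicking through the dialog. This read-only audit is an added example, not part of the original post: the registry path and the URL action IDs (1001, 1004, 1201, 1800, 1804, 1607) do not appear on the page and are the standard Internet Explorer zone values, and the function name Get-ZoneAudit is hypothetical.

```powershell
# Added example: read-only audit of the current user's Internet zone (zone 3)
# against the six settings recommended in the post. Nothing is modified.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Meaning of the DWORD stored for each URL action
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action ID, dialog label, and the value the post recommends
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                              Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                            Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe';     Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                                 Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                     Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';                  Want = 1 }
)

function Get-ZoneAudit {
    param(
        [string]$Key = $zoneKey,
        [object[]]$Checks = $recommended
    )
    # The key or individual values may be absent on a fresh profile
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($c in $Checks) {
        $actual = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $c.Id)) {
            $actual = [int]$props.($c.Id)
        }

        if ($null -eq $actual)                 { $shown = 'not set for this user' }
        elseif ($meaning.ContainsKey($actual)) { $shown = $meaning[$actual] }
        else                                   { $shown = "other ($actual)" }

        [pscustomobject]@{
            Id          = $c.Id
            Setting     = $c.Name
            Recommended = $meaning[$c.Want]
            Current     = $shown
            Matches     = ($actual -eq $c.Want)
        }
    }
}

Get-ZoneAudit | Format-Table -AutoSize
```

Rows with Matches = False are the ones to revisit under Custom Level. Values enforced through Group Policy are stored separately and are not read by this check.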

Re: Could sombody look at this log for me.

Unread postby Gary R » August 31st, 2009, 11:14 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire