logfile hijack (smartsecurity)

[Guest_tom_*]

Logfile of HijackThis v1.99.0
Scan saved at 16:42:08, on 1/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\Program Files\McAfee\McAfee Firewall\CPD.EXE
E:\WINDOWS\Explorer.EXE
E:\Program Files\McAfee\McAfee Firewall\CPD.EXE
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\Program Files\Java\jre1.5.0\bin\jusched.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
E:\WINDOWS\System32\w?wexec.exe
E:\Documents and Settings\thomas\Application Data\herc.exe
e:\windows\system32\taskmgn.exe
E:\Winamp\winamp.exe
E:\Football Manager 2005\fm2005.exe
E:\DOCUME~1\thomas\LOCALS~1\Temp\~e5.0001
E:\Program Files\Outlook Express\msimn.exe
E:\PROGRA~1\MOZILL~1\firefox.exe
E:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - E:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {766F4A98-F55B-AFFB-0843-F7CABEA2C99B} - E:\WINDOWS\System32\rtjnkv.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - E:\Program Files\Games\tbGame.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - E:\WINDOWS\srchfst.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - E:\Program Files\YourSiteBar\ysb.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [System Toolkit] F:\McAfee Anti virus v7.00.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Task Manager] e:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [Games toolbar] rundll32.exe "E:\PROGRA~1\Games\tbGame.dll" DllShowTB
O4 - HKLM\..\Run: [SurfSideKick 2] E:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [TV Media] E:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "E:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [SurfSideKick 2] E:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Ruk] E:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Nsbo] E:\Documents and Settings\thomas\Application Data\herc.exe
O4 - HKCU\..\Run: [TV Media] E:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://ocx1.advnt01.com/dialer/belgio_ver3.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVSync Manager - Network Associates, Inc. - E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Network Associates, Inc. - E:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe



I already tried fixing it yesterday, hope this still helps.
Tom.

[Guest_tom_*]

Guestolo,

I'm sorry, but yesterday i tried removing that thing, so i don't know if my logfile is of any use. I do live in Belgium, though, so if this guy lives in Belgium like suggested, i can always notify the police if you want me to.

[guestolo]

Let's try some cleanup Tom

Can you first Access your Add/Remove Programs via Control Panel
Remove if found
Search Fast
TV Media
SurfSideKick 2
180Solutions or 180 search assistant if found stay online and follow the prompts closely
NCase

Restart your computer if anything found

Back in Windows

Could you download a couple tools please
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Ad-Aware may check for updates and run a scan after installing
Allow to update but don't run a scan at this time

Could you also
Download
Windows CleanUp! by StevenGould
Install for now but, Don't run a scan yet
This will clean all your temp folders, cookies, prefetch, etc...

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

I'm going to ask you to edit your registry in Safe mode
So beforehand can you make a fresh Restore point
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click Create
No worries, this is just for backup purposes

Please print the rest of this out or save it to a Notepad file on your Desktop
Disconnect from the Internet
Restart your computer into SAFE MODE
Sign in with this account that has the desktop problems

Open Hijackthis>>Open Misc Tools section>>Open Process Manager
Kill any of these processes if still running, they shouldn't be, but take a look
E:\WINDOWS\System32\w?wexec.exe
E:\Documents and Settings\thomas\Application Data\herc.exe
e:\windows\system32\taskmgn.exe
E:\DOCUME~1\thomas\LOCALS~1\Temp\~e5.0001

Find and delete these files or folders if they exist

E:\WINDOWS\System32\rtjnkv.dll <--this file
E:\WINDOWS\srchfst.dll <--file
E:\Documents and Settings\thomas\Application Data\herc.exe <--file
C:\foo.mht <--file

e:\windows\system32\taskmgn.exe <--file, Careful of the spelling, don't delete taskmgr.exe with an r, only the one with the n at the end before .exe

E:\Program Files\Games\tbGame.dll <--file, if the Games subfolder is empty delete it too, if not let me know what other files exist in it

E:\Program Files\TV Media <--folder
E:\Program Files\SurfSideKick 2 <--folder
E:\Program Files\YourSiteBar <--folder

We're also after the ones related too SmartSecurity
Look for and delete any of these that are found in bold
Try to also do a Search for them, they may not all exist

E:\WINDOWS\desktop.html '
E:\WINDOWS\Web\desktop.html
E:\WINDOWS\SSICO.ICO
E:\Documents and Settings\thomas\Desktop\! Protect Your Data.url
E:\Documents and Settings\thomas\Favorites\! Smart Security.url
E:\Documents and Settings\thomas\Recent\! Smart Security.url
E:\Documents and Settings\thomas\Start Menu\! Secure Yourself.url

*I'm assuming the user account \thomas\ is the one with the desktop problem from Smart Security

Again, in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - E:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: (no name) - {766F4A98-F55B-AFFB-0843-F7CABEA2C99B} - E:\WINDOWS\System32\rtjnkv.dll

O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - E:\Program Files\Games\tbGame.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - E:\WINDOWS\srchfst.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - E:\Program Files\YourSiteBar\ysb.dll (file missing)

O4 - HKLM\..\Run: [Windows Task Manager] e:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [Games toolbar] rundll32.exe "E:\PROGRA~1\Games\tbGame.dll" DllShowTB
O4 - HKLM\..\Run: [SurfSideKick 2] E:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [TV Media] E:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [SurfSideKick 2] E:\Program Files\SurfSideKick 2\Ssk.exe

O4 - HKCU\..\Run: [Ruk] E:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Nsbo] E:\Documents and Settings\thomas\Application Data\herc.exe
O4 - HKCU\..\Run: [TV Media] E:\Program Files\TV Media\Tvm.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://ocx1.advnt01.com/dialer/belgio_ver3.CAB

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

After the above is done
Stay in safe mode
Open Registry Editor. Click Start>Run, type REGEDIT
then press Enter.
# In the left panel, expand(+) the following
+HKEY_CURRENT_USER
+Software
+Microsoft
+Internet Explorer
+Desktop
+Components
# Still in the left panel, locate and Right click on and delete the subkey:
0
# Close Registry Editor.

Open Windows CleanUp! that you installed earlier
Start>>All programs>>CleanUp
Click the CleanUp button, let it finish scanning for files, when it's done it will prompt you to Log off
Don't at this time

Instead Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode to finish the cleaning process


===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Findfile.bat
Save this on the Desktop

dir E:\WINDOWS\System32\w?wexec.exe /a h > files.txt
notepad files.txt

Double click on Findfile.bat
It will quickly open a log in Notepad(files.txt), copy and paste the contents of the notepad back here

Could you also include a fresh Hijackthis log

Do what you can from the above before posting back, ensure to include a fresh log, thanks

[Guest_tom_*]

Thanks, Guestolo. I've done all of the above.

These are the contents of files.txt:

 Volume in drive E is Boot
 Volume Serial Number is F026-A2ED

 Directory of E:\WINDOWS\System32

23/08/2001  13:00            10.368 wowexec.exe
08/12/2004  15:35           389.120 w?wexec.exe
               2 File(s)        399.488 bytes

 Directory of E:\Documents and Settings\thomas\Desktop


Here's another Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 22:16:23, on 1/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Program Files\McAfee\McAfee Firewall\CPD.EXE
E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
E:\Program Files\McAfee\McAfee Firewall\CPD.EXE
E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
E:\Program Files\Java\jre1.5.0\bin\jusched.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\PROGRA~1\MOZILL~1\firefox.exe
E:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {766F4A98-F55B-AFFB-0843-F7CABEA2C99B} - E:\WINDOWS\System32\rtjnkv.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [System Toolkit] F:\McAfee Anti virus v7.00.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "E:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "E:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVSync Manager - Network Associates, Inc. - E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Network Associates, Inc. - E:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

[guestolo]

As you can see by the contents of the files.txt

23/08/2001 13:00 10.368 wowexec.exe <--this is legitimate

08/12/2004 15:35 389.120 w?wexec.exe <--this ones a bad guy

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {766F4A98-F55B-AFFB-0843-F7CABEA2C99B} - E:\WINDOWS\System32\rtjnkv.dll (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis


Restart back into safe mode

Navigate back to E:\WINDOWS\System32 folder

Find the file that starts with  w ends with wexec.exe
I'm not sure what the ? mark will resemble, you may not see the ? mark

As I said, at least one wowexec.exe is legitimate
Right click on the file that resembles the bad guy
and left click properties
Your looking for one that was created on 08/12/2004
and has a size of about 389 kb
Only delete that one

When your done with that

Restart back to Normal mode

If everything is running better
you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Post back one more log and let me know how everything's running

EDIT>>Can you let me know about this one in your log
O4 - HKLM\..\Run: [System Toolkit] F:\McAfee Anti virus v7.00.EXE
It's running from a different partition or drive
Just curious about it, is it a download of some sort
I've never used McAfee products before