
Virus from Limewire ... lost desktop and start menu

Discussion in 'Malware and Virus Removal Archive' started by Pippi, 2008/07/02.

  1. 2008/07/02
    Pippi (Thread Starter)

    Hi everyone,

    I was using Avast Antivirus and I downloaded some music from Limewire. The Avast program alerted me that a virus had been detected and I chose the option to stop the download. I ran a virus scan which found a Trojan and deleted the file. In the process I somehow lost my desktop icons and my start menu taskbar.

    Also, I repeatedly get redirected to **** sites whenever I open a new page in IE. So, I assumed I still had some sort of virus or malware. I uninstalled Avast and bought and installed Bitdefender. When I run a scan with it I'm told no viruses are found, but it seems there are 9 files which are somehow password protected and cannot be scanned.

    So, I'm at a loss as to what to do next. How can I get my desktop and start menu back, and how can I be sure my computer is virus free?

    I am accessing IE through Ctrl Alt Delete and then clicking New task.
     
    Last edited: 2008/07/02
  2. 2008/07/02
    MitchellCooley (Lifetime Subscription)

    Pippi, Welcome to the board.

    Unfortunately, programs like Limewire will do that. Using those types of programs is frowned upon.

    In order for someone to help you, you will need to be willing to uninstall Limewire.

    Please post once you have uninstalled Limewire and one of the moderators will move your thread to "Removing Spyware and Viruses".

    Mitch
     


  4. 2008/07/03
    Admin. (Administrator, Staff)

    Hi,

    Read this post, then post the requested log(s).
     
  5. 2008/07/03
    Pippi (Thread Starter)

    Hi and thank you.

    Here is the requested log:

    Deckard's System Scanner v20071014.68
    Run by AW on 2008-07-04 09:01:40
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    22: 2008-07-04 16:01:52 UTC - RP483 - Deckard's System Scanner Restore Point
    21: 2008-07-04 03:21:41 UTC - RP482 - Installed Tweaking Toolbox XP
    20: 2008-07-04 00:26:43 UTC - RP481 - Systemkontrolpunkt
    19: 2008-07-03 00:14:05 UTC - RP480 - Software Distribution Service 3.0
    18: 2008-07-02 19:20:04 UTC - RP479 - Software Distribution Service 3.0


    -- First Restore Point --
    1: 2008-06-29 00:47:43 UTC - RP462 - Configured AutoFriend


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as AW.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:03:23, on 04-07-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Programmer\Opera\profile\cache4\temporary_download\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\AW.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Programmer\BitDefender\BitDefender 2008\IEShow.exe "
    O4 - HKLM\..\Run: [BDAgent] "C:\Programmer\BitDefender\BitDefender 2008\bdagent.exe "
    O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
    O4 - HKCU\..\Run: [ARSA] "C:\Programmer\AnswersThatWork\A Really Small App\A_Really_Small_App.exe" -startup
    O4 - Startup: AOM.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send til &Bluetooth - C:\Programmer\WIDCOMM\Bluetooth-software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: khfFUKeF - C:\WINDOWS\SYSTEM32\khfFUKeF.dll
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 7174 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 SSHDRV5C - c:\windows\system32\drivers\sshdrv5c.sys
    R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
    R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 19 SP1>
    R3 BDSelfPr - c:\programmer\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S3 krdpdre - c:\docume~1\aw\lokale~1\temp\krdpdre.sys (file missing)
    S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S4 Apple Mobile Device - "c:\programmer\fælles filer\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    S4 Bonjour Service - c:\programmer\bonjour\mdnsresponder.exe <Not Verified; Apple Inc.; Bonjour>
    S4 Viewpoint Manager Service - "c:\programmer\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Bluetooth LAN Access Server Driver
    Device ID: ROOT\NET\0000
    Manufacturer: WIDCOMM, Inc.
    Name: Bluetooth LAN Access Server Driver
    PNP Device ID: ROOT\NET\0000
    Service: BTWDNDIS


    -- Scheduled Tasks -------------------------------------------------------------

    2008-06-24 22:43:04 278 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-06-04 and 2008-07-04 -----------------------------

    2008-07-03 20:09:58 0 d-------- C:\Programmer\Tweaking Toolbox XP 2
    2008-07-02 12:22:34 0 d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-07-02 10:38:46 0 dr-h----- C:\Documents and Settings\AW\Recent
    2008-07-02 09:47:04 0 d-------- C:\WINDOWS\pss
    2008-07-02 09:27:34 0 d-------- C:\WINDOWS\CSC
    2008-07-01 09:21:52 0 d-------- C:\Documents and Settings\AW\Application Data\Bitdefender
    2008-07-01 09:20:39 0 d-------- C:\Programmer\BitDefender
    2008-07-01 09:20:39 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-06-30 22:42:39 0 d-------- C:\Documents and Settings\AW\.housecall6.6
    2008-06-30 22:37:27 0 d-------- C:\Programmer\Trend Micro
    2008-06-30 16:33:20 0 d-------- C:\kav
    2008-06-30 11:06:49 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-06-30 09:57:43 0 d-------- C:\WINDOWS\BDOSCAN8
    2008-06-30 09:46:18 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-30 09:01:08 87040 --a------ C:\WINDOWS\system32\srdevljt.dll
    2008-06-30 08:59:51 104448 --a------ C:\WINDOWS\system32\qtlwvf.dll
    2008-06-30 08:59:43 104448 --a------ C:\WINDOWS\system32\vtyffbih.dll
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer\BitDefender
    2008-06-29 08:44:17 104960 --a------ C:\WINDOWS\system32\hwtddw.dll
    2008-06-29 08:44:15 104960 --a------ C:\WINDOWS\system32\ejyyqhvo.dll
    2008-06-29 08:42:31 86528 --a------ C:\WINDOWS\system32\dsjkjlnc.dll
    2008-06-29 08:42:14 94208 --a------ C:\WINDOWS\system32\lxwpemcr.dll
    2008-06-28 23:59:03 0 d-------- C:\Documents and Settings\AW\Application Data\Viewpoint
    2008-06-28 17:58:50 0 d-------- C:\Documents and Settings\AW\Application Data\DivX
    2008-06-28 17:47:28 658436 --ahs---- C:\WINDOWS\system32\CKnWxGgh.ini2
    2008-06-28 17:47:22 285184 --a------ C:\WINDOWS\system32\hgGxWnKC.dll
    2008-06-28 17:42:18 34304 --a------ C:\WINDOWS\system32\khfFUKeF.dll
    2008-06-23 21:46:41 0 d-------- C:\Programmer\LimeWire
    2008-06-17 18:28:46 0 d-------- C:\Documents and Settings\AW\Application Data\Apple Computer
    2008-06-17 18:28:21 0 d-------- C:\Programmer\iPod
    2008-06-17 18:28:13 0 d-------- C:\Programmer\iTunes
    2008-06-17 18:27:56 0 d-------- C:\Programmer\Bonjour
    2008-06-17 18:26:59 0 d-------- C:\Programmer\QuickTime
    2008-06-17 18:26:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-17 18:26:31 0 d-------- C:\Programmer\Apple Software Update
    2008-06-17 18:26:22 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2008-06-17 18:25:58 0 d-------- C:\Programmer\Fælles filer\Apple
    2008-06-17 18:25:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-07 17:21:24 0 d--hs---- C:\found.000


    -- Find3M Report ---------------------------------------------------------------

    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer
    2008-06-29 09:04:30 0 d-------- C:\Documents and Settings\AW\Application Data\Yahoo!
    2008-06-28 18:14:29 0 d-------- C:\Documents and Settings\AW\Application Data\LimeWire
    2008-06-27 16:04:41 0 d-------- C:\Documents and Settings\AW\Application Data\skypePM
    2008-06-27 16:04:31 0 d-------- C:\Documents and Settings\AW\Application Data\Skype
    2008-06-18 18:12:06 0 d-------- C:\Programmer\Fælles filer\Adobe
    2008-06-18 18:11:19 0 d-------- C:\Documents and Settings\AW\Application Data\Adobe
    2008-06-16 18:05:17 0 d-------- C:\Programmer\Opera
    2008-06-01 16:35:33 0 d--h----- C:\Programmer\InstallShield Installation Information
    2008-06-01 16:35:24 0 d-------- C:\Programmer\Teknowebwork LLC
    2008-06-01 15:12:28 486008 --a------ C:\WINDOWS\system32\perfh006.dat
    2008-06-01 15:12:28 100208 --a------ C:\WINDOWS\system32\perfc006.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f7130c8-15d8-49f6-942d-5d667a5a1179}]
    30-06-2008 08:59 104448 --a------ C:\WINDOWS\system32\qtlwvf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD}]
    28-06-2008 17:47 285184 --a------ C:\WINDOWS\system32\hgGxWnKC.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
    28-06-2008 17:42 34304 --a------ C:\WINDOWS\system32\khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cpqset "= "C:\Programmer\HPQ\Default Settings\cpqset.exe" [17-07-2003 04:50]
    "AGRSMMSG "= "AGRSMMSG.exe" [04-03-2005 07:01 C:\WINDOWS\AGRSMMSG.exe]
    "SynTPLpr "= "C:\Programmer\Synaptics\SynTP\SynTPLpr.exe" [04-11-2004 10:40]
    "SynTPEnh "= "C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" [04-11-2004 10:38]
    "BitDefender Antiphishing Helper "= "C:\Programmer\BitDefender\BitDefender 2008\IEShow.exe" [09-10-2007 15:46]
    "BDAgent "= "C:\Programmer\BitDefender\BitDefender 2008\bdagent.exe" [03-07-2008 10:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ARSA "= "C:\Programmer\AnswersThatWork\A Really Small App\A_Really_Small_App.exe" [11-08-2006 12:30]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "*Restore "=C:\WINDOWS\system32\restore\rstrui.exe -i

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical "=00000000
    "NoLogoff "=0 (0x0)
    "NoActiveDesktop "=0 (0x0)
    "NoDesktop "=0 (0x0)
    "NoToolbarsOnTaskbar "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoSaveSettings "=0 (0x0)
    "NoBandCustomize "=0 (0x0)
    "NoMovingBands "=0 (0x0)
    "NoCloseDragDropBands "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "StartMenuLogOff "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{BA2A2046-75A4-47C0-A09C-F0DCC706D39B} "= C:\WINDOWS\system32\khfFUKeF.dll [28-06-2008 17:42 34304]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFUKeF]
    khfFUKeF.dll 28-06-2008 17:42 34304 C:\WINDOWS\system32\khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 nwprovau C:\WINDOWS\system32\hgGxWnKC

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8752 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-07-04 09:05:53 ------------
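    The two HijackThis logs in this thread show the pattern the helpers are looking for: O2 BHO entries that are "(no name)" or GUID-named and point at randomly named DLLs directly in system32, one of which (khfFUKeF.dll) is also registered as a Winlogon Notify package (O20) so that it is reloaded at every logon. As an added example, not code from this thread nor from HijackThis or DSS, the Python script below applies exactly those two checks to a constructed subset of the lines posted above. The regular expressions for the line shapes, the system32 location heuristic, and the function names are my own assumptions based only on the lines shown here.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "entry dll reason")

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# with one clean BHO (Acrobat), one clean Spybot entry, and the three
# system32 DLLs that the log shows as unnamed / GUID-named BHOs.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: khfFUKeF - C:\WINDOWS\SYSTEM32\khfFUKeF.dll
O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Assumed line shapes, derived only from the lines posted above.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def basename(path):
    """Last path component of a Windows path (HijackThis prints backslashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_system32(path):
    """True when the file lives directly under C:\\WINDOWS\\system32 (case-insensitive)."""
    return path.lower().replace("/", "\\").startswith("c:\\windows\\system32\\")


def suspicious_bho(name, path):
    """Heuristic from the log above: a BHO with no name (or a GUID as its name)
    that lives directly in system32 is worth a closer look."""
    unnamed = name == "(no name)" or bool(GUID_RE.match(name))
    return unnamed and in_system32(path)


def triage(log_text):
    """Return a list of Finding tuples for a HijackThis-style log.

    Pass 1 flags unnamed/GUID-named BHOs in system32.
    Pass 2 flags Winlogon Notify entries that load one of those same DLLs
    (logon-time persistence), or that point at a DLL that no longer exists.
    """
    findings = []
    flagged = set()  # lower-cased DLL basenames from pass 1
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    for line in lines:
        m = BHO_RE.match(line)
        if m and suspicious_bho(m["name"], m["path"]):
            dll = basename(m["path"])
            flagged.add(dll.lower())
            reason = "unnamed/GUID-named BHO in system32"
            if m["missing"]:
                reason += " (file missing: orphaned registry entry)"
            findings.append(Finding("O2", dll, reason))

    for line in lines:
        m = NOTIFY_RE.match(line)
        if not m:
            continue
        dll = basename(m["path"])
        if dll.lower() in flagged:
            findings.append(Finding(
                "O20", dll,
                "Winlogon Notify loads a DLL already flagged as a BHO (logon persistence)"))
        elif m["missing"]:
            findings.append(Finding(
                "O20", dll, "Winlogon Notify points at a missing DLL (orphaned registry entry)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:4} {f.dll:16} {f.reason}")
```

    The cross-reference between O2 and O20 is the useful part: an unnamed BHO on its own is only a hint, but the same DLL hooked into Winlogon Notify explains why removing the file alone leaves the "(file missing)" entries visible in the second log later in this thread. Run as a script it prints one line per finding; `triage()` is also importable so the same checks can be applied to any saved log.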
     
  6. 2008/07/04
    Geri (Lifetime Subscription, Alumni)

    Hi Pippi
    Welcome to Windowsbbs.

    About P2P software (Limewire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.


    Please do the following.

    Download ComboFix from Here to your Desktop.

    It's best to disable real-time protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Thanks
    Geri
     
  7. 2008/07/04
    Pippi (Thread Starter)

    Hi and thanks for the reply.

    I shut down my Bitdefender real-time monitoring and downloaded and ran Combofix. It ran all the way through and rebooted the laptop BUT I don't see any logfile. Is there somewhere I should look for it?

    Here is the HijackThis logfile

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:01, on 2008-07-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Opera\opera.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF4023.exe /c C:\ComboFix\Combobatch.bat
    O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF4023.exe /c C:\ComboFix\\Combobatch.bat
    O4 - Startup: AOM.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send til &Bluetooth - C:\Programmer\WIDCOMM\Bluetooth-software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6990 bytes
     
  8. 2008/07/04
    Geri (Lifetime Subscription, Alumni)

    Hi

    It should be located here.

    C:\ComboFix.txt

    Thanks
    Geri
     
  9. 2008/07/04
    Pippi (Thread Starter)

    When I paste in C:\ComboFix.txt as a new task it cannot be found.
     
  10. 2008/07/04
    Geri (Lifetime Subscription, Alumni)

    Hi Pippi

    Did you get your desktop icons and Start menu back after running Combofix?

    Please do this: delete the Combofix you have downloaded, then download this one and run it. It has updates added.


    Download ComboFix from Here to your Desktop.

    It's best to disable real-time protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Please keep me informed of any improvements, or if there have been no changes after running any tools. I cannot see your computer, so I need to know what is happening.

    Thanks
    Geri
     
  11. 2008/07/05
    Pippi (Thread Starter)

    Ok, I deleted Combofix and reinstalled and ran it. I still cannot find any log file and there are no changes to my desktop. It appears that I'm not being redirected to sites though, so that's good.
     
  12. 2008/07/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Pippi

    OK, I would like to see a fresh DSS log, and also post this log if present.

    C:\QooBox\ComboFix-quarantined-files.txt

    Thanks
    Geri
     
  13. 2008/07/05
    Pippi

    Pippi Inactive Thread Starter

    Joined:
    2008/07/02
    Messages:
    51
    Likes Received:
    0
    I found this text file in the ComboFix folder:

    ComboFix 08-07-04.6 - AW 2008-07-06 9:20:03.4 - NTFSx86
    Running from: C:\Documents and Settings\AW\Skrivebord\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    And this one too entitled Pend.txt

    .:\\(0!|0\\0)
    C:\\WINDOWS\\system32\\(\\|0!|0\\0)
    C:\\WINDOWS\\system32\\config\\(\\|0!|0\\0)
    C:\\WINDOWS\\system32\\csrss.exe\\(0!|0\\0)
    C:\\WINDOWS\\system32\\drivers\\(\\|0!|0\\0)
    C:\\WINDOWS\\system32\\hal.dll\\(0!|0\\0)
    C:\\WINDOWS\\system32\\lsass.exe\\(0!|0\\0)
    C:\\WINDOWS\\system32\\ntdll.dll\\(0!|0\\0)
    C:\\WINDOWS\\system32\\services.exe\\(0!|0\\0)
    C:\\WINDOWS\\system32\\smss.exe\\(0!|0\\0)
    C:\\WINDOWS\\system32\\svchost.exe\\(0!|0\\0)
    C:\\WINDOWS\\system32\\userinit.exe\\(0!|0\\0)
    C:\\WINDOWS\\system32\\wbem\\(\\|0!|0\\0)
    C:\\WINDOWS\\system32\\winlogon.exe\\(0!|0\\0)
    C:\\boot.ini\\(0!|0\\0)
    C:\\ntdetect.com\\(0!|0\\0)
    C:\\ntldr\\(0!|0\\0)
    C:\\WINDOWS\\(\\|0!|0\\0)
    C:\\WINDOWS\\explorer.exe\\(0!|0\\0)


    Not sure if they tell you anything.

    I was able to navigate to C:\QooBox\quarantined but there's no text file. There's a bunch of files ending in .vir though.

    I'm not sure what a DSS log is.
     
  14. 2008/07/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please open BitDefender, open Advanced Settings>Shield tab and uncheck Real-time Protection. In the popup, select Permanently and OK it.

    Now run CF using a command line.
    Click on Start>Run and copy and paste this in the Run box, or use Task Manager>File>New Task (Run):

    "%userprofile%\desktop\combofix.exe" /killall

    BitDefender can be re-enabled after restart, once ComboFix has finished and produced a log.

    Post the CF Log.

    OK, sorry: a Deckard's System Scanner log. You posted one earlier; I would like to see a new scan.


    Thanks
    Geri
     
  15. 2008/07/06
    Pippi

    Pippi Inactive Thread Starter

    Joined:
    2008/07/02
    Messages:
    51
    Likes Received:
    0
    Ok, I disabled the real-time protection on BitDefender permanently and ran another CF scan. Still no log is produced and I cannot find one either.

    I see that BitDefender is still showing up in the HijackThis log ... should I completely uninstall it? Do you think it's stopping CF from producing a log?

    edited to add>> no change seen on my Desktop.


    Here is the DSS log

    Deckard's System Scanner v20071014.68
    Run by AW on 2008-07-07 13:33:55
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as AW.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:34, on 2008-07-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Programmer\Opera\opera.exe
    C:\Documents and Settings\AW\Skrivebord\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\AW.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF23989.exe /c C:\ComboFix\Combobatch.bat
    O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF23989.exe /c C:\ComboFix\\Combobatch.bat
    O4 - Startup: AOM.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send til &Bluetooth - C:\Programmer\WIDCOMM\Bluetooth-software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6960 bytes

    -- Files created between 2008-06-07 and 2008-07-07 -----------------------------

    2008-07-05 17:12:25 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-07-05 16:59:21 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-05 16:59:21 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-05 16:59:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-05 16:59:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-05 16:59:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-05 16:59:21 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-05 16:59:21 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-05 16:59:21 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-03 20:09:58 0 d-------- C:\Programmer\Tweaking Toolbox XP 2
    2008-07-02 12:22:34 0 d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-07-02 10:38:46 0 dr-h----- C:\Documents and Settings\AW\Recent
    2008-07-02 09:47:04 0 d-------- C:\WINDOWS\pss
    2008-07-02 09:27:34 0 d-------- C:\WINDOWS\CSC
    2008-07-01 09:21:52 0 d-------- C:\Documents and Settings\AW\Application Data\Bitdefender
    2008-07-01 09:20:39 0 d-------- C:\Programmer\BitDefender
    2008-07-01 09:20:39 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-06-30 22:42:39 0 d-------- C:\Documents and Settings\AW\.housecall6.6
    2008-06-30 22:37:27 0 d-------- C:\Programmer\Trend Micro
    2008-06-30 16:33:20 0 d-------- C:\kav
    2008-06-30 11:06:49 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-06-30 09:57:43 0 d-------- C:\WINDOWS\BDOSCAN8
    2008-06-30 09:46:18 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer\BitDefender
    2008-06-28 23:59:03 0 d-------- C:\Documents and Settings\AW\Application Data\Viewpoint
    2008-06-28 17:58:50 0 d-------- C:\Documents and Settings\AW\Application Data\DivX
    2008-06-23 21:46:41 0 d-------- C:\Programmer\LimeWire
    2008-06-17 18:28:46 0 d-------- C:\Documents and Settings\AW\Application Data\Apple Computer
    2008-06-17 18:28:21 0 d-------- C:\Programmer\iPod
    2008-06-17 18:28:13 0 d-------- C:\Programmer\iTunes
    2008-06-17 18:27:56 0 d-------- C:\Programmer\Bonjour
    2008-06-17 18:26:59 0 d-------- C:\Programmer\QuickTime
    2008-06-17 18:26:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-17 18:26:31 0 d-------- C:\Programmer\Apple Software Update
    2008-06-17 18:26:22 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2008-06-17 18:25:58 0 d-------- C:\Programmer\Fælles filer\Apple
    2008-06-17 18:25:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-07 17:21:24 0 d--hs---- C:\found.000


    -- Find3M Report ---------------------------------------------------------------

    2008-07-06 09:26:36 0 d-------- C:\Programmer\Opera
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer
    2008-06-29 09:04:30 0 d-------- C:\Documents and Settings\AW\Application Data\Yahoo!
    2008-06-28 18:14:29 0 d-------- C:\Documents and Settings\AW\Application Data\LimeWire
    2008-06-27 16:04:41 0 d-------- C:\Documents and Settings\AW\Application Data\skypePM
    2008-06-27 16:04:31 0 d-------- C:\Documents and Settings\AW\Application Data\Skype
    2008-06-18 18:12:06 0 d-------- C:\Programmer\Fælles filer\Adobe
    2008-06-18 18:11:19 0 d-------- C:\Documents and Settings\AW\Application Data\Adobe
    2008-06-01 16:35:33 0 d--h----- C:\Programmer\InstallShield Installation Information
    2008-06-01 16:35:24 0 d-------- C:\Programmer\Teknowebwork LLC
    2008-06-01 15:12:28 486008 --a------ C:\WINDOWS\system32\perfh006.dat
    2008-06-01 15:12:28 100208 --a------ C:\WINDOWS\system32\perfc006.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f7130c8-15d8-49f6-942d-5d667a5a1179}]
    C:\WINDOWS\system32\qtlwvf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD}]
    C:\WINDOWS\system32\hgGxWnKC.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
    C:\WINDOWS\system32\khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix "= "C:\WINDOWS\system32\CF23989.exe" [2004-08-26 17:53]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "combofix "=C:\WINDOWS\system32\CF23989.exe /c C:\ComboFix\\Combobatch.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical "=00000000
    "NoLogoff "=0 (0x0)
    "NoToolbarsOnTaskbar "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoBandCustomize "=0 (0x0)
    "NoMovingBands "=0 (0x0)
    "NoCloseDragDropBands "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{BA2A2046-75A4-47C0-A09C-F0DCC706D39B} "= C:\WINDOWS\system32\khfFUKeF.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFUKeF]
    khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan




    -- End of Deckard's System Scanner: finished at 2008-07-07 13:35:07 ------------
     
    Last edited: 2008/07/06
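The orphaned entries in the HijackThis section above (BHOs and a Winlogon Notify hook whose DLLs are already gone, with the same DLL also listed under ShellExecuteHooks in the registry dump) are what a helper reads for by eye. The script below is an added example, not part of this thread or of HijackThis: it parses a handful of the thread's own log lines and flags missing files, unnamed or CLSID-named BHOs, the unrecognised LSP, and one DLL registered at several load points. Entry, Finding and the kind labels are the example's own names.

```python
"""Triage of HijackThis-style log lines. Added example, not from the thread or from
HijackThis; Entry, Finding and the kind labels are this example's own names."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis section of the DSS log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF23989.exe /c C:\ComboFix\Combobatch.bat
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MISSING = "(file missing)"

@dataclass
class Entry:
    section: str        # HijackThis section, e.g. O2 (BHO), O20 (Winlogon Notify)
    name: str           # display name as the tool shows it ("" if none)
    target: str         # file or command the load point points at
    file_missing: bool  # the tool could not find the file on disk

@dataclass(frozen=True)
class Finding:
    section: str
    file: str           # lower-cased basename, so the same DLL groups together
    kind: str
    note: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def program_of(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|bat|cmd|lnk|scr|sys))(?:\s|$)", cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def parse_line(line: str) -> Entry | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    _label, _, rest = body.partition(": ")
    if sec in ("O2", "O23"):          # "<name> - {CLSID} or <vendor> - <path>"
        parts = rest.rsplit(" - ", 2)
        name, target = parts[0], parts[-1]
    elif sec == "O20":                # "<name> - <dll>"
        name, _, target = rest.rpartition(" - ")
    elif sec == "O4":                 # "[<name>] <command line>"
        mm = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", rest)
        name = mm.group("name") if mm else ""
        target = program_of(mm.group("cmd") if mm else rest)
    else:
        name, target = "", rest
    return Entry(sec, name, target, missing)

def triage(log_text: str) -> list[Finding]:
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    findings: list[Finding] = []
    load_points: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        f = basename(e.target)
        if f:
            load_points[f].add(e.section)
        if e.file_missing:
            findings.append(Finding(e.section, f, "file_missing", "load point still registered but its file is gone"))
        if e.section == "O2" and e.name == "(no name)":
            findings.append(Finding(e.section, f, "no_name", "BHO registered without a display name"))
        if e.section == "O2" and GUID_RE.match(e.name):
            findings.append(Finding(e.section, f, "clsid_name", "BHO display name is a bare CLSID"))
        if e.section == "O10":
            findings.append(Finding(e.section, f, "unknown_lsp", "LSP not on the tool's known list; check the file's publisher"))
    # One file hooked at several load points (here a BHO plus Winlogon Notify; the
    # DSS registry dump above shows a ShellExecuteHooks entry for the same DLL too).
    for f, secs in sorted(load_points.items()):
        if len(secs) > 1:
            findings.append(Finding("+".join(sorted(secs)), f, "multi_hook", f"same file registered at {len(secs)} load points"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.section} {f.file}: {f.note}")
```

A "file missing" hit on its own only says the registry entry outlived the file; the multi_hook grouping is what singles out khfFUKeF.dll as the one worth the helper's attention.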
  16. 2008/07/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    No, let's not do that yet.

    Some infections will look for combofix and hamper it when you run it.

    So let's do this.

    Delete the combofix you have.

    Download a fresh copy of Combofix, and prior to saving it, rename it to FixCombo.exe, reboot into safe mode and run it. If it produces a log make sure you save it where you can find it and post it here.
    To Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Thanks
    Geri
     
  17. 2008/07/06
    Pippi

    Pippi Inactive Thread Starter

    Joined:
    2008/07/02
    Messages:
    51
    Likes Received:
    0
    I did as you described. No log was created. The computer rebooted. Nothing changed. I found this text file here: C:\FixCombo\ComboDel.txt

    ComboFix 08-07-05.1 - AW 2008-07-07 14:48:14.6 - NTFSx86 NETWORK
    Running from: C:\Documents and Settings\AW\Skrivebord\FixCombo.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
     
  18. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Pippi,

    The text files inside of the ComboFix or FixCombo folder are of no concern. If there is no log named combofix.txt located in the root of the drive, e.g. Local Disk C:, then we'll move on.

    Please create and post a fresh DSS log for review. Geri and I will be offline for a while, but one of us will post back with further instructions later on today.

    Also, please right click the C:\qoobox folder and select Send To>Compressed (Zipped) Folder
    It will create qoobox.zip in C:
    Please upload that zip file to my submission channel. Leave a link back to this topic. Thanks!
     
  19. 2008/07/06
    Pippi

    Pippi Inactive Thread Starter

    Joined:
    2008/07/02
    Messages:
    51
    Likes Received:
    0
    Deckard's System Scanner v20071014.68
    Run by AW on 2008-07-07 18:46:28
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as AW.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:46, on 2008-07-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\AW\Skrivebord\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\AW.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O4 - Startup: AOM.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send til &Bluetooth - C:\Programmer\WIDCOMM\Bluetooth-software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6928 bytes

    -- Files created between 2008-06-07 and 2008-07-07 -----------------------------

    2008-07-07 14:47:11 0 d-------- C:\FixCombo
    2008-07-05 17:12:25 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-07-05 16:59:21 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-05 16:59:21 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-05 16:59:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-05 16:59:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-05 16:59:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-05 16:59:21 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-05 16:59:21 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-05 16:59:21 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-03 20:09:58 0 d-------- C:\Programmer\Tweaking Toolbox XP 2
    2008-07-02 12:22:34 0 d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-07-02 10:38:46 0 dr-h----- C:\Documents and Settings\AW\Recent
    2008-07-02 09:47:04 0 d-------- C:\WINDOWS\pss
    2008-07-02 09:27:34 0 d--hs---- C:\WINDOWS\CSC
    2008-07-01 09:21:52 0 d-------- C:\Documents and Settings\AW\Application Data\Bitdefender
    2008-07-01 09:20:39 0 d-------- C:\Programmer\BitDefender
    2008-07-01 09:20:39 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-06-30 22:42:39 0 d-------- C:\Documents and Settings\AW\.housecall6.6
    2008-06-30 22:37:27 0 d-------- C:\Programmer\Trend Micro
    2008-06-30 16:33:20 0 d-------- C:\kav
    2008-06-30 11:06:49 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-06-30 09:57:43 0 d-------- C:\WINDOWS\BDOSCAN8
    2008-06-30 09:46:18 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer\BitDefender
    2008-06-28 23:59:03 0 d-------- C:\Documents and Settings\AW\Application Data\Viewpoint
    2008-06-28 17:58:50 0 d-------- C:\Documents and Settings\AW\Application Data\DivX
    2008-06-23 21:46:41 0 d-------- C:\Programmer\LimeWire
    2008-06-17 18:28:46 0 d-------- C:\Documents and Settings\AW\Application Data\Apple Computer
    2008-06-17 18:28:21 0 d-------- C:\Programmer\iPod
    2008-06-17 18:28:13 0 d-------- C:\Programmer\iTunes
    2008-06-17 18:27:56 0 d-------- C:\Programmer\Bonjour
    2008-06-17 18:26:59 0 d-------- C:\Programmer\QuickTime
    2008-06-17 18:26:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-17 18:26:31 0 d-------- C:\Programmer\Apple Software Update
    2008-06-17 18:26:22 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2008-06-17 18:25:58 0 d-------- C:\Programmer\Fælles filer\Apple
    2008-06-17 18:25:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-07 17:21:24 0 d--hs---- C:\found.000


    -- Find3M Report ---------------------------------------------------------------

    2008-07-06 09:26:36 0 d-------- C:\Programmer\Opera
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer
    2008-06-29 09:04:30 0 d-------- C:\Documents and Settings\AW\Application Data\Yahoo!
    2008-06-28 18:14:29 0 d-------- C:\Documents and Settings\AW\Application Data\LimeWire
    2008-06-27 16:04:41 0 d-------- C:\Documents and Settings\AW\Application Data\skypePM
    2008-06-27 16:04:31 0 d-------- C:\Documents and Settings\AW\Application Data\Skype
    2008-06-18 18:12:06 0 d-------- C:\Programmer\Fælles filer\Adobe
    2008-06-18 18:11:19 0 d-------- C:\Documents and Settings\AW\Application Data\Adobe
    2008-06-01 16:35:33 0 d--h----- C:\Programmer\InstallShield Installation Information
    2008-06-01 16:35:24 0 d-------- C:\Programmer\Teknowebwork LLC
    2008-06-01 15:12:28 486008 --a------ C:\WINDOWS\system32\perfh006.dat
    2008-06-01 15:12:28 100208 --a------ C:\WINDOWS\system32\perfc006.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f7130c8-15d8-49f6-942d-5d667a5a1179}]
    C:\WINDOWS\system32\qtlwvf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD}]
    C:\WINDOWS\system32\hgGxWnKC.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
    C:\WINDOWS\system32\khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="C:\WINDOWS\system32\CF16725.exe" [2004-08-26 17:53]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "combofix"=C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical"=00000000
    "NoLogoff"=0 (0x0)
    "NoToolbarsOnTaskbar"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoBandCustomize"=0 (0x0)
    "NoMovingBands"=0 (0x0)
    "NoCloseDragDropBands"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"=C:\WINDOWS\system32\khfFUKeF.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFUKeF]
    khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan




    -- End of Deckard's System Scanner: finished at 2008-07-07 18:47:15 ------------
     
  20. 2008/07/06
    Pippi

    Pippi Inactive Thread Starter

    Joined:
    2008/07/02
    Messages:
    51
    Likes Received:
    0
    I submitted the zip file as requested.
     
  21. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Delete the following files and folders.

    ComboFix.exe (FixCombo.exe)
    C:\ComboFix (if present)
    C:\FixCombo
    C:\qoobox and qoobox.zip (once you've submitted it)
    C:\WINDOWS\PSEXESVC.EXE
    C:\WINDOWS\fdsv.exe
    C:\WINDOWS\grep.exe
    C:\WINDOWS\sed.exe
    C:\WINDOWS\swreg.exe
    C:\WINDOWS\swsc.exe
    C:\WINDOWS\swxcacls.exe
    C:\WINDOWS\VFind.exe
    C:\WINDOWS\zip.exe


    Highlight and copy the contents of the code box below to a blank Notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"=-
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    
    
    Double click fix.reg and allow it to merge with the registry. You can now delete fix.reg


    Download and run the Active Desktop fix from Kellys-Korner, line 16 left column.
    Download and run the Restore Taskbar and Start Menu fix from Kellys-Korner, line 117 left column.


    Scan again with HijackThis and place a check next to the following entries.

    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)

    Close all other windows then click Fix Checked. Close HijackThis.

    Reboot and create a new HijackThis log then post it here. Let us know if there's any change.
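The removal step above is a procedure the helper does by hand: read the HijackThis O2/O4/O20 lines, decide which entries are orphaned (the registry still references a DLL that no longer exists on disk), and write a REGEDIT4 file that deletes exactly those keys and values. The script below is an added example written for this page, not code from the thread, from HijackThis or from Deckard's System Scanner. It parses the O2/O4/O20 lines quoted in the post (embedded as a constructed sample, together with one hypothetical healthy BHO whose name, CLSID and path are made up and which must survive) and emits the same kind of fix.reg. Only entries HijackThis marked "(file missing)" are selected automatically; O4 Run/RunOnce values are removed only when named explicitly, because a Run entry whose file is present is not evidence of malware on its own. The full registry paths behind the HijackThis abbreviations (Browser Helper Objects, Winlogon\Notify, Run/RunOnce) are the standard ones and are assumptions of the example, not something the post spells out.

```python
"""Turn HijackThis-style O2/O4/O20 lines into a REGEDIT4 removal script.

Added example, not part of the thread and not HijackThis's own code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample input: the O2/O4/O20 lines quoted in the post, plus one
# hypothetical healthy BHO (made-up name, CLSID and path) that must NOT be removed.
SAMPLE_LOG = r"""
O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Programmer\Example\helper.dll
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
"""

# Standard locations behind the HijackThis abbreviations (assumed, not from the post).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
RUN_ROOTS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}

RE_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RE_O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<sub>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_O20 = re.compile(
    r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<dll>.*?)(?P<missing> \(file missing\))?$")


@dataclass
class Entry:
    kind: str             # "O2", "O4" or "O20"
    key: str              # full registry key the entry lives under
    value: Optional[str]  # value name for O4; None when the key itself is the entry
    target: str           # DLL or command line the entry points at
    missing: bool         # HijackThis reported "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Extract BHO, Run/RunOnce and Winlogon Notify entries from log text."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_O2.match(line)
        if m:
            entries.append(Entry("O2", BHO_KEY + "\\" + m["clsid"], None,
                                 m["path"], bool(m["missing"])))
            continue
        m = RE_O4.match(line)
        if m:
            entries.append(Entry("O4", RUN_ROOTS[m["hive"]] + "\\" + m["sub"],
                                 m["name"], m["cmd"], False))
            continue
        m = RE_O20.match(line)
        if m:
            entries.append(Entry("O20", NOTIFY_KEY + "\\" + m["sub"], None,
                                 m["dll"], bool(m["missing"])))
    return entries


def select_for_removal(entries: Sequence[Entry], run_names: Sequence[str] = ()) -> List[Entry]:
    """Orphaned O2/O20 entries (DLL gone) plus O4 values explicitly named by the operator."""
    return [e for e in entries
            if (e.kind in ("O2", "O20") and e.missing)
            or (e.kind == "O4" and e.value in run_names)]


def to_regedit4(entries: Sequence[Entry]) -> str:
    """Render deletions in REGEDIT4 syntax: [-Key] drops a key, "name"=- drops a value."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        if e.value is None:
            lines.append("[-" + e.key + "]")
        else:
            lines.append("[" + e.key + "]")
            lines.append('"' + e.value + '"=-')
        lines.append("")
    return "\r\n".join(lines)   # regedit expects CRLF and a trailing blank line


if __name__ == "__main__":
    chosen = select_for_removal(parse_hjt(SAMPLE_LOG), run_names=("combofix",))
    print(to_regedit4(chosen))
```

Run it and redirect the output to fix.reg. The hypothetical healthy BHO is left alone because its DLL is present; a "(file missing)" BHO or Winlogon Notify entry is residue of a file that is already gone, but the registry still tries to load it at every logon and every IE start, so it goes. REGEDIT4 matches key and value names character for character, which is why the script builds the names from the parsed fields instead of retyping them: a stray character in a name means nothing is deleted and the merge silently does nothing.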
     
