
Virus from Limewire ... lost desktop and start menu

Discussion in 'Malware and Virus Removal Archive' started by Pippi, 2008/07/02.

  1. 2008/07/18
    Pippi

    Pippi Inactive Thread Starter

    Joined:
    2008/07/02
    Messages:
    51
    Likes Received:
    0
    I did as you outlined but the new My Computer that I made on the start menu still doesn't work.

    Nope.


    Nope.

    Yes.

    Yes

    Yes.
     
  2. 2008/07/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm ... paste the following command from the code box into a command window then hit enter.

    Code:
    
    
    regedit /a "%userprofile%\Skrivebord\startmenu.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu"
    
    
    Should create startmenu.txt on your desktop. Since it will be fairly large, rather than post it here, attach it to an email to me.
     


  4. 2008/07/20
    Pippi

    Done and sent.
     
  5. 2008/07/21
    noahdfear

    Registry key appears to be in order.
    Please browse to the following file

    C:\Windows\system32\shell32.dll

    Right click and select properties
    I'd like whatever information you can provide from the Version tab
     
  6. 2008/07/22
    Pippi

    Is this what you need?

    6.00.2900.5512 (xpsp.080413-2105)
     
  7. 2008/07/22
    noahdfear

    Download Dial-a-fix and Save it to your Desktop.
    • Right click on the Dial-a-fix zip and select Extract All
    • Once extracted, open the Dial-a-fix-v0.60.0.24 folder and run Dial-a-fix.exe
    • Click the hammer icon.
    • Scroll down under Tools and click Repair permissions
    • Click GO and then Run
    • Click Run again when prompted.
    • When it finishes, it will say Ready. at the bottom and the Go button will again be available.
    • Click Close
    • Check all of the boxes in section 5 labeled Registration Center
    • Click GO
    • When done, click Exit

    ** Should you get any error messages while running the tool, click the Log button (to the right of the hammer icon) before closing the tool, then Save it to your desktop.

    Restart the computer and see if the Start Menu shortcuts are working properly. If not, and if you saved a log from Dial-a-fix, post the log here please.
     
  8. 2008/07/23
    Pippi

    Ok, BIG problem ... I did the above and I now have NO access to the internet at all. I am on the computer at the library.

    I have tried to do a system restore but it just won't work for some reason. I click the Next button on System Restore and nothing happens.

    I'm really hoping you can advise what I should do to be able to gain internet access again as this is a LOT BIGGER problem than I had originally.

    I saved a Log of Dial a Fix:


    Notes about this log:
    1) "->" denotes an external command being executed, and "-> (number)" indicates
    the return code from the previous command
    2) Not all external command return codes are accurate, or useful
    3) Sometimes commands return 0 (no error) even when they fail or crash
    4) If an error occurs while registering an object, please send an email to:
    dial-a-fix@DjLizard.net and include a copy of this log

    DAF version: v0.60.0.24

    --- System info ---
    OS: Microsoft Windows XP Service Pack 3
    IE version: 7.0.5730.13
    MPC: 55860-OEM
    CPU: Intel(R) Pentium(R) M processor 1400MHz (~1400MHz)
    BIOS: 2003-11-17
    Memory (approx): 1279MB
    Uptime: 1 hour(s)
    Current directory: C:\Programmer\Opera\profile\cache4\temporary_download\Dial-a-fix-v0.60.0.24\Dial-a-fix-v0.60.0.24
    ---

    2008-07-23 23:54:29 -- Dial-a-fix : [v0.60.0.24] -- started
    23:54:29 | Policy scan started
    23:54:29 | Policy scan ended - no restrictive policies were found
    --- Repair permissions ---
    --- Registration: ActiveX controls/codecs ---
    00:02:09 | Registered: C:\WINDOWS\system32\acelpdec.ax
    00:02:09 | Registered: C:\WINDOWS\system32\actxprxy.dll
    00:02:09 | Registered: C:\WINDOWS\system32\asctrls.ocx
    00:02:09 | Registered: C:\WINDOWS\system32\daxctle.ocx
    00:02:09 | Registered: C:\WINDOWS\system32\hhctrl.ocx
    00:02:09 | Registered: C:\WINDOWS\system32\licmgr10.dll
    00:02:09 | Registered: C:\WINDOWS\system32\mpg4ds32.ax
    00:02:12 | Registered: C:\WINDOWS\system32\msdxm.ocx
    00:02:12 | Registered: C:\WINDOWS\system32\proctexe.ocx
    00:02:12 | Registered: C:\WINDOWS\system32\tdc.ocx
    00:02:13 | Registered: C:\WINDOWS\system32\wshom.ocx
    --- Registration: Control Panel applets ---
    00:02:15 | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
    00:02:15 | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
    00:02:15 | Registered: C:\WINDOWS\system32\nusrmgr.cpl
    --- Registration: Direct[X|Draw|Show|Media] ---
    00:02:15 | Registered: C:\WINDOWS\system32\quartz.dll
    00:02:17 | Registered: C:\WINDOWS\system32\danim.dll
    00:02:17 | Registered: C:\WINDOWS\system32\dmscript.dll
    00:02:17 | Registered: C:\WINDOWS\system32\dmstyle.dll
    00:02:17 | Registered: C:\WINDOWS\system32\dxmasf.dll
    00:02:17 | Registered: C:\WINDOWS\system32\dxtmsft.dll
    00:02:17 | Registered: C:\WINDOWS\system32\dxtrans.dll
    00:02:17 | Registered: C:\WINDOWS\system32\sbe.dll
    --- Registration: Programming cores/runtimes ---
    00:02:17 | Registered: C:\WINDOWS\system32\atl.dll
    00:02:18 | Registered: C:\WINDOWS\system32\corpol.dll
    00:02:18 | Registered: C:\WINDOWS\system32\jscript.dll
    00:02:18 | Registered: C:\WINDOWS\system32\dispex.dll
    00:02:18 | Registered: C:\WINDOWS\system32\scrrun.dll
    00:02:18 | Registered: C:\WINDOWS\system32\scrobj.dll
    00:02:18 | Registered: C:\WINDOWS\system32\vbscript.dll
    00:02:18 | Registered: C:\WINDOWS\system32\wshext.dll
    --- Registration: Explorer/IE/OE/shell/WMP ---
    00:02:19 | Registered: C:\WINDOWS\system32\activeds.dll
    00:02:19 | Registered: C:\WINDOWS\system32\audiodev.dll
    00:02:19 | Registered: C:\WINDOWS\system32\browsewm.dll
    00:02:19 | Registered: C:\WINDOWS\system32\cabview.dll
    00:02:19 | Registered: C:\WINDOWS\system32\cdfview.dll
    00:02:19 | Registered: C:\WINDOWS\system32\clbcatex.dll
    00:02:19 | Registered: C:\WINDOWS\system32\clbcatq.dll
    00:02:19 | Registered: C:\WINDOWS\system32\comcat.dll
    00:02:20 | Registered: C:\WINDOWS\system32\cscui.dll
    00:02:20 | Registered: C:\WINDOWS\system32\credui.dll
    00:02:20 | Registered: C:\WINDOWS\system32\datime.dll
    00:02:20 | Registered: C:\WINDOWS\system32\devmgr.dll
    00:02:20 | Registered: C:\WINDOWS\system32\dfsshlex.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dmdlgs.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dmdskmgr.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dmloader.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dmocx.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dmview.ocx
    00:02:21 | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dsuiext.dll
    00:02:21 | DllInstalled: C:\WINDOWS\system32\dsquery.dll
    00:02:21 | Registered: C:\WINDOWS\system32\dsquery.dll
    00:02:22 | Registered: C:\WINDOWS\system32\dskquoui.dll
    00:02:22 | Registered: C:\WINDOWS\system32\els.dll
    00:02:22 | Registered: C:\WINDOWS\system32\es.dll
    00:02:22 | Registered: C:\WINDOWS\system32\fontext.dll
    00:02:22 | Registered: C:\WINDOWS\system32\hlink.dll
    00:02:23 | Registered: C:\WINDOWS\system32\hnetcfg.dll
    00:02:23 | Registered: C:\WINDOWS\system32\iedkcs32.dll
    00:02:23 | Registered: C:\WINDOWS\system32\iepeers.dll
    00:02:23 | Registered: C:\WINDOWS\system32\ils.dll
    00:02:23 | Registered: C:\WINDOWS\system32\inetcfg.dll
    00:02:24 | Registered: C:\WINDOWS\system32\inetcomm.dll
    00:02:24 | Registered: C:\WINDOWS\system32\laprxy.dll
    00:02:25 | Registered: C:\WINDOWS\system32\lmrt.dll
    00:02:25 | Registered: C:\WINDOWS\system32\mlang.dll
    00:02:26 | Registered: C:\WINDOWS\system32\mmcndmgr.dll
    00:02:26 | Registered: C:\WINDOWS\system32\mmcshext.dll
    00:02:27 | Registered: C:\WINDOWS\system32\mscoree.dll
    00:02:27 | Registered: C:\WINDOWS\system32\mshtmled.dll
    00:02:28 | Registered: C:\WINDOWS\system32\msoeacct.dll
    00:02:28 | Registered: C:\WINDOWS\system32\msr2c.dll
    00:02:28 | DllInstalled: C:\WINDOWS\system32\mydocs.dll
    00:02:28 | Registered: C:\WINDOWS\system32\mydocs.dll
    00:02:28 | Registered: C:\WINDOWS\system32\mstime.dll
    00:02:28 | Registered: C:\WINDOWS\system32\netcfgx.dll
    00:02:28 | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
    00:02:28 | Registered: C:\WINDOWS\system32\netplwiz.dll
    00:02:29 | Registered: C:\WINDOWS\system32\netman.dll
    00:02:29 | Registered: C:\WINDOWS\system32\netshell.dll
    00:02:29 | Registered: C:\WINDOWS\system32\ntmsevt.dll
    00:02:29 | Registered: C:\WINDOWS\system32\ntmsmgr.dll
    00:02:30 | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
    00:02:30 | Registered: C:\WINDOWS\system32\ntmssvc.dll
    00:02:30 | DllInstalled: C:\WINDOWS\system32\occache.dll
    00:02:30 | Registered: C:\WINDOWS\system32\occache.dll
    00:02:30 | Registered: C:\WINDOWS\system32\ole32.dll
    00:02:30 | Registered: C:\WINDOWS\system32\oleaut32.dll
    00:02:30 | Registered: C:\WINDOWS\system32\oleacc.dll
    00:02:30 | Registered: C:\WINDOWS\system32\olepro32.dll
    00:02:30 | DllInstalled: C:\WINDOWS\system32\photowiz.dll
    00:02:31 | Registered: C:\WINDOWS\system32\photowiz.dll
    00:02:31 | Registered: C:\WINDOWS\system32\remotepg.dll
    00:02:31 | Registered: C:\WINDOWS\system32\rpcrt4.dll
    00:02:31 | Registered: C:\WINDOWS\system32\rshx32.dll
    00:02:31 | Registered: C:\WINDOWS\system32\sendmail.dll
    00:02:31 | Registered: C:\WINDOWS\system32\slayerxp.dll
    00:02:31 | Registered: C:\WINDOWS\system32\shell32.dll
    00:02:40 | DllInstalled: C:\WINDOWS\system32\shell32.dll
    00:02:40 | Registered: C:\WINDOWS\system32\shmedia.dll
    00:02:41 | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
    00:02:41 | Registered: C:\WINDOWS\system32\shimgvw.dll
    00:02:41 | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
    00:02:41 | Registered: C:\WINDOWS\system32\shsvcs.dll
    00:02:42 | Registered: C:\WINDOWS\system32\srclient.dll
    00:02:42 | Unregistered: C:\WINDOWS\system32\stobject.dll
    00:02:42 | Registered: C:\WINDOWS\system32\stobject.dll
    00:02:42 | Registered: C:\WINDOWS\system32\twext.dll
    00:02:43 | DllInstalled: C:\WINDOWS\system32\urlmon.dll
    00:02:43 | Registered: C:\WINDOWS\system32\urlmon.dll
    00:02:43 | Registered: C:\WINDOWS\system32\userenv.dll
    00:02:43 | Registered: C:\WINDOWS\system32\winhttp.dll
    00:02:43 | DllInstalled: C:\WINDOWS\system32\wininet.dll
    00:02:43 | Registered: C:\WINDOWS\system32\zipfldr.dll
    00:02:43 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdadc.dll
    00:02:43 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaenum.dll
    00:02:43 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaer.dll
    00:02:44 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaipp.dll
    00:02:44 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaora.dll
    00:02:44 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaosp.dll
    00:02:44 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaps.dll
    00:02:45 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdasc.dll
    00:02:45 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdasql.dll
    00:02:45 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdatt.dll
    00:02:45 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdaurl.dll
    00:02:46 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdmeng.dll
    00:02:46 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msdmine.dll
    00:02:46 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msmdcb80.dll
    00:02:47 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msmdgd80.dll
    00:02:48 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msolap80.dll
    00:02:48 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msolui80.dll
    00:02:48 | Registered: C:\Programmer\Fælles filer\system\Ole DB\msxactps.dll
    00:02:48 | Registered: C:\Programmer\Fælles filer\system\Ole DB\oledb32.dll
    00:02:48 | Registered: C:\Programmer\Fælles filer\system\Ole DB\oledb32r.dll
    00:02:49 | Registered: C:\Programmer\Fælles filer\system\Ole DB\sqloledb.dll
    00:02:49 | Registered: C:\Programmer\Fælles filer\system\Ole DB\sqlxmlx.dll
     
  9. 2008/07/23
    noahdfear

    Oh no! That should not have happened!

    Open Dial-a-fix up again and click the hammer icon.
    Select Reset Network Interfaces then click Go.
    Exit when complete.

    If access is not restored, reboot and check it again.
     
  10. 2008/07/23
    Pippi

    That didn't help. I still can't get online. It seems there's a TCP/IP problem, that's what I gather from the error messages anyway. Since the messages show up in Danish I'm having a bit of a problem completely understanding them.
     
  11. 2008/07/23
    noahdfear

    If there's any way you can download a file and get it to your pc, download Winsock XP Fix. Copy it to your desktop. Close all open programs and connections. Run Winsock XP Fix and select Fix. Reboot.

    If that does not cure the problem, or you are otherwise unable to get the file, let's see if restoring a backup will help.

    Navigate to C:\Windows\ERDNT\sUBs and double click Erdnt.exe
    Reboot when complete and see if it's fixed.
     
  12. 2008/07/23
    Pippi


    Okay ... PHEW! The second part worked. Thank you!
     
  13. 2008/07/23
    noahdfear

    Whew! is right. I'm very puzzled and surprised that Dial-a-fix broke your connection though. :confused:

    The registry backup you just restored might contain some bad guys, so please do a scan with dss and post the log here.

    Don't suppose the Start Menu just happens to be working now? :rolleyes:
     
  14. 2008/07/23
    Pippi

    WOW!!! Amazingly the Start Menu is now working fine! So, was this just your roundabout way of fixing it? :p

    I will run a DSS scan now.
     
  15. 2008/07/23
    noahdfear

    ROFL! :D

    Good to hear it's working. My intention was for it to be working without the loss of your internet, and a subsequent emergency restore operation. :rolleyes:
    Big thank you goes to sUBs, the author of ComboFix, for packing Erunt registry backups into his tool. :)
     
  16. 2008/07/23
    Pippi

    Here's the dss log

    Deckard's System Scanner v20071014.68
    Run by AW on 2008-07-24 22:42:45
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as AW.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:42:53 PM, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Documents and Settings\AW\Skrivebord\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\AW.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O4 - Global Startup: ARSA.lnk = ?
    O4 - Global Startup: opera.lnk = C:\Programmer\Opera\opera.exe
    O4 - Global Startup: seccenter.lnk = C:\Programmer\BitDefender\BitDefender 2008\seccenter.exe
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe (file missing)
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6879 bytes

    -- Files created between 2008-06-24 and 2008-07-24 -----------------------------

    2008-07-24 22:42:39 0 d-------- C:\Programmer\Trend Micro
    2008-07-24 16:28:49 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-07-24 10:35:20 0 dr-h----- C:\Documents and Settings\AW\Recent
    2008-07-24 00:05:10 88096 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-07-23 23:27:02 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    2008-07-23 23:26:06 0 d-------- C:\WINDOWS\system32\ZoneLabs
    2008-07-23 15:29:05 0 d-------- C:\Documents and Settings\AW\Application Data\DeepBurner
    2008-07-23 15:28:47 0 d-------- C:\Programmer\Astonsoft
    2008-07-22 20:36:56 0 d-------- C:\Documents and Settings\AW\Application Data\FastStone
    2008-07-22 20:36:41 0 d-------- C:\Programmer\FastStone Image Viewer
    2008-07-18 20:51:59 0 d-------- C:\Programmer\Photo Story 3 for Windows
    2008-07-18 20:38:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Anvsoft
    2008-07-09 22:16:39 0 d-------- C:\WINDOWS\Prefetch
    2008-07-09 21:51:01 0 d-------- C:\WINDOWS\system32\da-dk
    2008-07-09 21:51:00 0 d-------- C:\WINDOWS\system32\da
    2008-07-09 21:51:00 0 d-------- C:\WINDOWS\l2schemas
    2008-07-09 21:43:48 0 d-------- C:\WINDOWS\network diagnostic
    2008-07-03 20:09:58 0 d-------- C:\Programmer\Tweaking Toolbox XP 2
    2008-07-02 09:47:04 0 d-------- C:\WINDOWS\pss
    2008-07-02 09:27:34 0 d--hs---- C:\WINDOWS\CSC
    2008-07-01 09:21:52 0 d-------- C:\Documents and Settings\AW\Application Data\Bitdefender
    2008-07-01 09:20:39 0 d-------- C:\Programmer\BitDefender
    2008-07-01 09:20:39 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-06-30 22:42:39 0 d-------- C:\Documents and Settings\AW\.housecall6.6
    2008-06-30 16:33:20 0 d-------- C:\kav
    2008-06-30 11:06:49 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-06-30 09:57:43 0 d-------- C:\WINDOWS\BDOSCAN8
    2008-06-30 09:46:18 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer\BitDefender
    2008-06-28 23:59:03 0 d-------- C:\Documents and Settings\AW\Application Data\Viewpoint
    2008-06-28 17:58:50 0 d-------- C:\Documents and Settings\AW\Application Data\DivX


    -- Find3M Report ---------------------------------------------------------------

    2008-07-24 20:19:38 486858 --a------ C:\WINDOWS\system32\perfh006.dat
    2008-07-24 20:19:38 100716 --a------ C:\WINDOWS\system32\perfc006.dat
    2008-07-24 00:05:08 0 d-------- C:\Programmer\Apple Software Update
    2008-07-23 22:07:27 0 d-------- C:\Programmer\RecordNow!
    2008-07-23 22:07:26 0 d-------- C:\Programmer\Fælles filer
    2008-07-23 21:49:15 0 d-------- C:\Documents and Settings\AW\Application Data\Skype
    2008-07-23 21:35:58 0 d-------- C:\Documents and Settings\AW\Application Data\skypePM
    2008-07-17 09:11:09 0 d-------- C:\Programmer\Fælles filer\Adobe
    2008-07-09 21:51:21 0 d-------- C:\Programmer\Messenger
    2008-07-09 21:50:59 0 d-------- C:\Programmer\Movie Maker
    2008-07-09 21:46:57 0 d-------- C:\Programmer\Windows NT
    2008-07-06 09:26:36 0 d-------- C:\Programmer\Opera
    2008-06-29 09:04:30 0 d-------- C:\Documents and Settings\AW\Application Data\Yahoo!
    2008-06-28 18:14:29 0 d-------- C:\Documents and Settings\AW\Application Data\LimeWire
    2008-06-27 20:13:43 0 d-------- C:\Documents and Settings\AW\Application Data\Apple Computer
    2008-06-23 21:47:02 0 d-------- C:\Programmer\LimeWire
    2008-06-18 18:11:19 0 d-------- C:\Documents and Settings\AW\Application Data\Adobe
    2008-06-17 18:28:38 0 d-------- C:\Programmer\iTunes
    2008-06-17 18:28:21 0 d-------- C:\Programmer\iPod
    2008-06-17 18:27:56 0 d-------- C:\Programmer\Bonjour
    2008-06-17 18:27:45 0 d-------- C:\Programmer\QuickTime
    2008-06-17 18:25:58 0 d-------- C:\Programmer\Fælles filer\Apple
    2008-06-01 16:35:33 0 d--h----- C:\Programmer\InstallShield Installation Information
    2008-06-01 16:35:24 0 d-------- C:\Programmer\Teknowebwork LLC


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f7130c8-15d8-49f6-942d-5d667a5a1179}]
    C:\WINDOWS\system32\qtlwvf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD}]
    C:\WINDOWS\system32\hgGxWnKC.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
    C:\WINDOWS\system32\khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix "= "C:\WINDOWS\system32\CF16725.exe" [08/26/2004 05:53 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical "=00000000
    "NoLogoff "=0 (0x0)
    "NoToolbarsOnTaskbar "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoBandCustomize "=0 (0x0)
    "NoMovingBands "=0 (0x0)
    "NoCloseDragDropBands "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoActiveDesktop "=0 (0x0)
    "NoSaveSettings "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{BA2A2046-75A4-47C0-A09C-F0DCC706D39B} "= C:\WINDOWS\system32\khfFUKeF.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFUKeF]
    khfFUKeF.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan




    -- End of Deckard's System Scanner: finished at 2008-07-24 22:43:22 ------------
     
  17. 2008/07/23
    noahdfear

    Scan with HijackThis and place a check next to the following entries.

    O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
    O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
    O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O4 - Global Startup: ARSA.lnk = ?
    O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)

    Now click Fix Checked and exit when it completes.


    Highlight and copy the contents of the code box below.
    Code:
    rem Remove the leftover ShellExecuteHooks value that still references khfFUKeF.dll
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" /v {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.


    Restart and create a new HijackThis log, then post it here.
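
An added example, not part of the original post or of any tool named in this thread: a small Python triage of HijackThis O-lines that flags entries whose target file is missing, BHOs with no class name, and startup shortcuts with an unresolved target, and notes when the same missing module is referenced from more than one load point. The sample lines are copied from the DSS log above; the function names and reason strings are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input: lines copied from the DSS/HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {9711a5a7-66d5-d249-6f94-8d518c0317f0} - {0f7130c8-15d8-49f6-942d-5d667a5a1179} - C:\WINDOWS\system32\qtlwvf.dll (file missing)
O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\WINDOWS\system32\khfFUKeF.dll (file missing)
O4 - Global Startup: ARSA.lnk = ?
O4 - Global Startup: opera.lnk = C:\Programmer\Opera\opera.exe
O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First file name ending in .dll/.exe, with or without a directory in front.
MODULE_RE = re.compile(r"([^\\\s]+\.(?:dll|exe))", re.IGNORECASE)
BHO_NAME_RE = re.compile(r"^BHO: (?P<name>.+?) - \{")


@dataclass
class Entry:
    code: str        # HijackThis section, e.g. "O2"
    body: str        # text after "Oxx - "
    module: str      # lower-cased file name, "" when the line names none
    missing: bool    # line ends with "(file missing)"
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Turn HijackThis lines into Entry records; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        mod = MODULE_RE.search(body)
        entries.append(Entry(code=m.group("code"), body=body,
                             module=mod.group(1).lower() if mod else "",
                             missing=body.endswith("(file missing)")))
    return entries


def triage(text):
    """Return flagged entries, most reasons first."""
    entries = parse_log(text)

    # For every module whose file is gone, collect the sections that load it.
    load_points = defaultdict(set)
    for e in entries:
        if e.missing and e.module:
            load_points[e.module].add(e.code)

    for e in entries:
        if e.missing:
            e.reasons.append("target file missing")
        if e.code == "O2":
            name = BHO_NAME_RE.match(e.body)
            if name and (name.group("name") == "(no name)"
                         or name.group("name").startswith("{")):
                e.reasons.append("BHO has no class name")
        if e.body.endswith("= ?"):
            e.reasons.append("startup target unresolved")
        others = load_points.get(e.module, set()) - {e.code}
        if others:
            e.reasons.append("also referenced from " + ", ".join(sorted(others)))

    flagged = [e for e in entries if e.reasons]
    return sorted(flagged, key=lambda e: -len(e.reasons))


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.code:<4}{entry.module or '(none)':<16}{'; '.join(entry.reasons)}")
```

The reasons are for ranking, not a verdict: the Bluetooth service line is flagged only for a missing file and is not among the entries selected in the post above.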
     
  18. 2008/07/23
    Pippi

    New HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:49 PM, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmer\Opera\opera.exe
    C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
    O4 - Global Startup: opera.lnk = C:\Programmer\Opera\opera.exe
    O4 - Global Startup: seccenter.lnk = C:\Programmer\BitDefender\BitDefender 2008\seccenter.exe
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe (file missing)
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6287 bytes
     
  19. 2008/07/23
    noahdfear

    Missed one.

    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat

    Fix that and run a new scan. Let me know if it's gone.

    OK Pippi, it's been a long haul. How's your computer behaving now? Feel free to browse around a bit (day or so if you want) before making a determination.

    You should probably re-install Service Pack 3
    The registry backup we applied earlier was made prior to SP3 being installed.
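
The check done by eye in post 19, comparing the fix list from post 17 with the follow-up log in post 18, as an added Python example that is not part of the original thread. The function names are assumptions; the sample lines are copied from the posts above.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4"
    text: str  # everything after "CODE - "

# Section lines look like "O4 - HKLM\..\Run: [name] path". Header lines, the
# process list and the "End of file" trailer do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the section entries of a HijackThis log, in order."""
    matches = map(ENTRY_RE.match, log_text.splitlines())
    return [Entry(m.group(1), m.group(2)) for m in matches if m]

def _key(entry):
    # Compare lower-cased with whitespace collapsed (paths are case-insensitive).
    return entry.code, " ".join(entry.text.lower().split())

def still_present(fix_list, new_log):
    """Entries from the fix list that survive in the follow-up log."""
    remaining = {_key(e) for e in parse_entries(new_log)}
    return [e for e in parse_entries(fix_list) if _key(e) in remaining]

def file_missing(log_text):
    """Entries marked '(file missing)': references whose target is gone."""
    return [e for e in parse_entries(log_text) if e.text.endswith("(file missing)")]

# Three of the entries post 17 asked to be fixed (copied from the thread).
FIX_LIST = r"""
O2 - BHO: (no name) - {8B5A3E2B-27E4-4346-8428-0DC6DE87F2AD} - C:\WINDOWS\system32\hgGxWnKC.dll (file missing)
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
O20 - Winlogon Notify: khfFUKeF - khfFUKeF.dll (file missing)
"""

# Excerpt of the follow-up log in post 18 (copied from the thread).
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF16725.exe /c C:\FixCombo\Combobatch.bat
O4 - Global Startup: opera.lnk = C:\Programmer\Opera\opera.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe (file missing)
End of file - 6287 bytes
"""

if __name__ == "__main__":
    for e in still_present(FIX_LIST, NEW_LOG) + file_missing(NEW_LOG):
        print(e.code, "-", e.text)
```

Run against the full logs, `still_present` reports only the entries that were checked for fixing but reappear after the restart, which is the comparison a helper otherwise repeats by hand after every fix round.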
     
  20. 2008/07/24
    Pippi

    Okay, I guess I just missed that one ... it's gone now.

    I will let you know how the laptop is working after using it a bit.

    I do have another question though. Before all this happened I had ARSA and Bitdefender as Startups and showing down in the right hand icon tray. They are no longer there when I reboot. How can I fix that?
     
  21. 2008/07/24
    noahdfear

    Highlight and copy the contents of the code box below.

    Code:
    
    
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "BitDefender Antiphishing Helper" /t REG_SZ /d "\"C:\Programmer\BitDefender\BitDefender 2008\IEShow.exe\"" /f
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v BDAgent /t REG_SZ /d "\"C:\Programmer\BitDefender\BitDefender 2008\bdagent.exe\"" /f
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v AGRSMMSG /t REG_SZ /d AGRSMMSG.exe /f
    reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ARSA /t REG_SZ /d "\"C:\Programmer\AnswersThatWork\A Really Small App\A_Really_Small_App.exe\" -startup" /f
    exit
    cls
    
    Click Start>Run and type cmd then hit Enter to open a command window.
    Right click and Paste the copied text into the command window.
    The command window will close on its own.
    Restart the computer and let me know the results.
     
