
Virus from Limewire ... lost desktop and start menu

Discussion in 'Malware and Virus Removal Archive' started by Pippi, 2008/07/02.

  1. 2008/07/06
    noahdfear
    Thanks for the submission! For the record (and so Geri knows), here's a list of the items (rogue) removed by ComboFix.

    Files
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\
    C:\WINDOWS\system32\CKnWxGgh.ini
    C:\WINDOWS\system32\CKnWxGgh.ini2
    C:\WINDOWS\system32\cnljkjsd.ini
    C:\WINDOWS\system32\dsjkjlnc.dll
    C:\WINDOWS\system32\ejyyqhvo.dll
    C:\WINDOWS\system32\eWebControl.dll
    C:\WINDOWS\system32\hgGxWnKC.dll
    C:\WINDOWS\system32\hwtddw.dll
    C:\WINDOWS\system32\khfFUKeF.dll
    C:\WINDOWS\system32\lxwpemcr.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nhalhlwm.ini
    C:\WINDOWS\system32\qtlwvf.dll
    C:\WINDOWS\system32\srdevljt.dll
    C:\WINDOWS\system32\tjlvedrs.ini
    C:\WINDOWS\system32\vtyffbih.dll

    Services
    Legacy_IPRIP
    Service_Iprip
     
  2. 2008/07/06
    Pippi

  4. 2008/07/06
    noahdfear
    Sorry :(

    You can do one of two things:

    1. Open Task Manager and click File>New Task (Run), then type notepad and hit enter. Paste the text, save it to the desktop, then use Task Manager to run the .reg file.

    2. Use Task Manager and type cmd, then hit enter to open a command window, then paste the contents of the code box below. The command window will close on its own.

    Code:
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" /v {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} /f
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC" /f
    exit
    cls
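The two reg delete lines in the post above clear one ShellExecuteHooks CLSID and one SafeBoot\Minimal entry. The following PowerShell script is an added example, not something from this thread or from the helper's tools: it enumerates everything under those two keys and reports what each entry resolves to (the DLL behind a hook CLSID, the service behind a Safe Mode entry, and whether that file exists and carries a signature), so you can judge an entry before deleting it. It assumes Windows PowerShell 2.0 or later and read access to HKLM; the key paths are the ones from the post, while the function names and output columns are my own.

```powershell
# Added example (not from the thread): audit the two persistence points the
# reg delete lines above touch, without deleting anything.
# Assumes Windows PowerShell 2.0 or later and read access to HKLM.

$hooksKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ClsidServer {
    # Map a CLSID to the DLL registered as its InprocServer32 (HKLM first, then HKCU).
    param([string]$Clsid)
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $server = Join-Path $hive "SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty -Path $server).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-ShellExecuteHookReport {
    # Every value name under ShellExecuteHooks is a CLSID that Explorer loads into
    # its own process on each ShellExecute call, which is why the post removed one.
    if (-not (Test-Path $hooksKey)) { return @() }
    $key = Get-Item -Path $hooksKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $dll = Resolve-ClsidServer $name
        if (-not $dll) {
            $status = 'no InprocServer32 registered (orphaned hook)'
        } elseif (-not (Test-Path $dll)) {
            $status = 'DLL missing on disk'
        } else {
            $status = 'present, signature: ' + (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        New-Object PSObject -Property @{ Clsid = $name; Dll = $dll; Status = $status }
    }
}

function Get-SafeBootMinimalReport {
    # Subkeys here are allowed to start in Safe Mode. Expected entries are drivers,
    # core services and the AV product; the post deleted a PSEXESVC entry.
    if (-not (Test-Path $safeBootKey)) { return @() }
    foreach ($sub in Get-ChildItem -Path $safeBootKey) {
        $svc = Get-ItemProperty -Path (Join-Path $servicesKey $sub.PSChildName) -ErrorAction SilentlyContinue
        if ($svc -and $svc.ImagePath) { $image = $svc.ImagePath } else { $image = '(no matching service)' }
        New-Object PSObject -Property @{
            Entry   = $sub.PSChildName
            Type    = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            Service = $image
        }
    }
}

Get-ShellExecuteHookReport | Format-Table Clsid, Status, Dll -AutoSize
Get-SafeBootMinimalReport  | Format-Table Entry, Type, Service -AutoSize
```

On XP-era systems Get-AuthenticodeSignature does not consult the catalog signatures that cover OS files, so NotSigned there only means the file carries no embedded signature. The stronger tell is a hook whose DLL sits in system32 under a random eight-letter name, like the hgGxWnKC.dll and khfFUKeF.dll entries ComboFix removed in the first post.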
     
  5. 2008/07/06
    Pippi
    Ok, I figured out how to get to notepad.


    I did all the rest and below is the HJT log. No change occurred after reboot.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:14, on 2008-07-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmer\Opera\opera.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - Startup: AOM.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send til &Bluetooth - C:\Programmer\WIDCOMM\Bluetooth-software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6377 bytes
     
  6. 2008/07/06
    noahdfear
    Please open Task Manager>File>New Task and type explorer then hit enter.
    Let me know what happens.
     
  7. 2008/07/06
    Geri
    Hi Pippi

    Let's get an uninstall list and an online scan.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.

    Now an online scan.

    Scanning with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Please post the Kaspersky results along with the uninstall list.

    Thanks
    Geri
     
  8. 2008/07/06
    Pippi
    Okay, well my laptop is from Denmark so the alert I get is in Danish. But basically it says Windows cannot find explorer. Make sure you have typed the name correctly and try again. If you are looking for a file you should click on start and then Search.
     
  9. 2008/07/06
    noahdfear
    This time, New Task then click Browse
    Navigate to C:\Windows and look for explorer.exe
    If you find it, select it then click OK and tell me if your desktop/taskbar appear

    If not present in C:\Windows, navigate to C:\Windows\system32\dllcache and locate it there
    Once located, right click on it and select Copy, then go back to C:\Windows and right click in the Browse dialog then Paste
    Now select the copy in C:\Windows and see if it starts

    If all of the above fails, do you have a Windows cd?
     
  10. 2008/07/06
    Pippi
    Thank you so much!!! The copy and paste from dllcache worked! I appreciate all the help!
     
  11. 2008/07/06
    noahdfear
    Now we need to check a registry key to make sure explorer will run at logon. Please click Start>Run and type cmd then hit enter to open a command window. Highlight and copy the contents of the code box below, then right click and paste it into the command window.

    Code:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | findstr "Shell" > "%userprofile%\desktop\winlgn.txt"
    start notepad "%userprofile%\desktop\winlgn.txt"
    exit
    cls
    
    The command window will close on its own and a text file will open. Post the results of that text here. The text file will be located on the desktop (winlgn.txt) and can be deleted.
     
  12. 2008/07/06
    Pippi
    The text file is empty and the alert I get says it can't be found.
     
  13. 2008/07/06
    noahdfear
    Well that's not good. Please see if you have the file C:\Windows\System32\reg.exe

    I would also like you to click Start>Run and type regedit then hit enter. Let me know if the registry editor opens.
     
  14. 2008/07/06
    Pippi
    Nope.

    Yes.
     
  15. 2008/07/07
    noahdfear
    regedit - good :)
    reg.exe missing - not good :(

    Please see if there's a copy of reg.exe in the system32\dllcache folder, and if there is, copy it to system32.
    Then repeat the command window procedure above.
     
  16. 2008/07/07
    Pippi
    Every time I try to open My Computer or My Documents or any folder on the Desktop I am brought to the Search for files and folders.

    When I go to Run and enter Regedit I get to Registry Editor with HKEY folders. Before I would get to a black screen where I could enter the code you gave me.

    I have rebooted and still have my Desktop and Start menu though.

    I'm confused.
    :confused:
     
  17. 2008/07/07
    noahdfear
    Copy the contents of the code box below then paste it into a command window.

    Code:
    if exist %systemroot%\system32\dllcache\reg.exe copy %systemroot%\system32\dllcache\reg.exe %systemroot%\system32 && reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | findstr "Shell" > "%userprofile%\desktop\winlgn.txt"
    start notepad "%userprofile%\desktop\winlgn.txt"
    exit
    cls
    If reg.exe is present in the dllcache, it will be copied to the system32 folder and the registry query will be executed, then the notepad file will open.

    See if this fixes the My Computer problem. Copy the command below, click Start>Run and paste it in, then hit Enter.

    regsvr32 /i shell32.dll
     
  18. 2008/07/07
    Pippi
    Notepad opens but I get the message that the file cannot be found.

    That does seem to fix it. It appears I now have folders in the right places, though no text files.
     
  19. 2008/07/07
    noahdfear
    Please paste the contents of the code box below into a command window then post the resulting log (that should open).

    Code:
    @echo off
    dir %Systemdrive%\reg.exe /a h /s > check.txt
    start notepad check.txt
    exit
    cls
    
    I would also like for you to run dss.exe again and post the main.txt log that opens.

    Is it possible that the text files are indeed there, but don't look like text files (the name is right but the icon isn't)?
     
  20. 2008/07/07
    Pippi

    Code:
    @echo off
    dir %Systemdrive%\reg.exe /a h /s > check.txt
    start notepad check.txt
    exit
    cls
    
    Volume in drive C has no label.
    Volume Serial Number is 741B-B249

    Contents of C:\WINDOWS\$NtServicePackUninstall$

    2003-04-25 12:00 52,224 reg.exe
    1 file(s) 52,224 bytes

    Contents of C:\WINDOWS\ServicePackFiles\i386

    2004-08-26 17:53 54,272 reg.exe
    1 file(s) 54,272 bytes

    Contents of C:\WINDOWS\SoftwareDistribution\Download\356d46e859f782675d397bcca10ab892

    2008-04-14 09:05 54,272 reg.exe
    1 file(s) 54,272 bytes

    Contents of C:\WINDOWS\system32

    2004-08-26 17:53 54,272 reg.exe
    1 file(s) 54,272 bytes


    Deckard's System Scanner v20071014.68
    Run by AW on 2008-07-08 18:58:26
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as AW.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:58, on 2008-07-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Programmer\Opera\opera.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Documents and Settings\AW\Skrivebord\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\AW.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programmer\BitDefender\BitDefender 2008\IEToolbar.dll
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://o.aolcdn.com/pictures/ap/Resources/2.0.5.78/cab/aolpPlugins.10.5.0.4.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147204693517
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166232462731
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://plugin.driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D21389F-D13F-418B-9E1C-0BE1A05BA6BD}: NameServer = 10.2.2.10,10.2.2.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
    O23 - Service: aawservice - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
    O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programmer\Fælles filer\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programmer\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programmer\Fælles filer\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 5849 bytes

    -- Files created between 2008-06-08 and 2008-07-08 -----------------------------

    2008-07-08 11:59:34 0 dr-h----- C:\Documents and Settings\AW\Recent
    2008-07-03 20:09:58 0 d-------- C:\Programmer\Tweaking Toolbox XP 2
    2008-07-02 12:22:34 0 d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-07-02 09:47:04 0 d-------- C:\WINDOWS\pss
    2008-07-02 09:27:34 0 d--hs---- C:\WINDOWS\CSC
    2008-07-01 09:21:52 0 d-------- C:\Documents and Settings\AW\Application Data\Bitdefender
    2008-07-01 09:20:39 0 d-------- C:\Programmer\BitDefender
    2008-07-01 09:20:39 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-06-30 22:42:39 0 d-------- C:\Documents and Settings\AW\.housecall6.6
    2008-06-30 22:37:27 0 d-------- C:\Programmer\Trend Micro
    2008-06-30 16:33:20 0 d-------- C:\kav
    2008-06-30 11:06:49 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-06-30 09:57:43 0 d-------- C:\WINDOWS\BDOSCAN8
    2008-06-30 09:46:18 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer\BitDefender
    2008-06-28 23:59:03 0 d-------- C:\Documents and Settings\AW\Application Data\Viewpoint
    2008-06-28 17:58:50 0 d-------- C:\Documents and Settings\AW\Application Data\DivX
    2008-06-23 21:46:41 0 d-------- C:\Programmer\LimeWire
    2008-06-17 18:28:46 0 d-------- C:\Documents and Settings\AW\Application Data\Apple Computer
    2008-06-17 18:28:21 0 d-------- C:\Programmer\iPod
    2008-06-17 18:28:13 0 d-------- C:\Programmer\iTunes
    2008-06-17 18:27:56 0 d-------- C:\Programmer\Bonjour
    2008-06-17 18:26:59 0 d-------- C:\Programmer\QuickTime
    2008-06-17 18:26:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-17 18:26:31 0 d-------- C:\Programmer\Apple Software Update
    2008-06-17 18:26:22 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2008-06-17 18:25:58 0 d-------- C:\Programmer\Fælles filer\Apple
    2008-06-17 18:25:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


    -- Find3M Report ---------------------------------------------------------------

    2008-07-08 18:58:05 0 d-------- C:\Documents and Settings\AW\Application Data\Skype
    2008-07-08 16:06:47 0 d-------- C:\Documents and Settings\AW\Application Data\skypePM
    2008-07-06 09:26:36 0 d-------- C:\Programmer\Opera
    2008-06-29 20:50:14 0 d-------- C:\Programmer\Fælles filer
    2008-06-29 09:04:30 0 d-------- C:\Documents and Settings\AW\Application Data\Yahoo!
    2008-06-28 18:14:29 0 d-------- C:\Documents and Settings\AW\Application Data\LimeWire
    2008-06-18 18:12:06 0 d-------- C:\Programmer\Fælles filer\Adobe
    2008-06-18 18:11:19 0 d-------- C:\Documents and Settings\AW\Application Data\Adobe
    2008-06-01 16:35:33 0 d--h----- C:\Programmer\InstallShield Installation Information
    2008-06-01 16:35:24 0 d-------- C:\Programmer\Teknowebwork LLC
    2008-06-01 15:12:28 486008 --a------ C:\WINDOWS\system32\perfh006.dat
    2008-06-01 15:12:28 100208 --a------ C:\WINDOWS\system32\perfc006.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical"=00000000
    "NoLogoff"=0 (0x0)
    "NoToolbarsOnTaskbar"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoBandCustomize"=0 (0x0)
    "NoMovingBands"=0 (0x0)
    "NoCloseDragDropBands"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoActiveDesktop"=0 (0x0)
    "NoSaveSettings"=0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan




    -- End of Deckard's System Scanner: finished at 2008-07-08 18:59:23 ------------
     
  21. 2008/07/07
    noahdfear
    Paste the following in a command window and post the resulting log.

    Code:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | findstr "Shell" >winlgn.txt
    start notepad winlgn.txt
    exit
    cls
    BTW, since you don't have an English operating system, what is the correct word for Desktop in your operating system's language?

    What about the text file?
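The last several posts try to read the Winlogon Shell value with reg query, find that reg.exe is missing from system32, restore it from dllcache, and then run into the fact that %userprofile%\desktop does not exist on a Danish install (the DSS log shows the desktop as C:\Documents and Settings\AW\Skrivebord). As an added example, not part of the thread, here is the same check done in PowerShell: it compares the Shell and Userinit values with their stock values, looks for explorer.exe and reg.exe in their proper locations and in the fallback copies the thread used (dllcache, ServicePackFiles\i386), and writes the report to the real desktop folder via GetFolderPath so it works on any language version. It assumes Windows PowerShell 2.0 or later; the function names and output layout are mine.

```powershell
# Added example (not from the thread): the checks the helper asked for by hand,
# done in one script. Assumes Windows PowerShell 2.0 or later.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys32    = Join-Path $env:windir 'system32'

# Stock values. Windows stores Userinit with a trailing comma, which is trimmed
# before comparing; the comparison is case-insensitive (XP writes "Explorer.exe").
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $sys32 'userinit.exe')
}

function Get-WinlogonShellReport {
    # Shell is what winlogon starts as the desktop; an empty or foreign value here
    # gives exactly the "no desktop, no Start menu" symptom in this thread.
    $props = Get-ItemProperty -Path $winlogon
    foreach ($name in 'Shell', 'Userinit') {
        $actual    = [string]$props.$name
        $isDefault = ($actual.TrimEnd(',') -ieq $expected[$name])
        New-Object PSObject -Property @{ Value = $name; Current = $actual; IsDefault = $isDefault }
    }
}

function Get-SystemFileCopies {
    # Where a system binary belongs, plus the fallback copies the thread used.
    param([string]$FileName)
    $candidates = @(
        (Join-Path $env:windir $FileName),
        (Join-Path $sys32 $FileName),
        (Join-Path $sys32 "dllcache\$FileName"),
        (Join-Path $env:windir "ServicePackFiles\i386\$FileName")
    )
    foreach ($p in $candidates) {
        $exists = Test-Path -Path $p
        $size = $null; $sig = $null
        if ($exists) {
            $size = (Get-Item -Path $p -Force).Length
            # Older Windows reports only embedded signatures here, not catalog ones.
            $sig  = (Get-AuthenticodeSignature -FilePath $p).Status
        }
        New-Object PSObject -Property @{ Path = $p; Exists = $exists; Size = $size; SigStatus = $sig }
    }
}

# Localized installs name the desktop folder differently (Skrivebord on the Danish
# XP in this thread), so resolve it instead of hard-coding "desktop".
$desktop = [Environment]::GetFolderPath('Desktop')
$report  = Join-Path $desktop 'winlgn.txt'

$out = @('Winlogon values')
$out += Get-WinlogonShellReport | Format-Table Value, Current, IsDefault -AutoSize | Out-String
foreach ($f in 'explorer.exe', 'reg.exe') {
    $out += "Copies of $f"
    $out += Get-SystemFileCopies $f | Format-Table Path, Exists, Size, SigStatus -AutoSize | Out-String
}
$out | Set-Content -Path $report
Start-Process -FilePath notepad.exe -ArgumentList $report
```

If reg.exe is absent from system32 but present in dllcache or ServicePackFiles\i386, Copy-Item from there is the PowerShell equivalent of the thread's `if exist ... copy` line. Compare sizes first: the dir output in post 20 shows the SP2 build at 54,272 bytes and an older 52,224-byte build in $NtServicePackUninstall$, and a copy that matches neither deserves a second look before it is trusted.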

     
