Can't Access Control Panel

Toshiba SATELLITE
February 9, 2009 at 09:29:58
Specs: Vista, 1gb
I had the same issue with the tdsserv virus as some others in the forum. I followed all the instructions to eliminate the virus and I believe it is completely gone. BUT I have another problem. Somewhere along the line I have made my control panel unable to be accessed, which makes me unable to uninstall programs and has made my email not work. I try to open it, the screen pops up and then it is gone. I am using Vista. What should I do?





#1
February 9, 2009 at 14:09:53
Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
February 9, 2009 at 17:49:46
Here you go


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:05 PM, on 2/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
C:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-2361973826-4266691698-2216676552-1000\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-2361973826-4266691698-2216676552-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-2361973826-4266691698-2216676552-1000\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - S-1-5-21-2361973826-4266691698-2216676552-1000 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User '?')
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls...
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 7240 bytes



#3
February 9, 2009 at 18:52:22
I don't see an antivirus program running; to continue, you need to install one.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans. To do this, click the AVG icon in the systray (bottom right of your screen), then click Exit.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, then turn off your AVG antivirus and any other antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#4
February 9, 2009 at 19:55:46
ComboFix 09-02-08.02 - VistaUser 2009-02-09 22:35:54.2 - NTFSx86
Running from: c:\users\VistaUser\Desktop\toolb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\VistaUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\windows\Tasks\qmomlmyq.job

.
((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-09 22:18 . 2009-02-09 22:18 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-09 22:12 . 2009-02-09 22:14 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-02-09 22:12 . 2009-02-09 22:12 <DIR> d-------- c:\users\All Users\avg8
2009-02-09 22:12 . 2009-02-09 22:12 <DIR> d-------- c:\programdata\avg8
2009-02-09 22:12 . 2009-02-09 22:12 <DIR> d-------- c:\program files\AVG
2009-02-09 22:12 . 2009-02-09 22:12 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-09 22:12 . 2009-02-09 22:12 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-09 22:12 . 2009-02-09 22:12 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-02-09 20:43 . 2009-02-09 20:43 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 10:25 . 2009-02-09 10:25 576 --a------ c:\windows\System32\SAVED STUFF.reg
2009-02-09 09:18 . 2009-02-09 09:18 <DIR> d-------- c:\users\VistaUser\DoctorWeb
2009-02-08 23:41 . 2009-02-08 23:42 62,041,337 --a------ c:\windows\MEMORY.DMP
2009-02-08 23:40 . 2009-02-08 23:40 898 --a------ C:\backup.reg
2009-02-08 22:56 . 2009-02-08 22:56 <DIR> d-------- c:\program files\CCleaner
2009-02-08 20:04 . 2009-02-08 20:04 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Malwarebytes
2009-02-08 20:01 . 2009-02-08 20:01 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-08 20:01 . 2009-02-08 20:01 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-08 20:01 . 2009-02-08 22:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 20:01 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-08 20:01 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-08 13:18 . 98,304 c:\windows\System32\K
2009-02-08 09:11 . 2009-02-08 09:11 112,344 --a------ c:\users\VistaUser\dDYytbEN.exe
2009-02-08 09:11 . 2009-02-08 09:11 73,728 --a------ c:\users\VistaUser\sYaXqX.exe
2009-02-08 00:26 . 2009-02-08 00:26 112,344 --a------ c:\users\VistaUser\GcJMVZi.exe
2009-02-08 00:26 . 2009-02-08 00:26 29,696 --a------ c:\users\VistaUser\yFBJfu.exe
2009-02-08 00:05 . 2009-02-08 00:05 112,344 --a------ c:\users\VistaUser\TwfIRdtG.exe
2009-02-08 00:05 . 2009-02-08 00:05 73,728 --a------ c:\users\VistaUser\kqSpiPGegV.exe
2009-02-08 00:01 . 2009-02-08 13:32 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-07 23:53 . 2009-02-07 23:53 112,344 --a------ c:\users\VistaUser\wzimVgxJa.exe
2009-02-07 23:53 . 2009-02-07 23:53 73,728 --a------ c:\users\VistaUser\otvSlSKijYr.exe
2009-02-07 23:53 . 2009-02-07 23:53 29,696 --a------ c:\users\VistaUser\wSHLuFPbS.exe
2009-02-07 23:47 . 2009-02-08 13:00 28,672 --a------ c:\users\VistaUser\ieframes.dll
2009-02-07 22:18 . 2009-02-08 20:08 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Twain
2009-02-07 21:15 . 2009-02-07 21:15 <DIR> d-------- c:\windows\System32\tov02
2009-02-07 21:15 . 2009-02-09 09:24 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\cogad
2009-02-07 21:15 . 2009-02-08 22:26 <DIR> d-------- C:\Temp
2009-02-03 17:12 . 2009-02-07 21:17 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\LimeWire
2009-01-22 10:14 . 2009-01-22 10:14 <DIR> dr------- c:\users\Public\Music
2009-01-19 12:09 . 2009-01-19 12:09 <DIR> d-------- c:\program files\Maxtor
2009-01-17 18:57 . 2009-01-17 18:57 <DIR> d-------- c:\users\Guest\AppData\Roaming\HP
2009-01-17 18:56 . 2009-01-17 18:56 <DIR> d-------- c:\users\Guest\AppData\Roaming\Apple Computer
2009-01-16 14:00 . 2009-01-19 11:56 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-16 14:00 . 2009-01-19 11:53 <DIR> d-------- c:\users\All Users\Maxtor
2009-01-16 14:00 . 2009-01-19 11:53 <DIR> d-------- c:\programdata\Maxtor
2009-01-16 13:12 . 2008-08-17 05:33 678,408 --a------ c:\windows\System32\gpprefcl.dll
2009-01-14 18:20 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-12 19:48 . 2009-02-07 23:11 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 04:55 --------- d-----w c:\program files\LimeWire
2009-01-27 01:51 --------- d-----w c:\users\VistaUser\AppData\Roaming\HP
2009-01-19 17:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 08:04 --------- d-----w c:\program files\Windows Mail
2009-01-15 08:03 --------- d-----w c:\programdata\Microsoft Help
2009-01-05 18:52 --------- d-----w c:\users\VistaUser\AppData\Roaming\Skype
2009-01-05 14:51 --------- d-----w c:\users\VistaUser\AppData\Roaming\skypePM
2009-01-04 06:25 --------- d-----w c:\programdata\Yahoo!
2009-01-04 06:24 --------- d-----w c:\program files\Yahoo!
2009-01-03 12:40 --------- d-----w c:\programdata\Logishrd
2009-01-01 19:04 683,825 ----a-w c:\windows\unins000.exe
2008-12-23 08:47 138,240 ----a-w c:\windows\system32\drivers\Rtlh86.sys
2008-12-23 08:47 10,240 ----a-w c:\windows\System32\RtNicProp32.dll
2008-12-22 23:51 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-12-22 23:51 56 ---ha-w c:\programdata\ezsidmv.dat
2008-12-22 23:49 --------- d-----w c:\programdata\Skype
2008-12-22 23:49 --------- d-----w c:\program files\Skype
2008-12-22 23:49 --------- d-----w c:\program files\Common Files\Skype
2008-12-22 22:41 --------- d-----w c:\users\VistaUser\AppData\Roaming\Leadertech
2008-12-22 22:40 --------- d-----w c:\program files\Common Files\LogiShrd
2008-12-22 22:39 --------- d-----w c:\programdata\Logitech
2008-12-22 22:39 --------- d-----w c:\program files\Logitech
2008-12-19 15:37 --------- d-----w c:\users\Guest\AppData\Roaming\Nero
2008-12-17 02:45 --------- d-----w c:\users\VistaUser\AppData\Roaming\Apple Computer
2008-12-11 21:51 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-12-11 21:51 --------- d-----w c:\program files\Java
2008-12-11 20:55 --------- d-----w c:\users\VistaUser\AppData\Roaming\Nero
2008-11-28 16:30 2,514,000 ----a-w c:\windows\System32\xsciter.dll
2008-11-28 16:29 289,792 ----a-w c:\windows\System32\sciter-bn.dll
2008-11-12 19:53 357,888 ----a-w c:\windows\System32\sciter-wp.dll
2008-03-26 15:20 174 --sha-w c:\program files\desktop.ini
.

------- Sigcheck -------

2008-10-29 01:29 2944512 8f06e2c9c496e3ca58dde99929e72a34 c:\windows\explorer.exe
2007-08-26 22:10 2940416 d0b9e1fe366f151275d95eb7830662ca c:\windows\SoftwareDistribution\Download\f411dcb0df2de951a1b7d68be5b8fec7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
2007-08-26 21:01 2940416 dcfdfdd783954b8828c3346805f8ba27 c:\windows\SoftwareDistribution\Download\f411dcb0df2de951a1b7d68be5b8fec7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
2006-11-02 04:45 2940416 9c3dba991ffd9ee5c4588a31c7af26a4 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
2008-10-29 01:20 2940416 555d44749f9e2ffe60d775d784dc973e c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
2008-10-27 21:15 2940416 cb51188dc9c4565e31e8ccdd2838f526 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
2008-01-18 22:33 2944512 99603b79de7c854f0ba977bae67195b5 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
2008-10-29 01:29 2944512 8f06e2c9c496e3ca58dde99929e72a34 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
2008-10-29 22:59 2944512 6bb66ce2275fbe8f5b6407126cad7b89 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

2006-11-02 04:45 25600 77d28a5a44293556a5875c575954cdf2 c:\windows\System32\ctfmon.exe
2006-11-02 04:45 25600 77d28a5a44293556a5875c575954cdf2 c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe

2008-01-18 22:33 142848 318dba5f3d01d8a568a04cc78f3b3161 c:\windows\System32\spoolsv.exe
2006-11-02 04:45 141824 edf04f3e611c7005feb9e0009aaad516 c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6000.16386_none_d414e125c49db442\spoolsv.exe
2008-01-18 22:33 142848 318dba5f3d01d8a568a04cc78f3b3161 c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\spoolsv.exe

2008-01-18 22:33 41984 d498a2dc3fbb9e391743e7b333d2c2e7 c:\windows\System32\userinit.exe
2006-11-02 04:45 41472 f2a9e17153c0a4ffeba8a0a90559b5f3 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
2008-01-18 22:33 41984 d498a2dc3fbb9e391743e7b333d2c2e7 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 219136]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1250816]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 225280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 434176]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 69632]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-09 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3903149176-3258793174-869572741-1169]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CB5CD5D1-AC00-48C8-ABC9-1034919BE982}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{345ED04C-AB39-48B3-A48F-687A2AE32DD6}"= Disabled:UDP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\HPZnui01.exe:hpznui01.exe
"{8E9A16FF-6F63-41FF-8809-220EDEB8D96D}"= Disabled:TCP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\HPZnui01.exe:hpznui01.exe
"{512A0E57-98DE-43F7-B7BA-9ACD004E31DE}"= Disabled:UDP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{E8642A7B-31F6-485D-92CB-5BFCC8A60B4A}"= Disabled:TCP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{97EB0209-6D11-4A99-BD6E-544C86A19162}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{DDCD31B4-DDFF-478B-AEE3-331E9CED960E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{14F87513-4E35-4A9B-AB07-A5C9BE4DBCB6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{CC27CF06-26DC-4133-8E42-5B09D30B5903}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{686F1168-2BFB-4AAB-B9C8-81DCCDADA8A0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{52614A6D-0424-4DEB-B1BD-C495B3AA9E25}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{88B4E16C-3B1A-4304-8179-E6180545DE9E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{638EC97B-75BE-45DD-947C-9854AA116158}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{6B478D55-68EC-48B6-A1FF-85B21B353E21}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{AC81E149-ECB1-4535-BBF3-8E3A3F506BDA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{10F45645-4369-43D3-A4DC-B041E3AB76F0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{4769FEB8-2029-4031-96B5-5E8D96CED75F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{FDA18387-F00B-4657-BFC9-CC1441079A07}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{52076204-6DCC-4F23-8045-4EB98D4ED002}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{1F280C5F-FF96-49EA-A939-F4703FC28610}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AEC2C551-96CA-4D92-BF83-2E139F3A6F58}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{C4CC3471-E3E5-4EBF-9498-27701C2915A0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{C3DAC921-6C73-48F0-969F-F89DA87566D7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{1A53171C-77B5-43A1-994C-F77F54892B8E}"= Disabled:UDP:c:\users\tfrankman\AppData\Local\Temp\7zS722B.tmp\setup\HPZnui01.exe:hpznui01.exe
"{35B65FB8-829F-4E4E-9D66-FEFA3CDA0FB6}"= Disabled:TCP:c:\users\tfrankman\AppData\Local\Temp\7zS722B.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{055EC3F3-A8B6-4FB3-B9D6-536F8A4190DB}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{6ED4A784-89BC-438A-A751-3652D057C3FC}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{AD14BA6F-97C8-48C1-B804-C44473A247ED}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0DFF18CC-283A-4157-B305-E66DD7A07241}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AEF5E9BC-B8CC-4D01-94F1-01FA14BC2FBC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{30B89E82-27AD-4A02-9F1F-1C115F4F7F1F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{51A01C63-1193-4B08-A762-886D7788BBF0}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{430BD12C-8AAB-4425-AF59-85E5EE69ABFA}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{28F9DADB-789C-4702-BFEC-399DAE17AA96}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{3AA07BCF-B0D2-44E8-B173-77E93B143190}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{7D25AC28-45F0-4194-9C8B-75CB766B0A04}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{46B462EC-067C-4AAE-9062-47EF3EBEBCF7}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{0BCBE296-7773-40FB-8995-1922BB1F2C71}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{30D60116-D96E-4336-9AAC-CDFF54C7EF6A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DBC96159-F6A0-4352-BA3E-DD7C36E9A40B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{19930133-D269-415E-9535-2F8C98BAFADB}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{71FA94EC-EA48-46E3-879D-BC9B9F009E58}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{92503E0F-DD10-4CC3-AD5E-2F791A306F76}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{63D6DC47-3A66-4060-AFC4-2B47F4EF40DE}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{B5207F2F-2B69-415D-92FF-E2FEACAED766}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E680A7B-0AC6-403A-B6CF-78D79CDD7EDA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E1D9C97-A650-4A8F-A36F-C38458308FF1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{E2DA363A-0B51-428A-87BE-B5826A0D91B7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{05B6F6C3-8C50-4C17-8FD6-F8ECB557276B}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{02A8262C-1010-4917-A7DD-751775C91E3C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D8E67D2A-EB14-4C3B-BF25-D3B81B435A83}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{13733B92-DDCF-40FA-A48F-6CC25DF90063}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FAC00164-5898-4D54-A3B4-CB12FA76956F}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

R1 wdd;wdd; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-09 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-09 107272]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-09 298264]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX
*Deregistered* - AFD
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - Compbatt
*Deregistered* - crcdisk
*Deregistered* - CSC
*Deregistered* - DfsC
*Deregistered* - DXGKrnl
*Deregistered* - Ecache
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - HTTP
*Deregistered* - iScsiPrt
*Deregistered* - KSecDD
*Deregistered* - lltdio
*Deregistered* - luafv
*Deregistered* - LVPr2Mon
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - StillCam
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - tdx
*Deregistered* - TermDD
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac40f979-c1b4-11dd-9353-0016d4fc4409}]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 22:40:19
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-02-09 22:42:51
ComboFix-quarantined-files.txt 2009-02-10 03:42:47

Pre-Run: 79,201,570,816 bytes free
Post-Run: 79,221,874,688 bytes free

321 --- E O F --- 2009-02-06 12:42:33



#5
February 9, 2009 at 20:15:59
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\users\VistaUser\dDYytbEN.exe
c:\users\VistaUser\sYaXqX.exe
c:\users\VistaUser\GcJMVZi.exe
c:\users\VistaUser\yFBJfu.exe
c:\users\VistaUser\TwfIRdtG.exe
c:\users\VistaUser\kqSpiPGegV.exe
c:\users\VistaUser\wzimVgxJa.exe
c:\users\VistaUser\otvSlSKijYr.exe
c:\users\VistaUser\wSHLuFPbS.exe

Folder::
c:\users\VistaUser\AppData\Roaming\cogad

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "run".

Please post the log that is produced.



#6
February 9, 2009 at 21:19:26
I am running the Combofix and received a Blue screen error. Then a message came up saying an Unauthorized change was made to Windows. It takes me to the Windows website to Validate the Windows program and then tells me it is unable to Validate. I tried running it again and it went to a black screen. Should I do it in Safe Mode?


#7
February 10, 2009 at 07:09:06
Ok, after a couple of tries it worked. Here it is:

ComboFix 09-02-08.02 - VistaUser 2009-02-10 9:55:37.5 - NTFSx86 NETWORK
Running from: c:\users\VistaUser\Desktop\toolb.exe
Command switches used :: c:\users\VistaUser\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\users\VistaUser\AppData\Roaming\cogad
c:\users\VistaUser\dDYytbEN.exe
c:\users\VistaUser\GcJMVZi.exe
c:\users\VistaUser\kqSpiPGegV.exe
c:\users\VistaUser\otvSlSKijYr.exe
c:\users\VistaUser\sYaXqX.exe
c:\users\VistaUser\TwfIRdtG.exe
c:\users\VistaUser\wSHLuFPbS.exe
c:\users\VistaUser\wzimVgxJa.exe
c:\users\VistaUser\yFBJfu.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-09 22:18 . 2009-02-09 23:19 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-09 22:12 . 2009-02-09 22:14 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-02-09 22:12 . 2009-02-09 22:12 <DIR> d-------- c:\users\All Users\avg8
2009-02-09 22:12 . 2009-02-09 22:12 <DIR> d-------- c:\programdata\avg8
2009-02-09 22:12 . 2009-02-09 22:12 <DIR> d-------- c:\program files\AVG
2009-02-09 22:12 . 2009-02-09 22:12 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-09 22:12 . 2009-02-09 22:12 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-09 22:12 . 2009-02-09 22:12 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-02-09 20:43 . 2009-02-09 20:43 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 10:25 . 2009-02-09 10:25 576 --a------ c:\windows\System32\SAVED STUFF.reg
2009-02-09 09:18 . 2009-02-09 09:18 <DIR> d-------- c:\users\VistaUser\DoctorWeb
2009-02-08 23:41 . 2009-02-10 00:16 178,054,689 --a------ c:\windows\MEMORY.DMP
2009-02-08 23:40 . 2009-02-08 23:40 898 --a------ C:\backup.reg
2009-02-08 22:56 . 2009-02-08 22:56 <DIR> d-------- c:\program files\CCleaner
2009-02-08 20:04 . 2009-02-08 20:04 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Malwarebytes
2009-02-08 20:01 . 2009-02-08 20:01 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-08 20:01 . 2009-02-08 20:01 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-08 20:01 . 2009-02-08 22:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 20:01 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-08 20:01 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-08 13:18 . 98,304 c:\windows\System32\K
2009-02-08 00:01 . 2009-02-08 13:32 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-07 23:47 . 2009-02-08 13:00 28,672 --a------ c:\users\VistaUser\ieframes.dll
2009-02-07 22:18 . 2009-02-08 20:08 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Twain
2009-02-07 21:15 . 2009-02-07 21:15 <DIR> d-------- c:\windows\System32\tov02
2009-02-07 21:15 . 2009-02-08 22:26 <DIR> d-------- C:\Temp
2009-02-03 17:12 . 2009-02-07 21:17 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\LimeWire
2009-01-22 10:14 . 2009-01-22 10:14 <DIR> dr------- c:\users\Public\Music
2009-01-19 12:09 . 2009-01-19 12:09 <DIR> d-------- c:\program files\Maxtor
2009-01-17 18:57 . 2009-01-17 18:57 <DIR> d-------- c:\users\Guest\AppData\Roaming\HP
2009-01-17 18:56 . 2009-01-17 18:56 <DIR> d-------- c:\users\Guest\AppData\Roaming\Apple Computer
2009-01-16 14:00 . 2009-01-19 11:56 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-16 14:00 . 2009-01-19 11:53 <DIR> d-------- c:\users\All Users\Maxtor
2009-01-16 14:00 . 2009-01-19 11:53 <DIR> d-------- c:\programdata\Maxtor
2009-01-16 13:12 . 2008-08-17 05:33 678,408 --a------ c:\windows\System32\gpprefcl.dll
2009-01-14 18:20 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-12 19:48 . 2009-02-07 23:11 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 04:55 --------- d-----w c:\program files\LimeWire
2009-01-27 01:51 --------- d-----w c:\users\VistaUser\AppData\Roaming\HP
2009-01-19 17:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 08:04 --------- d-----w c:\program files\Windows Mail
2009-01-15 08:03 --------- d-----w c:\programdata\Microsoft Help
2009-01-05 18:52 --------- d-----w c:\users\VistaUser\AppData\Roaming\Skype
2009-01-05 14:51 --------- d-----w c:\users\VistaUser\AppData\Roaming\skypePM
2009-01-04 06:25 --------- d-----w c:\programdata\Yahoo!
2009-01-04 06:24 --------- d-----w c:\program files\Yahoo!
2009-01-03 12:40 --------- d-----w c:\programdata\Logishrd
2009-01-01 19:04 683,825 ----a-w c:\windows\unins000.exe
2008-12-23 08:47 138,240 ----a-w c:\windows\system32\drivers\Rtlh86.sys
2008-12-23 08:47 10,240 ----a-w c:\windows\System32\RtNicProp32.dll
2008-12-22 23:51 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-12-22 23:51 56 ---ha-w c:\programdata\ezsidmv.dat
2008-12-22 23:49 --------- d-----w c:\programdata\Skype
2008-12-22 23:49 --------- d-----w c:\program files\Skype
2008-12-22 23:49 --------- d-----w c:\program files\Common Files\Skype
2008-12-22 22:41 --------- d-----w c:\users\VistaUser\AppData\Roaming\Leadertech
2008-12-22 22:40 --------- d-----w c:\program files\Common Files\LogiShrd
2008-12-22 22:39 --------- d-----w c:\programdata\Logitech
2008-12-22 22:39 --------- d-----w c:\program files\Logitech
2008-12-19 15:37 --------- d-----w c:\users\Guest\AppData\Roaming\Nero
2008-12-17 02:45 --------- d-----w c:\users\VistaUser\AppData\Roaming\Apple Computer
2008-12-11 21:51 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-12-11 21:51 --------- d-----w c:\program files\Java
2008-12-11 20:55 --------- d-----w c:\users\VistaUser\AppData\Roaming\Nero
2008-11-28 16:30 2,514,000 ----a-w c:\windows\System32\xsciter.dll
2008-11-28 16:29 289,792 ----a-w c:\windows\System32\sciter-bn.dll
2008-11-12 19:53 357,888 ----a-w c:\windows\System32\sciter-wp.dll
2008-03-26 15:20 174 --sha-w c:\program files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( SnapShot@2009-02-09_22.41.16.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 48,640 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 49,152 ----a-w c:\windows\NIRCMD.exe
- 2009-02-10 03:12:46 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-10 15:00:28 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-10 15:00:28 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-10 03:12:37 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-10 15:00:28 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-10 15:00:28 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-10 03:14:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-10 14:59:09 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-10 03:14:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-10 14:59:09 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-10 03:14:07 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-10 14:59:09 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-06 17:35:56 1,486,208 ----a-w c:\windows\System32\LegitCheckControl.DLL
- 2009-02-10 01:34:14 101,610 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-10 05:27:54 102,194 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-10 01:34:14 597,602 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-10 05:27:54 598,588 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-10 01:31:31 7,206 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2361973826-4266691698-2216676552-1000_UserData.bin
+ 2009-02-10 05:21:40 8,178 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2361973826-4266691698-2216676552-1000_UserData.bin
- 2009-02-10 01:31:30 50,626 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-10 05:21:40 51,878 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-09 14:52:10 5,236 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-02-10 05:08:13 8,212 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-02-10 01:31:28 42,280 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-10 05:11:05 43,266 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-02-10 03:04:07 234,804 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-02-10 14:28:11 237,368 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 219136]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1250816]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 225280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 434176]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 69632]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-09 1601304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3903149176-3258793174-869572741-1169]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CB5CD5D1-AC00-48C8-ABC9-1034919BE982}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{345ED04C-AB39-48B3-A48F-687A2AE32DD6}"= Disabled:UDP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\HPZnui01.exe:hpznui01.exe
"{8E9A16FF-6F63-41FF-8809-220EDEB8D96D}"= Disabled:TCP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\HPZnui01.exe:hpznui01.exe
"{512A0E57-98DE-43F7-B7BA-9ACD004E31DE}"= Disabled:UDP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{E8642A7B-31F6-485D-92CB-5BFCC8A60B4A}"= Disabled:TCP:c:\users\tfrankman\AppData\Local\Temp\7zS4E1.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{97EB0209-6D11-4A99-BD6E-544C86A19162}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{DDCD31B4-DDFF-478B-AEE3-331E9CED960E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{14F87513-4E35-4A9B-AB07-A5C9BE4DBCB6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{CC27CF06-26DC-4133-8E42-5B09D30B5903}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{686F1168-2BFB-4AAB-B9C8-81DCCDADA8A0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{52614A6D-0424-4DEB-B1BD-C495B3AA9E25}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{88B4E16C-3B1A-4304-8179-E6180545DE9E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{638EC97B-75BE-45DD-947C-9854AA116158}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{6B478D55-68EC-48B6-A1FF-85B21B353E21}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{AC81E149-ECB1-4535-BBF3-8E3A3F506BDA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{10F45645-4369-43D3-A4DC-B041E3AB76F0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{4769FEB8-2029-4031-96B5-5E8D96CED75F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{FDA18387-F00B-4657-BFC9-CC1441079A07}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{52076204-6DCC-4F23-8045-4EB98D4ED002}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{1F280C5F-FF96-49EA-A939-F4703FC28610}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AEC2C551-96CA-4D92-BF83-2E139F3A6F58}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{C4CC3471-E3E5-4EBF-9498-27701C2915A0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{C3DAC921-6C73-48F0-969F-F89DA87566D7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{1A53171C-77B5-43A1-994C-F77F54892B8E}"= Disabled:UDP:c:\users\tfrankman\AppData\Local\Temp\7zS722B.tmp\setup\HPZnui01.exe:hpznui01.exe
"{35B65FB8-829F-4E4E-9D66-FEFA3CDA0FB6}"= Disabled:TCP:c:\users\tfrankman\AppData\Local\Temp\7zS722B.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{055EC3F3-A8B6-4FB3-B9D6-536F8A4190DB}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{6ED4A784-89BC-438A-A751-3652D057C3FC}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{AD14BA6F-97C8-48C1-B804-C44473A247ED}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0DFF18CC-283A-4157-B305-E66DD7A07241}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AEF5E9BC-B8CC-4D01-94F1-01FA14BC2FBC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{30B89E82-27AD-4A02-9F1F-1C115F4F7F1F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{51A01C63-1193-4B08-A762-886D7788BBF0}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{430BD12C-8AAB-4425-AF59-85E5EE69ABFA}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{28F9DADB-789C-4702-BFEC-399DAE17AA96}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{3AA07BCF-B0D2-44E8-B173-77E93B143190}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{7D25AC28-45F0-4194-9C8B-75CB766B0A04}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{46B462EC-067C-4AAE-9062-47EF3EBEBCF7}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{0BCBE296-7773-40FB-8995-1922BB1F2C71}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{30D60116-D96E-4336-9AAC-CDFF54C7EF6A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DBC96159-F6A0-4352-BA3E-DD7C36E9A40B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{19930133-D269-415E-9535-2F8C98BAFADB}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{71FA94EC-EA48-46E3-879D-BC9B9F009E58}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{92503E0F-DD10-4CC3-AD5E-2F791A306F76}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{63D6DC47-3A66-4060-AFC4-2B47F4EF40DE}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{B5207F2F-2B69-415D-92FF-E2FEACAED766}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E680A7B-0AC6-403A-B6CF-78D79CDD7EDA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E1D9C97-A650-4A8F-A36F-C38458308FF1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{E2DA363A-0B51-428A-87BE-B5826A0D91B7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{05B6F6C3-8C50-4C17-8FD6-F8ECB557276B}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{02A8262C-1010-4917-A7DD-751775C91E3C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D8E67D2A-EB14-4C3B-BF25-D3B81B435A83}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{13733B92-DDCF-40FA-A48F-6CC25DF90063}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FAC00164-5898-4D54-A3B4-CB12FA76956F}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

R1 wdd;wdd; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-09 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-09 107272]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-09 298264]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - Compbatt
*Deregistered* - crcdisk
*Deregistered* - CSC
*Deregistered* - DfsC
*Deregistered* - DXGKrnl
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - HTTP
*Deregistered* - iScsiPrt
*Deregistered* - KSecDD
*Deregistered* - lltdio
*Deregistered* - luafv
*Deregistered* - LVPr2Mon
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - StillCam
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - tdx
*Deregistered* - TermDD
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac40f979-c1b4-11dd-9353-0016d4fc4409}]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 10:00:29
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'Explorer.exe'(1368)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------- Other Running Processes -------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Logitech\QuickCam\LU\LULnchr.exe
c:\program files\Logitech\QuickCam\LU\LogitechUpdate.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-10 10:06:22 - machine was rebooted [VistaUser]
ComboFix-quarantined-files.txt 2009-02-10 15:06:08
ComboFix2.txt 2009-02-10 03:42:52

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 76,872,822,784 bytes free

386 --- E O F --- 2009-02-06 12:42:33


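As an added example, not code from this thread, from ComboFix or from its author, this Python script parses lines in the layout of the "Files Created" section of the logs above, applies a few labelled heuristics to decide which entries deserve a human look, and formats a reviewed set of paths into the KILLALL::/File:: block that the CFScript posts in this thread use. The sample lines are constructed: their paths are copied from the logs above, but the dates and sizes on the two random-named .exe lines are invented, since the log only listed those paths.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the layout of ComboFix's "Files Created" section.
# Paths come from the logs in this thread; the dates and sizes of the two
# random-named .exe lines are made up (the thread lists only their paths).
SAMPLE_LOG = r"""
2009-02-09 22:12 . 2009-02-09 22:12 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-09 20:43 . 2009-02-09 20:43 <DIR> d-------- c:\program files\Trend Micro
2009-02-08 13:18 . 98,304 c:\windows\System32\K
2009-02-07 23:47 . 2009-02-08 13:00 28,672 --a------ c:\users\VistaUser\ieframes.dll
2009-02-07 22:18 . 2009-02-08 20:08 <DIR> d-------- c:\users\VistaUser\AppData\Roaming\Twain
2009-02-06 18:02 . 2009-02-06 18:02 24,576 --a------ c:\users\VistaUser\dDYytbEN.exe
2009-02-06 18:02 . 2009-02-06 18:02 24,576 --a------ c:\users\VistaUser\sYaXqX.exe
"""

# created . [modified] size|<DIR> [attrs] path
# The modified timestamp and the attribute column are optional because the
# log above contains a line ("c:\windows\System32\K") that has neither.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?:(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) )?"
    r"(?P<size><DIR>|[\d,]+) "
    r"(?:(?P<attrs>[-a-z]{9}) )?"
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: Optional[str]   # None when ComboFix printed only one timestamp
    size: Optional[int]       # None for directories
    attrs: Optional[str]      # None when ComboFix printed no attribute column
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed entry line; headers, dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Heuristic: a file sitting directly in c:\users\<name>\ rather than under
# AppData, Program Files or Windows.  Legitimate installers rarely drop there.
USER_ROOT_RE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+$", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def case_changes(name: str) -> int:
    """Count upper/lower transitions; generated names like dDYytbEN flip often."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def review_reasons(e: Entry) -> List[str]:
    """Return the (heuristic) reasons an entry deserves manual review, if any."""
    reasons: List[str] = []
    if e.is_dir:
        return reasons
    stem, ext = ntpath.splitext(ntpath.basename(e.path))
    if USER_ROOT_RE.match(e.path) and ext.lower() in EXEC_EXT:
        reasons.append("executable dropped directly in a user profile root")
    if stem.isalpha() and len(stem) >= 6 and case_changes(stem) >= 2:
        reasons.append("random-looking mixed-case name")
    if e.attrs is None:
        reasons.append("attributes not reported by ComboFix")
    return reasons


def flag_entries(text: str) -> List[Tuple[Entry, List[str]]]:
    return [(e, r) for e in parse_files_created(text) if (r := review_reasons(e))]


def to_cfscript(paths: Iterable[str]) -> str:
    """Format paths a human has confirmed into the CFScript block used in this thread."""
    return "KILLALL::\nFile::\n" + "".join(p + "\n" for p in paths)


if __name__ == "__main__":
    for entry, reasons in flag_entries(SAMPLE_LOG):
        print(f"{entry.path}: {'; '.join(reasons)}")
```

The script only proposes candidates; `to_cfscript` is meant to be fed the subset a person has actually verified, never the flagged list as-is.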

#8
February 10, 2009 at 16:31:42

Try the following:

Right click on Computer and left click Manage. Go to Services, look for SL UI Notification Service and stop it if it's started, then go to Software Licensing and do the same: stop it. It'll bring up a window about ReadyBoost; go ahead and stop the service. Then under Software Licensing put it back to Automatic and start the service, then go back to SL UI Notification Service and do the same: set it to Automatic and start the service.



#9
February 10, 2009 at 18:59:34
First I really appreciate your help with this. It has been very difficult trying to get any work done with my laptop and today I could finally do a little bit of catching up.
Ok, I followed this and when I try to start Software Licensing I receive an error 1053 that says the service did not respond in a timely fashion. When I tried to start the SLUI I get error 1068: The dependency service or group failed to start.



#10
February 11, 2009 at 15:46:34
Open Notepad (Start Menu > Run > type notepad and press "ok").

Copy and paste everything between the X's into Notepad, making net stop readyboost the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
net stop readyboost
net stop slsvc
net stop SLUINotify
net start SLUINotify
net start slsvc
net start readyboost
@cls


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.bat, then save it to your desktop.

Double-click Fix.bat and let it run. It should take just a second.


You'll see a black screen flash, that's normal.

Restart the computer and see if control panel works.



#11
February 12, 2009 at 11:03:34
No, it did not fix the issue. The screen opens up and then shuts down. I am also receiving errors that my Windows will not validate through MSFT. When I go to try and fix that issue nothing has worked. Please let me know what to do next.


#12
February 13, 2009 at 15:32:49
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder::
c:\windows\System32\tov02
C:\Temp

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "run".

Please post the log that is produced.



#13
February 14, 2009 at 08:38:37
Ok, I ran the program but the forum thread will not allow me to attach the report. I am not sure why, but once I attach the report the screen goes blank and it won't confirm my post. What now? Would it be best to reformat, or do you think this is a fixable problem?


#14
February 14, 2009 at 17:40:42
Send it in a PM. Just click private messages under one of my posts...maybe it will post that way.

I know that formatting will work...nothing else has yet.

Try this hotfix before formatting.

http://support.microsoft.com/kb/936686/en-us



#15
February 16, 2009 at 13:15:13
I tried to install the hotfix. I receive a message that says it is already installed on my computer. The other problem that keeps coming up is that the MSFT Windows will not Validate on the MSFT website, so I cannot get the computer to take updates properly. I think it is time to reload the computer. A couple of things: How do I save all my Outlook 2007 emails and contacts? Do I just do a restore on the computer, or is there another way? What else do I need to take care of when reloading the programs?



#16
February 16, 2009 at 15:12:46
I'm not much on Outlook. This link should help:

http://www.online-tech-tips.com/ms-office-tips/export-outlook-contacts/

And a system restore is most likely the best way to reinstall windows provided that the restore point (restore date) is before your control panel stopped working.



#17
February 20, 2009 at 17:03:21
Well, the end of this story is that the virus won and I had to reinstall everything on my computer. Thanks for your help.


#18
February 20, 2009 at 18:59:38
Thanks for the follow up.
