Geeks To Go forums
"infected by unknown trojan..." [RESOLVED]
This topic is locked

#46 shawshank24 (Member, Topic Starter, 44 posts)
found an alternate link to the regsearch download and i got it. when i click ok in the program it just disappears... what's going on that most of these programs won't even run for me?

i can still change the background color, images just don't show up.

i found others with the problem and it looks like some of them had to get into the registry and delete unnecessary keys that were blocking the image from showing; i'm assuming that's what you had me looking for with the regsearch, it just won't work :)

Edited by shawshank24, 23 March 2008 - 10:48 AM.

#47 shawshank24 (Member, Topic Starter, 44 posts)
my computer isn't running very well right now either... at least with games. i am playing 'the witcher' right now and there are some effects now that are dropping my framerate BIG TIME, which yesterday didn't even cause a stutter...

i have that SUPERanti spyware running, should i disable it?

EDIT: exited out of the program, and i can deal with the effects again... must just be a resource hungry program.

Edited by shawshank24, 23 March 2008 - 11:37 AM.


#48 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

i found others with the problem and it looks like some of them had to get into the registry and delete unnecessary keys that were blocking the image from showing

that is my current thinking.

let's just try a couple of things first. i want to do a rootkit scan on your machine. also, i want to get another full DSS scan.

====STEP 1====
Download Sophos Anti-Rootkit & save it to your desktop after filling out the questionnaire and reading the EULA.

Note: You will need to enter your name, e-mail address and location in order to access the download page.
  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the "Start Scan" button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now


====STEP 2====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



In your next reply could i see:
1. the sophos rootkit scan log, if any
2. the 2 DSS logs

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted

andrewuk

#49 shawshank24 (Member, Topic Starter, 44 posts)
when i try and run it i get the message 'sarsfx.exe does not currently support vista'

#50 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
try this one.....

Please download Rootkit Revealer (It should be part of the Top 10 Downloads list)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here


#51 shawshank24 (Member, Topic Starter, 44 posts)
tried rootkit revealer and the scan completed. when i go to save, the program like, glitches, and the only thing i'm able to do is return to the desktop (the program couldn't display on the desktop...)

scan worked, but there's no way i can show you what the results are :) is my computer so messed up that none of these will work or is it the programs?...

#52 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
no, it may just be vista.....

try this one, i know it works with vista

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

andrewuk

#53 shawshank24 (Member, Topic Starter, 44 posts)
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-23 19:47:18
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0x923408AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0x92340812]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwQueryLicenseValue + D41 81AA0BB9 1 Byte [ 06 ]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81B01C78 4 Bytes [ AC, 08, 34, 92 ]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81B01EA8 4 Bytes [ 12, 08, 34, 92 ]
_PAGELK C:\Windows\system32\ntkrnlpa.exe entry point in "_PAGELK" section [0x81B354B0]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗M
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 2
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 3145728
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 8191
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\͗[email protected] 0x00 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] IconCodecService.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] -1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] mnmsrvc
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90

---- EOF - GMER 1.0.14 ----
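One way to triage a GMER log like the one above mechanically, as an added example that is not part of the original thread and not GMER's own code: it parses the SSDT, kernel-code-section and AttachedDevice lines, checks each owning driver against an allow-list, and decodes every 4-byte kernel patch as a little-endian pointer so it can be matched against the SSDT hook targets. The allow-list is an assumption for this example, built from what the posted log shows running (AVG's guard.sys and the Silicon Image SiWinAcc.sys filter); build your own from what the host actually has installed. On the posted log the two patches at KeSetTimerEx + 624 and + 854 decode to 0x923408AC and 0x92340812, which are exactly the two guard.sys hook addresses: the bytes GMER found at those kernel addresses are the rewritten SSDT slots themselves, reported relative to the nearest exported symbol, so a security product's SSDT hooks appear twice, once as SSDT lines and once as kernel-code-section patches. The sample log embedded in the script is a constructed excerpt of the posted one with two invented entries (hidden.sys and unknownflt.sys) added to show how an unexplained hook is reported.

```python
"""Triage the hook sections of a GMER rootkit log (added example, not GMER code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: drivers whose hooks are expected on this host
# (the AV guard and the SATA filter seen in the posted log). Build your own.
TRUSTED_MODULES = {
    "guard.sys": "AVG Anti-Spyware 7.5 real-time guard",
    "siwinacc.sys": "Silicon Image SATA accelerator filter",
}

# Constructed excerpt of the posted log; hidden.sys and unknownflt.sys are
# invented entries that show what an unexplained hook looks like.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0x923408AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0x92340812]
SSDT \??\C:\Windows\system32\drivers\hidden.sys ZwQueryDirectoryFile [0x8A3F1200]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwQueryLicenseValue + D41 81AA0BB9 1 Byte [ 06 ]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81B01C78 4 Bytes [ AC, 08, 34, 92 ]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81B01EA8 4 Bytes [ 12, 08, 34, 92 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Ntfs \Ntfs unknownflt.sys
"""

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>.+?)\s+(?P<func>(?:Zw|Nt)\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
PATCH_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+)\s+\+\s+[0-9A-Fa-f]+\s+(?P<addr>[0-9A-Fa-f]+)"
    r"\s+\d+\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]$")
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<target>\S+)\s+\S+\s+(?P<driver>\S+)(?:\s+\(.*\))?$")


@dataclass
class Hook:
    kind: str                # "SSDT" or "AttachedDevice"
    module: str              # lower-cased basename of the owning driver
    detail: str              # hooked syscall, or the device stack filtered
    address: Optional[int]   # SSDT target address; None for AttachedDevice
    trusted: bool


@dataclass
class Patch:
    symbol: str              # nearest kernel export GMER used as reference
    address: int
    value: bytes
    resolves_to: Optional[str]  # module of the SSDT hook this pointer hits


def parse_hooks(text: str) -> List[Hook]:
    """Collect SSDT hooks and filter-driver attachments with an allow-list verdict."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            mod = m["path"].rsplit("\\", 1)[-1].lower()
            hooks.append(Hook("SSDT", mod, m["func"], int(m["addr"], 16),
                              mod in TRUSTED_MODULES))
            continue
        m = ATTACHED_RE.match(line)
        if m:
            mod = m["driver"].lower()
            hooks.append(Hook("AttachedDevice", mod, m["target"], None,
                              mod in TRUSTED_MODULES))
    return hooks


def parse_patches(text: str, hooks: List[Hook]) -> List[Patch]:
    """Decode each 4-byte kernel patch as a little-endian pointer and match it
    against the SSDT hook targets: a rewritten SSDT slot shows up as a patch."""
    by_addr = {h.address: h for h in hooks if h.address is not None}
    patches = []
    for raw in text.splitlines():
        m = PATCH_RE.match(raw.strip())
        if not m:
            continue
        tokens = [t for t in re.split(r"[,\s]+", m["bytes"]) if t]
        value = bytes(int(t, 16) for t in tokens)
        target = None
        if len(value) == 4:
            ptr = int.from_bytes(value, "little")
            if ptr in by_addr:
                target = by_addr[ptr].module
        patches.append(Patch(m["sym"], int(m["addr"], 16), value, target))
    return patches


def unexplained(hooks: List[Hook], patches: List[Patch]) -> List[str]:
    """Everything a human still has to look at before calling the log clean."""
    out = [f"{h.kind} {h.detail} -> {h.module}" for h in hooks if not h.trusted]
    out += [f"patch at {p.address:08X} ({p.symbol}) = {p.value.hex()}"
            for p in patches if p.resolves_to is None]
    return out


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    patches = parse_patches(SAMPLE_LOG, hooks)
    for p in patches:
        print(f"patch {p.address:08X} -> {p.resolves_to or 'unexplained'}")
    for line in unexplained(hooks, patches):
        print("REVIEW:", line)
```

What the script leaves in its REVIEW list is exactly what needs a human: the single-byte patch at ZwQueryLicenseValue + D41 has no pointer to resolve, and any driver not on the allow-list needs its file located, its signature and vendor checked, and its install explained before anything is cleaned. The allow-list match is on basename only; a real triage should also compare the full path against the vendor's install directory, since a hostile driver can borrow a trusted name.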

#54 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
ok, the background issue is a vista issue which i will go and get some help resolving.

in the meantime, let's wrap up the malware part of this. from a malware point of view your logs are clean :)

in this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
clearing away the fix tools.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
you can now clear away the rest of the fix tools we used.


====STEP 2====
Resetting your restore points (which is about turning system restore off, rebooting, and then turning it back on again).
1. Open System by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking System.

2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK.

reboot

1. Open System by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking System.

2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.

How to Turn On and Turn Off System Restore in Vista
http://windowshelp.m...6fb3f01033.mspx


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

i will be back with ideas for the desktop background.

andrewuk

#55 shawshank24 (Member, Topic Starter, 44 posts)
thank you so much for the help andrewuk.

can't wait to hear how to get my background back! :)

to add to the problem though, my computer isn't displaying image thumbnails. in my games folder, none of the icons are showing up, and in my pictures folder, no thumbnails are displaying... yesterday i had thumbnails in the pictures folder, so i don't know what happened here...
#56 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
ok, let's try and run combofix again, see if that helps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#57 shawshank24 (Member, Topic Starter, 44 posts)
ComboFix 08-03-22.3 - Hello Matthew! 2008-03-24 13:31:26.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2606 [GMT -6:00]
Running from: C:\Users\Hello Matthew!\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Hello Matthew!\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-23 21:05 . 2008-03-23 21:05 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-03-23 21:05 . 2008-03-23 21:05 <DIR> d-------- C:\ProgramData\Lavasoft
2008-03-23 21:05 . 2008-03-23 21:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-23 21:01 . 2008-03-23 21:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-23 21:01 . 2005-08-25 18:19 115,920 --a------ C:\Windows\System32\MSINET.OCX
2008-03-23 17:43 . 2008-03-23 20:51 <DIR> d-------- C:\Program Files\Sophos
2008-03-23 10:47 . 2007-09-05 23:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-03-23 10:47 . 2006-04-27 16:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-03-23 10:47 . 2008-03-22 15:49 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-03-23 10:47 . 2008-03-15 17:16 82,432 --a------ C:\Windows\System32\IEDFix.exe
2008-03-23 10:47 . 2003-06-05 20:13 53,248 --a------ C:\Windows\System32\Process.exe
2008-03-23 10:47 . 2004-07-31 17:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-03-22 19:47 . 2008-03-22 19:47 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-03-22 19:47 . 2008-03-22 19:47 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-03-22 19:43 . 2008-03-22 19:43 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\SUPERAntiSpyware.com
2008-03-22 19:43 . 2008-03-22 19:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 19:42 . 2008-03-23 21:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 19:27 . 2008-03-22 19:27 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\Malwarebytes
2008-03-22 19:27 . 2008-03-22 19:27 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-03-22 19:27 . 2008-03-22 19:27 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-03-20 13:55 . 2008-03-20 13:55 <DIR> d-------- C:\Users\All Users\LightScribe
2008-03-20 13:55 . 2008-03-20 13:55 <DIR> d-------- C:\ProgramData\LightScribe
2008-03-19 21:17 . 2008-03-19 21:17 <DIR> d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2008-03-19 21:16 . 2008-03-19 21:23 770 --a------ C:\Windows\Sof2.INI
2008-03-19 13:34 . 2008-03-19 13:34 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-03-19 13:30 . 2008-03-19 13:30 <DIR> d-------- C:\Program Files\Firaxis Games
2008-03-19 12:06 . 2008-03-19 12:06 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\Grisoft
2008-03-19 12:06 . 2007-05-30 06:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-19 01:16 . 2005-03-04 20:08 32,768 --a------ C:\Program Files\SleepTimer.exe
2008-03-19 00:39 . 2008-03-23 21:02 <DIR> d-a------ C:\Users\All Users\TEMP
2008-03-19 00:39 . 2008-03-23 21:02 <DIR> d-a------ C:\ProgramData\TEMP
2008-03-18 23:56 . 2008-03-18 23:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 23:21 . 2008-03-18 23:21 <DIR> d-------- C:\Users\All Users\vsosdk
2008-03-18 23:21 . 2008-03-18 23:21 <DIR> d-------- C:\ProgramData\vsosdk
2008-03-18 23:10 . 2008-03-18 23:24 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-18 23:10 . 2008-03-18 23:24 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-18 23:10 . 2008-03-18 23:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-18 22:57 . 2008-03-18 22:57 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-03-18 19:45 . 2008-03-18 19:45 <DIR> d-------- C:\Program Files\Sierra
2008-03-18 19:31 . 2008-03-18 19:31 278,984 --a------ C:\Windows\System32\drivers\atksgt.sys
2008-03-18 19:31 . 2008-03-18 19:31 25,416 --a------ C:\Windows\System32\drivers\lirsgt.sys
2008-03-18 19:21 . 2008-03-18 20:01 <DIR> d-------- C:\Program Files\The Witcher
2008-03-18 19:17 . 2008-03-18 19:17 <DIR> d-------- C:\Program Files\Prey
2008-03-18 18:59 . 2008-03-18 22:57 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\Vso
2008-03-18 18:59 . 2008-03-18 22:57 47,360 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.sys
2008-03-18 18:58 . 2008-03-18 18:58 <DIR> d-------- C:\Windows\WinRAR
2008-03-18 18:55 . 2008-03-18 18:55 <DIR> d-------- C:\Users\All Users\Adobe Systems
2008-03-18 18:55 . 2008-03-18 18:55 <DIR> d-------- C:\ProgramData\Adobe Systems
2008-03-18 18:53 . 2008-03-18 18:53 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-18 18:46 . 2008-03-18 18:46 <DIR> d-------- C:\Users\All Users\Media Center Programs
2008-03-18 18:46 . 2008-03-18 18:46 <DIR> d-------- C:\ProgramData\Media Center Programs
2008-03-18 18:41 . 2008-03-18 18:41 <DIR> d-------- C:\Program Files\Sierra Entertainment
2008-03-18 18:40 . 2008-03-18 22:57 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\BitTorrent
2008-03-18 18:27 . 2008-03-18 18:27 <DIR> d-------- C:\Program Files\Eidos
2008-03-18 18:00 . 2008-03-18 18:00 <DIR> dr-h----- C:\Users\Hello Matthew!\AppData\Roaming\SecuROM
2008-03-18 17:51 . 2008-03-18 17:51 <DIR> d-------- C:\Program Files\Ubisoft
2008-03-18 17:47 . 2008-03-18 20:02 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\Auslogics
2008-03-18 17:41 . 2008-03-18 17:41 <DIR> d-------- C:\Program Files\Auslogics
2008-03-18 17:40 . 2008-03-18 17:40 <DIR> d-------- C:\Program Files\CCleaner
2008-03-18 17:40 . 2008-03-18 17:40 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-18 17:16 . 2008-03-18 17:16 55 --a------ C:\xmp.bat
2008-03-18 17:09 . 2008-03-18 17:10 <DIR> d-------- C:\Program Files\Analog Devices
2008-03-18 16:39 . 2008-03-18 16:39 <DIR> d-------- C:\Users\All Users\LogiShrd
2008-03-18 16:39 . 2008-03-18 16:39 <DIR> d-------- C:\ProgramData\LogiShrd
2008-03-18 16:38 . 2008-01-09 10:26 301,656 --a------ C:\Windows\System32\BtCoreIf.dll
2008-03-18 16:38 . 2008-03-18 16:38 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-03-18 16:37 . 2008-03-18 16:38 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-03-18 15:39 . 2008-03-18 15:39 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-18 15:38 . 2008-03-18 15:38 <DIR> d-------- C:\Windows\PCHEALTH
2008-03-18 15:38 . 2008-03-18 15:38 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-18 15:37 . 2008-03-18 15:39 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-18 15:37 . 2008-03-18 15:39 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-18 15:37 . 2008-03-18 15:37 <DIR> dr-h----- C:\MSOCache
2008-03-18 15:25 . 2008-03-18 15:25 <DIR> d-------- C:\Users\All Users\EPSON
2008-03-18 15:25 . 2008-03-18 15:25 <DIR> d-------- C:\ProgramData\EPSON
2008-03-18 15:25 . 2006-08-10 00:02 75,264 --a------ C:\Windows\System32\E_FLBBIA.DLL
2008-03-18 15:25 . 2006-04-19 00:00 62,976 --a------ C:\Windows\System32\E_FD4BBIA.DLL
2008-03-18 15:24 . 2006-10-12 22:00 61,952 --a------ C:\Windows\System32\escwiad.dll
2008-03-18 14:55 . 2008-03-18 14:55 0 --a------ C:\Windows\nsreg.dat
2008-03-18 14:49 . 2008-03-22 12:23 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\AVG7
2008-03-18 14:49 . 2008-03-19 12:06 <DIR> d-------- C:\Users\All Users\Grisoft
2008-03-18 14:49 . 2008-03-18 22:45 <DIR> d-------- C:\Users\All Users\avg7
2008-03-18 14:49 . 2008-03-19 12:06 <DIR> d-------- C:\ProgramData\Grisoft
2008-03-18 14:49 . 2008-03-18 22:45 <DIR> d-------- C:\ProgramData\avg7
2008-03-18 14:49 . 2008-03-18 14:49 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-03-18 14:49 . 2008-03-18 14:49 348,160 --a------ C:\Windows\System32\msvcr71.dll
2008-03-18 14:49 . 2008-03-18 14:52 53,768 --a------ C:\Windows\System32\drivers\avgwfp.sys
2008-03-18 14:49 . 2008-03-18 14:49 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-03-18 14:46 . 2008-03-18 14:46 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\Logitech
2008-03-18 14:46 . 2008-03-18 14:46 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-03-18 14:42 . 2008-03-18 14:42 <DIR> d-------- C:\Users\All Users\Logitech
2008-03-18 14:42 . 2008-03-18 14:42 <DIR> d-------- C:\ProgramData\Logitech
2008-03-18 14:42 . 2008-03-18 14:42 <DIR> d-------- C:\Program Files\Logitech
2008-03-18 14:42 . 2008-03-18 16:38 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-18 14:42 . 2008-01-09 10:27 170,512 --a------ C:\Windows\System32\kemutb.dll
2008-03-18 14:42 . 2008-01-09 10:28 141,840 --a------ C:\Windows\System32\KemUtil.dll
2008-03-18 14:42 . 2008-01-09 10:28 117,264 --a------ C:\Windows\System32\KemWnd.dll
2008-03-18 14:42 . 2008-01-09 10:28 76,304 --a------ C:\Windows\System32\KemXML.dll
2008-03-08 15:43 . 2008-03-08 15:43 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 15:42 . 2008-03-20 13:55 <DIR> d-------- C:\Users\Hello Matthew!\AppData\Roaming\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 21:48 593,920 ----a-w C:\Windows\System32\AEADIExt.dll
2008-03-12 21:48 126,768 ----a-w C:\Windows\System32\AEADIAPO.dll
2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-04 15:11 18,804,224 ----a-w C:\Windows\Web\Wallpaper\imageres.dll
2008-03-04 15:11 18,804,224 ----a-w C:\Windows\System32\imageres.dll
2008-02-25 16:05 174 --sha-w C:\Program Files\desktop.ini
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Mail
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Journal
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Defender
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Collaboration
2008-02-25 16:02 --------- d-----w C:\Program Files\Windows Calendar
2008-02-25 15:52 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-02-25 15:52 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-19 07:44 986,680 ----a-w C:\Windows\System32\winload.exe
2008-01-19 07:44 926,776 ----a-w C:\Windows\System32\winresume.exe
2008-01-19 07:43 614,968 ----a-w C:\Windows\System32\ci.dll
2008-01-19 07:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-01-19 07:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-01-19 07:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-01-19 07:43 247,352 ----a-w C:\Windows\System32\clfs.sys
2008-01-19 07:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2008-01-19 07:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2008-01-19 07:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2008-01-19 07:42 141,880 ----a-w C:\Windows\System32\halacpi.dll
2008-01-19 07:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2008-01-19 07:41 21,560 ----a-w C:\Windows\System32\kdusb.dll
2008-01-19 07:41 19,512 ----a-w C:\Windows\System32\kdcom.dll
2008-01-19 07:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL
2008-01-19 07:38 4,595,712 ----a-w C:\Windows\System32\AuthFWSnapin.dll
2008-01-19 07:38 242,744 ----a-w C:\Windows\System32\rsaenh.dll
2008-01-19 07:38 155,704 ----a-w C:\Windows\System32\dssenh.dll
2008-01-19 07:38 131,640 ----a-w C:\Windows\System32\basecsp.dll
2008-01-19 07:38 103,936 ----a-w C:\Windows\System32\NAPHLPR.DLL
2008-01-19 07:38 1,203,792 ----a-w C:\Windows\System32\ntdll.dll
2008-01-19 07:36 99,840 ----a-w C:\Windows\System32\ulib.dll
2008-01-19 07:35 98,304 ----a-w C:\Windows\System32\mssitlb.dll
2008-01-19 07:34 98,816 ----a-w C:\Windows\System32\mfps.dll
2008-01-19 07:33 98,304 ----a-w C:\Windows\System32\makecab.exe
2008-01-19 07:32 258,048 ----a-w C:\Windows\System32\winspool.drv
2008-01-19 07:32 21,504 ----a-w C:\Windows\System32\msacm32.drv
2008-01-19 07:32 166,912 ----a-w C:\Windows\System32\wdmaud.drv
2008-01-19 07:32 1,370,624 ----a-w C:\Windows\System32\Aurora.scr
2008-01-19 07:31 7,680 ----a-w C:\Windows\System32\spwizres.dll
2008-01-19 07:31 57,856 ----a-w C:\Windows\System32\nlsbres.dll
2008-01-19 07:31 118,272 ----a-w C:\Windows\System32\RDPENCDD.dll
2008-01-19 07:30 17,920 ----a-w C:\Windows\System32\netevent.dll
2008-01-19 07:29 705,536 ----a-w C:\Windows\System32\imagesp1.dll
2008-01-19 07:29 58,880 ----a-w C:\Windows\System32\msobjs.dll
2008-01-19 07:28 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-01-19 07:26 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-01-19 06:06 8,147,456 ----a-w C:\Windows\System32\wmploc.DLL
2008-01-19 06:01 14,336 ----a-w C:\Windows\System32\tsddd.dll
2008-01-19 06:01 134,656 ----a-w C:\Windows\System32\rdpdd.dll
2008-01-19 05:52 56,320 ----a-w C:\Windows\System32\vga256.dll
2008-01-19 05:52 21,504 ----a-w C:\Windows\System32\vga64k.dll
2008-01-19 05:52 11,776 ----a-w C:\Windows\System32\framebuf.dll
2008-01-19 05:52 10,752 ----a-w C:\Windows\System32\vga.dll
2008-01-19 05:50 14,848 ----a-w C:\Windows\System32\iscsilog.dll
2008-01-19 05:48 20,992 ----a-w C:\Windows\System32\msdtcVSp1res.dll
2008-01-19 05:48 1,291,264 ----a-w C:\Windows\System32\comres.dll
2008-01-19 05:46 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-19 05:39 13,312 ----a-w C:\Windows\System32\WsmRes.dll
2008-01-19 05:37 2,031,616 ----a-w C:\Windows\System32\win32k.sys
2008-01-19 05:36 289,792 ----a-w C:\Windows\System32\atmfd.dll
2008-01-19 05:33 56,320 ----a-w C:\Windows\System32\graftabl.com
2008-01-19 05:31 8,322,048 ----a-w C:\Windows\System32\spwizimg.dll
2008-01-19 05:27 8,704 ----a-w C:\Windows\System32\kd1394.dll
2008-01-19 05:26 605,696 ----a-w C:\Windows\System32\adtschema.dll
2008-01-19 03:17 100,043 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-01-05 11:36 195,122 ----a-w C:\Windows\System32\winrm.vbs
2008-01-05 11:35 80,047 ----a-w C:\Windows\System32\slmgr.vbs
2008-01-05 11:34 15,181 ----a-w C:\Windows\System32\gatherWirelessInfo.vbs
2008-01-05 11:27 96,760 ----a-w C:\Windows\System32\dfshim.dll
2008-01-05 11:27 84,480 ----a-w C:\Windows\System32\mscories.dll
2008-01-05 11:27 282,112 ----a-w C:\Windows\System32\mscoree.dll
2008-01-05 11:27 158,720 ----a-w C:\Windows\System32\mscorier.dll
2008-01-05 11:21 779,800 ----a-w C:\Windows\System32\PresentationNative_v0300.dll
2008-01-05 11:21 579,584 ----a-w C:\Windows\System32\icardagt.exe
2008-01-05 11:21 350,744 ----a-w C:\Windows\System32\PresentationHost.exe
2008-01-05 11:21 33,304 ----a-w C:\Windows\System32\PresentationHostProxy.dll
2008-01-05 11:21 28,672 ----a-w C:\Windows\System32\TsWpfWrp.exe
2008-01-05 11:21 12,198 ----a-w C:\Windows\System32\gatherWiredInfo.vbs
2008-01-05 11:21 11,776 ----a-w C:\Windows\System32\icardres.dll
2008-01-05 11:21 106,520 ----a-w C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 01:33 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 17:05 143360]
"EPSON Stylus CX6000 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [2006-10-18 02:01 143360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 01:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 01:38 1008184]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 16:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 16:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 16:06 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 00:17 55824 C:\Windows\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-18 14:50 579072]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 19:34 868352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-18 14:49 219136]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-18 16:38:06 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-03-18 14:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{218A2E94-69BF-4740-91B3-61C889E3C032}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{C78A760F-F9EA-40BC-9BAB-AA60A62C68F6}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{7F84E129-AAA4-441B-B300-5F706D87DB26}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas
"{EC49DD35-A410-4858-9937-4BFB92D0012D}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas
"{22F88704-B7F3-43F8-9FFD-0F7D2FF44FC6}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater
"{74132FBA-EDD0-4835-A352-2DE18DDB1C89}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater
"TCP Query User{9D4794D5-98A6-4DFC-83E7-D97EE24C62D7}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{BBE71E08-7BCB-410C-9E8C-8319ADDF3399}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"{700D7A1B-699B-4012-B288-CFE9863E18E2}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{9B4E9F09-2605-4873-A3B8-69A665F10F41}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{3F9BA9AF-2024-40AA-8BCA-614C6CF7E489}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{C97A0BDA-B0D0-4F45-B566-905F6FD6CDCE}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{2FA9833E-5C5A-470C-BF9B-545E5EEB4EBB}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{4D88EE51-B3C4-45C9-B73B-BCE7F271B979}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"TCP Query User{6CB2E23C-D477-4261-BD41-A99507BCE1B9}C:\\program files\\sierra\\fear\\fpupdate.exe"= UDP:C:\program files\sierra\fear\fpupdate.exe:fpupdate
"UDP Query User{6A8C26D1-0388-4F76-9E36-99D63AA18ECA}C:\\program files\\sierra\\fear\\fpupdate.exe"= TCP:C:\program files\sierra\fear\fpupdate.exe:fpupdate
"{1C0A8B65-0D72-46AD-AC1E-FA3C13FBA0D2}"= UDP:C:\Program Files\Sierra\FEAR\FEAR.exe:FEAR
"{DEC433FF-2D1D-463D-BCCA-C7C6B25A69AE}"= TCP:C:\Program Files\Sierra\FEAR\FEAR.exe:FEAR
"{1E476106-E0BD-4054-AA01-5560E7A34C39}"= UDP:C:\Program Files\Sierra\FEAR\FEARMP.exe:FEAR
"{15212A79-F2FA-4610-8201-17F9CAE7BDA4}"= TCP:C:\Program Files\Sierra\FEAR\FEARMP.exe:FEAR

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-18 14:52]
S3 BQJ;BQJ;C:\Users\HELLOM~1\AppData\Local\Temp\BQJ.exe [2008-03-23 19:00]
S3 QOEZ;QOEZ;C:\Users\HELLOM~1\AppData\Local\Temp\QOEZ.exe [2008-03-23 18:49]
S3 UVTLUEPKZQ;UVTLUEPKZQ;C:\Users\HELLOM~1\AppData\Local\Temp\UVTLUEPKZQ.exe [2008-03-23 18:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 03:30:29 C:\Windows\Tasks\User_Feed_Synchronization-{0A4B7E45-9D3B-46DE-81CC-3A72A06FFF83}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 13:32:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 13:33:13
ComboFix-quarantined-files.txt 2008-03-24 19:33:11
.
2008-03-18 20:46:55 --- E O F ---

#58
shawshank24

    Member

  • Topic Starter
  • Member
  • 44 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:26 PM, on 3/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.c...Now?lnkctr=mhWN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\Windows\TEMP\E_S3B1C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BQJ - Unknown owner - C:\Users\HELLOM~1\AppData\Local\Temp\BQJ.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: QOEZ - Unknown owner - C:\Users\HELLOM~1\AppData\Local\Temp\QOEZ.exe (file missing)
O23 - Service: UVTLUEPKZQ - Unknown owner - C:\Users\HELLOM~1\AppData\Local\Temp\UVTLUEPKZQ.exe (file missing)

--
End of file - 5741 bytes

#59
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
could you clean out your temporary folders and run ComboFix one more time.

and let me know if that does the trick.

#60
shawshank24

    Member

  • Topic Starter
  • Member
  • 44 posts
sorry, didn't mean to take so long. i just had a couple of back-to-back BSOD problems after clearing my temp files, one after, and the other upon reboot.

PAGE_FAULT_IN_NONPAGED_AREA

and MEMORY_MANAGEMENT...

let me try and get that scan again...