
Solved Another Virtumonde victim who needs help

Discussion in 'Malware and Virus Removal Archive' started by Nokanda, 2008/08/29.

  1. 2008/08/29
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    [Resolved] Another Virtumonde victim who needs help

    I have read many posts regarding this virus and have been given a small ray of hope by seeing the many [RESOLVED] precursors in the titles.

    I am usually very careful about downloading executables (meaning usually never) but I just purchased a DVD burner and in my excitement to start using it I went on the torrent sites for a good program that converts file types to playable DVDs in a regular player. I thought I had a "safe" one with over a thousand seeders but instead I ended up with my desktop wallpaper changed to a virus warning, my screensaver (and the option to set it) is now gone, my restore points have all disappeared, Firefox keeps opening on its own and keeps crashing when I try to use it (so I'm using Explorer), AVG keeps finding 6 files every day even though I keep emptying the vault, and everything, especially bootup, is extremely slow. I can't F8 to safe mode either. I did have Norton running but it didn't detect a thing even though it updates every day. I got AVG after the fact thanks to your recommendation on your site. The HijackThis log is posted below. I hope someone can help me get rid of this annoying and aggressive virus.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:57:50 PM, on 8/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Documents and Settings\Pam\sccs.exe
    C:\Documents and Settings\Pam\css.exe
    C:\Documents and Settings\Pam\ppxcs.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\AVG\AVG8\avgupd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Pam\sccs.exe
    O4 - HKLM\..\Run: [lphcjttj0ec2c] C:\WINDOWS\system32\lphcjttj0ec2c.exe
    O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Pam\css.exe
    O4 - HKLM\..\Run: [ppxcs] C:\Documents and Settings\Pam\ppxcs.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Pam\LOCALS~1\Temp\a..exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/chuzzle/sis/popcaploader_v10.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Pam/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    --
    End of file - 8221 bytes
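An added example, not part of the thread and not code from any of its participants or from the HijackThis tool: a small Python triage script that applies the kind of heuristics a helper applies by eye to the O4 (autostart) lines of a HijackThis log. The sample input is a constructed subset of the O4 lines from the log above plus one non-O4 line; the heuristics (executable sitting directly in a user profile folder, running from a Temp directory, random-looking or malformed file name) and the thresholds are my own assumptions, meant as a first-pass filter rather than a verdict, so a flagged entry still needs to be looked up before anything is removed.

```python
import re

# Constructed sample: a subset of the O4 lines from the HijackThis log posted
# above, plus one R0 line to show that non-O4 lines are skipped.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Pam\sccs.exe
O4 - HKLM\..\Run: [lphcjttj0ec2c] C:\WINDOWS\system32\lphcjttj0ec2c.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Pam\css.exe
O4 - HKLM\..\Run: [ppxcs] C:\Documents and Settings\Pam\ppxcs.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Pam\LOCALS~1\Temp\a..exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# "O4 - <location>: [<value name>] <command>"; the Global Startup form has no
# bracketed name and uses "<shortcut>.lnk = <target>" instead.
O4_RE = re.compile(r"^O4 - (?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.*)$")
# First thing that looks like an executable path, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>.*?\.exe)', re.IGNORECASE)
# <drive>:\Documents and Settings\<user>\<file> (or the 8.3 form), nothing deeper.
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+$", re.I)
# Assumed heuristic: 8+ alphanumerics mixing letters and digits, no separators.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$", re.I)


def parse_o4(log_text):
    """Return one dict per O4 line: location, value name, and the executable path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, command = m.group("name"), m.group("command")
        if name is None and " = " in command:  # Global Startup shortcut form
            name, command = command.split(" = ", 1)
        pm = EXE_RE.match(command.strip())
        path = pm.group("path").strip() if pm else command.strip()
        entries.append({"location": m.group("location"), "name": name or "", "path": path})
    return entries


def suspicious_reasons(entry):
    """List the heuristics an entry trips; an empty list means nothing stood out."""
    path = entry["path"]
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    stem = base[: -len(".exe")] if base.endswith(".exe") else base
    reasons = []
    if PROFILE_ROOT_RE.match(path):
        reasons.append("executable directly in a user profile folder")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking file name")
    if ".." in base or base.startswith("."):
        reasons.append("malformed file name")
    return reasons


def triage(log_text):
    """Return only the O4 entries that trip at least one heuristic, in log order."""
    hits = []
    for entry in parse_o4(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append(dict(entry, reasons=reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['name']}] {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, the script flags the five entries the MBAM log later confirms as Trojan.Agent / Trojan.FakeAlert (Sccs, lphcjttj0ec2c, Css, ppxcs, Somefox) and passes the Java, AVG, Google Talk, MSN Messenger, DAEMON Tools, CTFMON and Adobe Reader entries. The heuristics are deliberately narrow: a legitimate program can live under a profile folder, so the output is a reading aid, not a removal list.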
     
  2. 2008/08/29
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Nokanda
    Welcome to Windowsbbs. :)

    OK, let's get this off your system.

    We'll try MBAM first and then a scan to see things better.

    Please do this in the order given.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now do this.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of both logs here in your next reply.

    Thanks
    Geri
     


  4. 2008/08/30
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Thanks so much for your quick response Geri. I feel like I know you after seeing your name attached to so many posts.

    First the MBAM log:

    Malwarebytes' Anti-Malware 1.25
    Database version: 1097
    Windows 5.1.2600 Service Pack 2

    6:02:17 AM 8/30/2008
    mbam-log-08-30-2008 (06-02-17).txt

    Scan type: Quick Scan
    Objects scanned: 47873
    Time elapsed: 14 minute(s), 18 second(s)

    Memory Processes Infected: 3
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 9
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    C:\Documents and Settings\Pam\sccs.exe (Trojan.Agent) -> Unloaded process successfully.
    C:\Documents and Settings\Pam\css.exe (Trojan.Agent) -> Unloaded process successfully.
    C:\Documents and Settings\Pam\ppxcs.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sccs (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\css (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ppxcs (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjttj0ec2c (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Somefox (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Pam\sccs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\css.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\ppxcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\intelOP.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\Local Settings\Temporary Internet Files\Content.IE5\5KWJHPSX\scom[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\Local Settings\Temporary Internet Files\Content.IE5\874EWTOM\proxit[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\Local Settings\Temporary Internet Files\Content.IE5\CNPLV5P0\IMSP[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Pam\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


    Now the fresh HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:20:23 AM, on 8/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Pam/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    --
    End of file - 7701 bytes
     
  5. 2008/08/30
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Now the info.txt log:

    info.txt logfile of random's system information tool 2008-08-30 06:10:51

    Uninstall list

    --> "g:\program files\mirc\mirc.exe" -uninstall
    -->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    A Series of Unfortunate Events (remove only)--> "g:\Program Files\A Series of Unfortunate Events\Uninstall.exe "
    ACDSee 32-->D:\PROGRA~1\ACDSEE32\UNWISE.EXE D:\PROGRA~1\ACDSEE32\INSTALL.LOG
    Adobe Download Manager 2.2 (Remove Only)--> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe "
    Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Agatha Christie - And Then There Were None-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E4628D0D-5DC8-49EC-985A-F0C12EDBF1D2}\setup.exe" -l0x9 -uninst
    Apple Software Update-->MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
    Audacity 1.2.6--> "g:\Program Files\Audacity\unins000.exe "
    AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    Betrapped--> "g:\Program Files\Betrapped\ReflexiveArcade\unins000.exe "
    Bingo Blowout-->C:\Program Files\Common Files\CA Shared\BIUninst.exe /C:\Program Files\Bingo Blowout\Support\InstallerBlowout.dll
    Bingo Gala-->C:\Program Files\Common Files\CA Shared\BIUninstML.exe /C:\Program Files\Bingo Gala\Support\InstallerGala.dll
    BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe
    Board Games-->C:\WINDOWS\uninst.exe -f "g:\Program Files\Cosmi\Board Games\DeIsL1.isu" -c "g:\Program Files\Cosmi\Board Games\_ISREG32.DLL "
    Booster 1.03--> "C:\Program Files\LG USB Booster\unins000.exe "
    BSPlayer--> "g:\Program Files\Webteh\BSplayerPro\uninstall.exe "
    CA Yahoo! Anti-Spy (remove only)--> "C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe "
    Card Games-->C:\WINDOWS\uninst.exe -f "g:\Program Files\Cosmi\Card Games\DeIsL1.isu" -c "g:\Program Files\Cosmi\Card Games\_ISREG32.DLL "
    Chocolatier 2 - Secret Ingredients--> "C:\WINDOWS\Chocolatier 2 - Secret Ingredients\uninstall.exe" "/U:g:\Program Files\Chocolatier 2 - Secret Ingredients\Uninstall\uninstall.xml "
    Cinema Tycoon Gold (remove only)-->g:\Program Files\Cinema Tycoon Gold\Uninstall.exe
    Clue-->C:\WINDOWS\IsUninst.exe -f "g:\Program Files\Hasbro Interactive\Clue\Uninst.isu "
    Deep Sea Tycoon-->g:\Program Files\Deep Sea Tycoon\uninstall.exe
    DirectX Media Runtime 5.1-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DXM51.INF,Uninstall.NT
    DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
    EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
    EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
    EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\Setup.exe" -l0x9 -anything
    Fairy Godmother Tycoon (remove only)-->g:\Program Files\Fairy Godmother Tycoon\Uninstall.exe
    FileZilla (remove only)--> "g:\Program Files\FileZilla\uninstall.exe "
    Fish Tycoon--> "g:\Program Files\Fish Tycoon\unins000.exe "
    Flower Story - Fairy Quest--> "C:\WINDOWS\Flower Story - Fairy Quest\uninstall.exe" "/U:g:\Program Files\Flower Story - Fairy Quest\Uninstall\uninstall.xml "
    Free Video to Mp3 Converter version 2.7--> "g:\Program Files\DVDVIDEOSOFT\Free Video to Mp3 Converter\unins000.exe "
    Google Earth-->MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
    Google Talk (remove only)--> "C:\Program Files\Google\Google Talk\uninstall.exe "
    Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll "
    Google Updater--> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
    Greek Goddesses of Solitaire--> "C:\WINDOWS\Greek Goddesses of Solitaire\uninstall.exe" "/U:g:\Program Files\Greek Goddesses of Solitaire\Uninstall\uninstall.xml "
    Harry Potter and the Goblet of Fire™-->g:\Program Files\Electronic Arts\Harry Potter and the Goblet of Fire\EAUninstall.exe
    Hidden Wonders of the Depths--> "C:\WINDOWS\Hidden Wonders of the Depths\uninstall.exe" "/U:g:\Program Files\Hidden Wonders of the Depths\Uninstall\uninstall.xml "
    HijackThis 2.0.2--> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hospital Tycoon-->g:\Program Files\Codemasters\Hospital Tycoon\uninstall.exe
    Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
    Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    Jojos Fashion Show--> "C:\WINDOWS\Jojos Fashion Show\uninstall.exe" "/U:g:\Program Files\Jojos Fashion Show\Uninstall\uninstall.xml "
    LiveUpdate 1.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    Lizardtech Express View Browser Plug-in-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C066DCF1-6E5D-4197-A290-7F1F30538DB6}\Setup.exe" -l0x9
    Lottso! de Luxe-->g:\Program Files\Lottso! de Luxe\Uninstal.exe
    Magellan POI File Editor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{104A059B-CD20-4632-A8F6-D8C80E14782D}\Setup.exe" -l0x9
    Magic Academy (remove only)-->g:\Program Files\Magic Academy\Uninstall.exe
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
    Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
    Microsoft Office Word Viewer 2003-->MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Word Supplemental Templates and Wizards-->MsiExec.exe /I{E59219D4-23B8-11D3-A179-00C04F6C9FA4}
    Mozilla Firefox (2.0.0.16)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
    MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    Mystery Case Files - Ravenhearst (remove only)-->g:\Program Files\Mystery Case Files - Ravenhearst\Uninstall.exe
    Mystery Case Files Huntsville-->"C:\WINDOWS\Mystery Case Files Huntsville\uninstall.exe" "/U:g:\Program Files\Mystery Case Files Huntsville\Uninstall\uninstall.xml"
    Mystery Case Files Prime Suspects-->"C:\WINDOWS\Mystery Case Files Prime Suspects\uninstall.exe" "/U:g:\Program Files\Mystery Case Files Prime Suspects\Uninstall\uninstall.xml"
    neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
    Norton AntiVirus Corporate Edition-->MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
    Oscar Spring Edtion 2001-->C:\WINDOWS\UnGins.exe "d:\Program Files\Oscar\install.log"
    Paint Shop Pro 7 ESD-->MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
    Paparazzi (remove only)-->g:\Program Files\Paparazzi\Uninstall.exe
    Parker Brothers Classic Card Games-->g:\Program Files\Hasbro Interactive\Classic Games\PBUninst.exe
    Phanku eTaxCanada 2006-->MsiExec.exe /I{7C978807-9607-4166-92A1-5FF7BC971FE8}
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
    PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
    QuickTax 2007-->MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
    QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
    Scrabble Complete-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B36649A3-D0DD-4706-B042-F5B384529C7A}\Setup.exe" -l0x9
    SecurDisc Viewer-->MsiExec.exe /X{BE90CE58-41DE-4708-9291-A9D1D49B1033}
    Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
    The Game Of Life-->C:\WINDOWS\uninst.exe -f "d:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL2.isu" -cd:\PROGRA~1\HASBRO~1\THEGAM~1\_ISREG32.DLL
    The Sims Carnival - BumperBlast-->"C:\WINDOWS\The Sims Carnival - BumperBlast\uninstall.exe" "/U:g:\Program Files\The Sims Carnival - BumperBlast\Uninstall\uninstall.xml"
    The Sims™ Life Stories-->g:\Program Files\Electronic Arts\The Sims Life Stories\EAUninstall.exe
    Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
    Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
    Virtual Villagers - The Lost Children-->g:\Program Files\Alawar\BFG_VirtualVillagers_TheLostChildren\Uninstall.exe
    Virtual Villagers (remove only)-->g:\Program Files\Virtual Villagers\Uninstall.exe
    Virtual Villagers The Secret City-->"g:\Program Files\Virtual Villagers The Secret City\ReflexiveArcade\unins000.exe"
    Westward (remove only)-->g:\Program Files\Westward\Uninstall.exe
    Wildlife Tycoon Venture Africa-->"g:\Program Files\Wildlife Tycoon Venture Africa\ReflexiveArcade\unins000.exe"
    Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
    Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
    Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
    Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
    Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
    Zoo Tycoon Expanded-->"G:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove

    Security center information

    AV: AVG Anti-Virus Free

    Environment variables

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 0 Stepping 7, GenuineIntel
    "PROCESSOR_REVISION"=0007
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
    "PROJSO"=C:\Program Files\Common Files\LizardTech Shared\GDAL_LIB\proj.dll
    "PROJ_LIB"=C:\Program Files\Common Files\LizardTech Shared\GDAL_ETC
    "GDAL_DATA"=C:\Program Files\Common Files\LizardTech Shared\GDAL_ETC

    -----------------EOF-----------------
     
  6. 2008/08/30
    Nokanda Well-Known Member Thread Starter
    and finally the log.txt log:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-08-30 06:10:29
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 29 GB (75%) free of 38 GB
    Total RAM: 767 MB (55% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:10:48 AM, on 8/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Pam/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    --
    End of file - 7733 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
    "DAEMON Tools"=g:\Program Files\DAEMON Tools\daemon.exe [2007-04-03 165784]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoDispScrSavPage"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "G:\Program Files\Shareaza Lite\Shareaza.exe"="G:\Program Files\Shareaza Lite\Shareaza.exe:*:Enabled:Shareaza Lite"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "J:\CDS\Nero\Installation\SetupX.exe"="J:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup"
    "C:\Documents and Settings\Pam\ppxcs.exe"="C:\Documents and Settings\Pam\ppxcs.exe:*:Disabled:ppxcs"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    File associations

    .reg - open - regedit.exe "%1" %*
    .scr - open - "%1" %*

    List of files/folders created in the last three months

    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 aqyq9qbu;aqyq9qbu; C:\WINDOWS\system32\drivers\aqyq9qbu.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

    -----------------EOF-----------------
     
  7. 2008/08/30
    Geri Inactive Alumni
    Hi Nokanda

    P2P software (Limewire, BitTorrent, uTorrent, etc.): We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus removal.


    Ok we need some files scanned.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths, one at a time, into the "File to upload & scan" box at the top of the page:
      • C:\Documents and Settings\Pam\ppxcs.exe
      • C:\WINDOWS\system32\msxml3a.dll
      • C:\WINDOWS\WAVEMIX.INI
      • C:\WINDOWS\system32\drivers\aqyq9qbu.sys
    • Click on the submit button
    • Please post the results in your next reply.

    Now please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the combofix log and the Jotti results.

    Thanks
    Geri
     
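Before uploading files to a multi-engine scanner it helps to check locally whether each one can be read at all, because a file that a firewall or a piece of malware blocks from being read arrives at the upload form as 0 bytes and the scan result then says nothing about its real content. The Python script below is an added example written for this thread; it is not part of the thread, of Jotti, or of ComboFix. It reports presence, size and MD5 for each path and labels zero-length or unreadable files; the paths it runs on are constructed sample files in a temporary directory, not the paths from the machine discussed above.

```python
"""Local triage of candidate files before submitting them to an online scanner.

Added example (not from the thread, Jotti or ComboFix). For each path it
records whether the file exists, its size and MD5, and a status that tells
the reader whether an upload of that file can be trusted at all.
"""
import hashlib
import os
import tempfile


def md5_of(path, chunk_size=65536):
    """Stream a file through MD5 so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(path):
    """Describe one candidate file.

    Status values:
      "missing"     - no regular file at that path
      "unreadable"  - exists but cannot be opened (locked, access denied)
      "zero-length" - reads back as 0 bytes; this is what a blocked or
                      hidden file looks like to an upload form, so a
                      "found nothing" verdict on it is meaningless
      "ok"          - readable with content; compare the MD5 with the one
                      the scanner reports to confirm it saw the same bytes
    """
    row = {"path": path, "size": None, "md5": None, "status": "missing", "error": None}
    if not os.path.isfile(path):
        return row
    try:
        row["size"] = os.path.getsize(path)
        row["md5"] = md5_of(path)
    except OSError as exc:
        row["status"] = "unreadable"
        row["error"] = str(exc)
        return row
    row["status"] = "zero-length" if row["size"] == 0 else "ok"
    return row


def triage_all(paths):
    """Triage every path in the list, preserving order."""
    return [triage(p) for p in paths]


def format_report(rows):
    """Render triage rows as one aligned text line per file."""
    lines = []
    for r in rows:
        size = "-" if r["size"] is None else str(r["size"])
        md5 = r["md5"] or "-"
        lines.append("%-12s %10s  %-32s  %s" % (r["status"], size, md5, r["path"]))
    return "\n".join(lines)


def make_sample_dir():
    """Constructed sample input: a normal file, an empty file and a missing path.

    The names are placeholders and have nothing to do with the files named
    in the thread.
    """
    base = tempfile.mkdtemp(prefix="triage_")
    normal = os.path.join(base, "sample.dll")
    with open(normal, "wb") as fh:
        fh.write(b"abc")  # constructed content; MD5 900150983cd24fb0d6963f7d28e17f72
    empty = os.path.join(base, "hidden.sys")
    open(empty, "wb").close()  # 0-byte file stands in for a blocked read
    missing = os.path.join(base, "does_not_exist.exe")
    return [normal, empty, missing]


if __name__ == "__main__":
    print(format_report(triage_all(make_sample_dir())))
```

Run it as-is to see the three sample rows; to triage real files, pass their paths to triage_all. Where the status is "ok", the MD5 printed here should match the MD5 the scanner reports for the same upload, which confirms the scanner examined the bytes that are actually on disk.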
  8. 2008/08/30
    Nokanda (Thread Starter)
    Hi Geri. Yes, I know about the P2P programs. I got this computer system used and Shareaza, Bearshare, and Limewire were already installed on it. I did do an uninstall the first week I had the system and the programs are no longer on the start menu. The folders were deleted manually long ago since the uninstall did not do that. I was surprised myself to see them show up in the log files. I guess the uninstall didn't remove everything.
     
    Last edited: 2008/08/30
  9. 2008/08/30
    Nokanda (Thread Starter)
    OK, for a while I thought ComboFix was stuck, but I left it alone and it finally finished. Here is the ComboFix log:

    ComboFix 08-08-30.01 - Pam 2008-08-30 19:27:01.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.487 [GMT -4:00]
    Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\#SharedObjects\YJPYQTGV\bin.clearspring.com
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\#SharedObjects\YJPYQTGV\bin.clearspring.com\clearspring.sol
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\#SharedObjects\YJPYQTGV\interclick.com
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\#SharedObjects\YJPYQTGV\interclick.com\ud.sol
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Pam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\WINDOWS\msettings.ini
    C:\WINDOWS\system32\mdm.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
    .

    2008-08-30 06:10 . 2008-08-30 06:10 <DIR> d-------- C:\rsit
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-29 22:57 . 2008-08-29 22:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 03:44 . 2008-08-29 01:54 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-08-26 02:24 . 2008-08-30 18:53 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Program Files\AVG
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 02:24 . 2008-08-26 02:24 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-08-26 02:24 . 2008-08-26 02:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05 . 2008-08-25 23:05 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24 . 2008-08-28 23:48 <DIR> d-------- C:\Program Files\Common Files\LightScribe
    2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
    2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:59 . 2001-08-29 21:00 59,904 --a------ C:\WINDOWS\system32\wbemdisp.tlb
    2008-08-25 21:59 . 2008-08-26 04:10 0 --a------ C:\WINDOWS\lgfwup.ini
    2008-08-25 21:58 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-08-25 21:43 . 2007-01-08 22:17 27,168 --------- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34 . 2008-08-25 20:35 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34 . 2008-08-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29 . 2008-08-25 21:30 <DIR> d-------- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52 . 2008-08-25 19:52 <DIR> d-------- C:\Program Files\Nero
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 17:57 . 2008-08-25 17:57 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50 . 2008-08-25 21:30 <DIR> d-------- C:\WINDOWS\system32\DLA
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Sonic
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Roxio
    2008-08-25 17:42 . 2008-08-25 21:31 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34 . 2008-08-25 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01 . 2008-08-25 17:01 <DIR> d-------- C:\Program Files\honestech
    2008-08-25 16:44 . 2008-08-25 16:48 <DIR> d-------- C:\Program Files\CyberLink
    2008-08-25 16:43 . 2008-08-25 22:02 <DIR> d-------- C:\Program Files\LG USB Booster
    2008-08-16 23:32 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02 . 1995-07-05 14:11 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56 . 2008-08-12 20:56 <DIR> d-------- C:\Program Files\Crayola
    2008-08-12 20:56 . 2008-08-12 20:56 154 --a------ C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:14 . 2008-08-12 20:14 7,680 --ahs---- C:\WINDOWS\Thumbs.db

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-29 01:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-27 12:08 --------- d-----w C:\Program Files\Google
    2008-08-26 01:39 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
    2008-08-25 21:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-25 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 03:32 --------- d-----w C:\Program Files\Yahoo!
    2008-08-17 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-17 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-08-03 18:21 --------- d-----w C:\Program Files\Bingo Blowout
    2008-07-17 19:23 --------- d-----w C:\Program Files\Java
    2007-02-24 23:38 0 --sha-w C:\WINDOWS\system32\Windowsupdates\updatefiles.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 06:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:46 68856]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
    "DAEMON Tools"="g:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29 165784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-25 08:06 282624]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 21:56 1235736]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-25 08:06 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2001-09-24 07:59 73728 C:\Program Files\NavNT\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "G:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "G:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "G:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2625:UDP"= 2625:UDP:Windows Media Format SDK (wmplayer.exe)
    "2624:UDP"= 2624:UDP:Windows Media Format SDK (wmplayer.exe)
    "2627:UDP"= 2627:UDP:Windows Media Format SDK (wmplayer.exe)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    \Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE

    *Newly Created Service* - CATCHME
    *Newly Created Service* - NAVAP
    *Newly Created Service* - NAVENG
    *Newly Created Service* - NAVEX15
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Acrobat Assistant 8 - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    MSConfigStartUp-AdaptecDirectCD - C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\31v7d95s.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-30 19:30:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    Completion time: 2008-08-30 21:42:03
    ComboFix-quarantined-files.txt 2008-08-31 01:33:50

    Pre-Run: 30,059,573,248 bytes free
    Post-Run: 31,405,596,672 bytes free

    183 --- E O F --- 2007-09-04 05:32:05


    And here are the Jotti results:

    C:\Documents and Settings\Pam\ppxcs.exe
    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


    File: msxml3a.dll
    Status: OK
    MD5: 81795efefd0b954482800a7019a11d3c
    Packers detected: -

    Scanner results
    Scan taken on 30 Aug 2008 23:03:47 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing



    File: WAVEMIX.INI
    Status: OK
    MD5: 433c5b3c85e3f2cf7e235dbafdfc12f7
    Packers detected: -

    Scanner results
    Scan taken on 30 Aug 2008 23:05:49 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing



    C:\WINDOWS\system32\drivers\aqyq9qbu.sys

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
     
  10. 2008/08/30
    Geri (Inactive Alumni)
    Hi
    OK, those are not showing in the CF log, so please run RSIT.exe again and post the log.txt log.

    Thanks
    Geri
     
  11. 2008/08/30
    Nokanda (Thread Starter)
    Thanks Geri, here it is:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-08-30 23:47:41
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (79%) free of 38 GB
    Total RAM: 767 MB (56% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:47:57 PM, on 8/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Pam/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    --
    End of file - 7788 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
    "DAEMON Tools"=g:\Program Files\DAEMON Tools\daemon.exe [2007-04-03 165784]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS "= "avgrsstx.dll "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "=msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe "= "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard "
    "C:\Program Files\BitTornado\btdownloadgui.exe "= "C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui "
    "C:\WINDOWS\system32\dplaysvr.exe "= "C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper "
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe "= "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete "
    "C:\Program Files\Messenger\msmsgs.exe "= "C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger "
    "G:\Program Files\mIRC\mirc.exe "= "G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC "
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe "= "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD "
    "C:\Program Files\AVG\AVG8\avgemc.exe "= "C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe "
    "C:\Program Files\AVG\AVG8\avgupd.exe "= "C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe "
    "C:\Program Files\Google\Google Talk\googletalk.exe "= "C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-08-30 21:54:13 ----D---- C:\WINDOWS\temp
    2008-08-30 21:51:29 ----A---- C:\ComboFix.txt
    2008-08-30 19:29:48 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 av1fj8p7;av1fj8p7; C:\WINDOWS\system32\drivers\av1fj8p7.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S2 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

    -----------------EOF-----------------
     
  12. 2008/08/31
    Geri (Inactive Alumni)

    Hi Nokanda
    Ok please do this.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\drivers\av1fj8p7.sys
    
    Driver::
    av1fj8p7

    Please post the combofix log and a new log.txt from RSIT.

    Thanks
    Geri
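A defender-side triage helper for the RSIT "List of drivers" section posted above, added here as an example (it is not RSIT's, ComboFix's or Geri's code): it parses the driver lines, flags entries with no file date/size, no vendor description and a random-looking service name (a heuristic assumed for this example, not a rule stated in the thread), and renders the matching File::/Driver:: CFScript. The sample lines are constructed from the log above.

```python
"""Triage helper for RSIT 'List of drivers' output.

Added example, not part of RSIT, ComboFix or the thread: it flags driver
entries that look like a randomly named dropper service and renders the
matching ComboFix CFScript (File:: / Driver:: sections).
"""
import re

# Constructed sample, copied in shape from the RSIT listing posted above.
SAMPLE_DRIVERS = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 av1fj8p7;av1fj8p7; C:\WINDOWS\system32\drivers\av1fj8p7.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
"""

# RSIT line layout: "<start-type> <name>;<description>; <path> [<date> <size>]"
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*); (?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)


def parse_driver_line(line):
    """Return a dict for one RSIT driver line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # An empty "[]" means RSIT found no file date/size: the file is missing or hidden.
    entry["has_file_info"] = bool(entry["meta"].strip())
    return entry


def alnum_transitions(name):
    """Count letter<->digit switches; machine-generated names such as av1fj8p7 score high."""
    kinds = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def is_suspicious(entry):
    """Heuristic assumed by this example (not a rule from the thread): no file
    metadata, description identical to the service name, random-looking name."""
    return (
        not entry["has_file_info"]
        and entry["desc"] == entry["name"]
        and alnum_transitions(entry["name"]) >= 3
    )


def triage(listing):
    """Parse a whole 'List of drivers' block and return the suspicious entries."""
    entries = (parse_driver_line(line) for line in listing.splitlines())
    return [e for e in entries if e and is_suspicious(e)]


def build_cfscript(entries):
    """Render the File:: and Driver:: sections in the layout ComboFix reads."""
    files = []
    for e in entries:
        path = e["path"]
        if path.startswith("\\??\\"):  # strip the NT object-manager prefix
            path = path[4:]
        files.append(path)
    lines = ["File::"] + files + ["", "Driver::"] + [e["name"] for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_DRIVERS)
    for e in flagged:
        print(f"suspicious: {e['start']} {e['name']} -> {e['path']}")
    print(build_cfscript(flagged), end="")
```

Run on the sample it flags only av1fj8p7 and prints the same two sections Geri posted; catchme and NAVAP also lack file metadata but have ordinary names, so they are left alone.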
     
  13. 2008/08/31
    Nokanda (Thread Starter)

    Hi Geri. Once again, thank you so much for all your help with this.

    Here are the logs. First though, I saw a message when ComboFix first opened that said it couldn't open 2 files because they were in use by another process. The program halted. I ran it again and this time it only had that message for 1 file but this time the program started up with the disclaimer window and created the log below:

    ComboFix 08-08-30.01 - Pam 2008-08-31 22:45:59.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.482 [GMT -4:00]
    Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Pam\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
    .

    2008-08-30 06:10 . 2008-08-30 06:10 <DIR> d-------- C:\rsit
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-29 22:57 . 2008-08-29 22:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 03:44 . 2008-08-31 00:46 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-08-26 02:24 . 2008-08-31 22:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Program Files\AVG
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 02:24 . 2008-08-26 02:24 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-08-26 02:24 . 2008-08-26 02:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05 . 2008-08-25 23:05 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24 . 2008-08-28 23:48 <DIR> d-------- C:\Program Files\Common Files\LightScribe
    2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
    2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:59 . 2001-08-29 21:00 59,904 --a------ C:\WINDOWS\system32\wbemdisp.tlb
    2008-08-25 21:59 . 2008-08-26 04:10 0 --a------ C:\WINDOWS\lgfwup.ini
    2008-08-25 21:58 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-08-25 21:43 . 2007-01-08 22:17 27,168 --------- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34 . 2008-08-25 20:35 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34 . 2008-08-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29 . 2008-08-25 21:30 <DIR> d-------- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52 . 2008-08-25 19:52 <DIR> d-------- C:\Program Files\Nero
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 17:57 . 2008-08-25 17:57 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50 . 2008-08-25 21:30 <DIR> d-------- C:\WINDOWS\system32\DLA
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Sonic
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Roxio
    2008-08-25 17:42 . 2008-08-25 21:31 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34 . 2008-08-25 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01 . 2008-08-25 17:01 <DIR> d-------- C:\Program Files\honestech
    2008-08-25 16:44 . 2008-08-25 16:48 <DIR> d-------- C:\Program Files\CyberLink
    2008-08-25 16:43 . 2008-08-25 22:02 <DIR> d-------- C:\Program Files\LG USB Booster
    2008-08-16 23:32 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02 . 1995-07-05 14:11 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56 . 2008-08-12 20:56 <DIR> d-------- C:\Program Files\Crayola
    2008-08-12 20:56 . 2008-08-12 20:56 154 --a------ C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:14 . 2008-08-12 20:14 7,680 --ahs---- C:\WINDOWS\Thumbs.db

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-31 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-27 12:08 --------- d-----w C:\Program Files\Google
    2008-08-26 01:39 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
    2008-08-25 21:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-25 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 03:32 --------- d-----w C:\Program Files\Yahoo!
    2008-08-17 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-17 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-08-03 18:21 --------- d-----w C:\Program Files\Bingo Blowout
    2008-07-17 19:23 --------- d-----w C:\Program Files\Java
    2007-02-24 23:38 0 --sha-w C:\WINDOWS\system32\Windowsupdates\updatefiles.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 06:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:46 68856]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
    "DAEMON Tools "= "g:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29 165784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "vptray "= "C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-05-25 08:06 282624]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 21:56 1235736]
    "googletalk "= "C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-25 08:06 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2001-09-24 07:59 73728 C:\Program Files\NavNT\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "G:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe "=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe "=
    "C:\\WINDOWS\\system32\\dplaysvr.exe "=
    "G:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "G:\\Program Files\\mIRC\\mirc.exe "=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2625:UDP "= 2625:UDP:Windows Media Format SDK (wmplayer.exe)
    "2624:UDP "= 2624:UDP:Windows Media Format SDK (wmplayer.exe)
    "2627:UDP "= 2627:UDP:Windows Media Format SDK (wmplayer.exe)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 21:41]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 21:42]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 21:48]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-26 02:24]
    R3 INIDVD;Initio USB DVD Filter Driver;C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 10:18]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    \Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-31 22:47:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\DOCUME~1\Pam\LOCALS~1\Temp\RGIB.tmp 7075 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
    "ImagePath "=multi: "system32\DRIVERS\inidvd.sys\00 "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
    "ImagePath "=multi: "system32\DRIVERS\inidvd.sys\00 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    Completion time: 2008-08-31 22:50:10
    ComboFix-quarantined-files.txt 2008-09-01 02:49:45
    ComboFix2.txt 2008-08-31 01:51:29

    Pre-Run: 31,411,683,328 bytes free
    Post-Run: 31,402,766,336 bytes free

    163 --- E O F --- 2007-09-04 05:32:05
     
  14. 2008/08/31
    Nokanda (Thread Starter)

    and here is the RSIT log:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 00:06:39
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (79%) free of 38 GB
    Total RAM: 767 MB (55% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:06:47 AM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Pam/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    --
    End of file - 7989 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
    "DAEMON Tools"=g:\Program Files\DAEMON Tools\daemon.exe [2007-04-03 165784]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-08-31 22:50:16 ----A---- C:\ComboFix.txt
    2008-08-31 22:47:39 ----D---- C:\WINDOWS\temp
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 adkor0q0;adkor0q0; C:\WINDOWS\system32\drivers\adkor0q0.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S2 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

    -----------------EOF-----------------
     
  15. 2008/08/31
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    My system is working much better the last couple of days, not so slow except during boot up. Firefox still crashes though so I may have to uninstall and reinstall it once this is all over since I'm not a big fan of Explorer. I do so much appreciate all the help you've given.
     
  16. 2008/08/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok we will need to try this again, only this time in safe mode. That file renamed itself.

    First delete the CFScript you have on your desktop.

    Now do this,

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    File::
    C:\WINDOWS\system32\drivers\adkor0q0.sys 
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job
    
    Driver::
    adkor0q0 
    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. If it doesn't reboot, reboot it yourself back to normal Windows. A log will open when it's complete. Post the contents of that log and another RSIT Log.txt
    The combofix log should be located here,
    C:\combofix.txt

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Thanks
    Geri
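
The indicators Geri's CFScript acts on (a driver in system32\drivers with no file metadata and a random-looking name, plus the block of At*.job scheduled tasks) can be pulled out of an RSIT log automatically and turned into the same KillAll::/File::/Driver:: layout. This is an added Python example, not a tool from this thread or from the RSIT or ComboFix authors; the driver-name heuristic and the At*.job cluster threshold are assumptions, and the log excerpt is constructed from the format posted above.

```python
import re

# Constructed excerpt in the RSIT "Scheduled tasks folder" / "List of drivers"
# format posted in this thread (abridged, not the full log).
SAMPLE_LOG = r"""
Scheduled tasks folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At2.job

List of drivers

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 adkor0q0;adkor0q0; C:\WINDOWS\system32\drivers\adkor0q0.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []

List of services
"""

SECTION_TITLES = {
    "Scheduled tasks folder",
    "Registry dump",
    "List of files/folders created in the last three months",
    "List of drivers",
    "List of services",
}

# "R3 name;display name; path [date size]"; the bracket is empty when RSIT
# could not read the file's date and size.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]$"
)
AT_JOB_RE = re.compile(r"\\tasks\\At(\d+)\.job$", re.IGNORECASE)
# Assumption (heuristic): a digit followed by a letter inside the service name,
# as in "adkor0q0"; vendor names with a trailing number (avgldx86, NAVEX15) do not match.
INTERIOR_DIGIT_RE = re.compile(r"\d[a-z]", re.IGNORECASE)


def parse_sections(text):
    """Split an RSIT log into {section title: [non-empty stripped lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_TITLES:
            current = line
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def suspicious_drivers(driver_lines):
    """Drivers with no file metadata, located under system32\\drivers, whose
    random-looking service name is also used as the display name."""
    hits = []
    for line in driver_lines:
        m = DRIVER_RE.match(line)
        if not m:
            continue
        name, display, path, info = (m.group(k).strip() for k in ("name", "display", "path", "info"))
        if (info == ""
                and "\\system32\\drivers\\" in path.lower()
                and display.lower() == name.lower()
                and INTERIOR_DIGIT_RE.search(name)):
            hits.append({"name": name, "path": path, "line": line})
    return hits


def at_jobs(task_lines):
    """All At<N>.job entries, sorted numerically (the log lists them lexically)."""
    found = []
    for line in task_lines:
        m = AT_JOB_RE.search(line)
        if m:
            found.append((int(m.group(1)), line))
    return [path for _, path in sorted(found)]


def build_cfscript(files, drivers):
    """Emit a CFScript in the layout used in the post above: KillAll::, File::, Driver::."""
    lines = ["KillAll::", "File::", *files, "", "Driver::", *drivers]
    return "\n".join(lines) + "\n"


def analyze(text, at_job_alert=10):
    """Assumption: at_job_alert or more At*.job tasks counts as a cluster worth removing."""
    sections = parse_sections(text)
    drivers = suspicious_drivers(sections.get("List of drivers", []))
    jobs = at_jobs(sections.get("Scheduled tasks folder", []))
    cluster = len(jobs) >= at_job_alert
    files = [d["path"] for d in drivers] + (jobs if cluster else [])
    return {
        "drivers": drivers,
        "at_jobs": jobs,
        "at_job_cluster": cluster,
        "cfscript": build_cfscript(files, [d["name"] for d in drivers]),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, at_job_alert=3)
    for d in result["drivers"]:
        print("suspicious driver:", d["line"])
    print(len(result["at_jobs"]), "At*.job tasks; cluster =", result["at_job_cluster"])
    print(result["cfscript"])
```

Review the generated script by hand before using it; the heuristics only encode what this thread's log showed, and a legitimate driver that RSIT could not stat would need to be whitelisted.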
     
  17. 2008/08/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Have you run that yet? Please let me know if you haven't.
     
  18. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    This may or may not be relevant: When I started Combofix after I restarted in safe mode the program reported it couldn't open the file because it was in use by another system but this time Combofix continued to load and I was able to load the script. Here is the Combofix log:

    ComboFix 08-08-30.01 - Pam 2008-09-01 8:04:00.4 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.623 [GMT -4:00]
    Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Pam\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
    .

    2008-08-30 06:10 . 2008-08-30 06:10 <DIR> d-------- C:\rsit
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-29 22:57 . 2008-08-29 22:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 03:44 . 2008-08-31 00:46 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-08-26 02:24 . 2008-08-31 22:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Program Files\AVG
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 02:24 . 2008-08-26 02:24 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-08-26 02:24 . 2008-08-26 02:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05 . 2008-08-25 23:05 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24 . 2008-08-28 23:48 <DIR> d-------- C:\Program Files\Common Files\LightScribe
    2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
    2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:59 . 2001-08-29 21:00 59,904 --a------ C:\WINDOWS\system32\wbemdisp.tlb
    2008-08-25 21:59 . 2008-08-26 04:10 0 --a------ C:\WINDOWS\lgfwup.ini
    2008-08-25 21:58 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-08-25 21:43 . 2007-01-08 22:17 27,168 --------- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34 . 2008-08-25 20:35 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34 . 2008-08-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29 . 2008-08-25 21:30 <DIR> d-------- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52 . 2008-08-25 19:52 <DIR> d-------- C:\Program Files\Nero
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 17:57 . 2008-08-25 17:57 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50 . 2008-08-25 21:30 <DIR> d-------- C:\WINDOWS\system32\DLA
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Sonic
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Roxio
    2008-08-25 17:42 . 2008-08-25 21:31 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34 . 2008-08-25 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01 . 2008-08-25 17:01 <DIR> d-------- C:\Program Files\honestech
    2008-08-25 16:44 . 2008-08-25 16:48 <DIR> d-------- C:\Program Files\CyberLink
    2008-08-25 16:43 . 2008-08-25 22:02 <DIR> d-------- C:\Program Files\LG USB Booster
    2008-08-16 23:32 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02 . 1995-07-05 14:11 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56 . 2008-08-12 20:56 <DIR> d-------- C:\Program Files\Crayola
    2008-08-12 20:56 . 2008-08-12 20:56 154 --a------ C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:14 . 2008-08-12 20:14 7,680 --ahs---- C:\WINDOWS\Thumbs.db

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-27 12:08 --------- d-----w C:\Program Files\Google
    2008-08-26 01:39 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
    2008-08-25 21:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-25 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 03:32 --------- d-----w C:\Program Files\Yahoo!
    2008-08-17 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-17 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-08-03 18:21 --------- d-----w C:\Program Files\Bingo Blowout
    2008-07-17 19:23 --------- d-----w C:\Program Files\Java
    2007-02-24 23:38 0 --sha-w C:\WINDOWS\system32\Windowsupdates\updatefiles.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 06:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:46 68856]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
    "DAEMON Tools"="g:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29 165784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-25 08:06 282624]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 21:56 1235736]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-25 08:06 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2001-09-24 07:59 73728 C:\Program Files\NavNT\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "G:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "G:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "G:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2625:UDP"= 2625:UDP:Windows Media Format SDK (wmplayer.exe)
    "2624:UDP"= 2624:UDP:Windows Media Format SDK (wmplayer.exe)
    "2627:UDP"= 2627:UDP:Windows Media Format SDK (wmplayer.exe)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 21:41]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 21:42]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 21:48]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-26 02:24]
    R3 INIDVD;Initio USB DVD Filter Driver;C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 10:18]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    \Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-01 08:08:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-01 8:15:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-01 12:14:27
    ComboFix2.txt 2008-09-01 05:15:00
    ComboFix3.txt 2008-09-01 02:50:16
    ComboFix4.txt 2008-08-31 01:51:29

    Pre-Run: 32,214,458,368 bytes free
    Post-Run: 31,403,827,200 bytes free

    227 --- E O F --- 2007-09-04 05:32:05
     
  19. 2008/09/01
    Nokanda (Thread Starter)
    and here is the RSIT log:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 08:20:46
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (79%) free of 38 GB
    Total RAM: 767 MB (65% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:21:05 AM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    G:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "g:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Pam/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    --
    End of file - 7985 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
    "DAEMON Tools"=g:\Program Files\DAEMON Tools\daemon.exe [2007-04-03 165784]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 08:15:18 ----D---- C:\WINDOWS\temp
    2008-09-01 08:15:05 ----A---- C:\ComboFix.txt
    2008-09-01 08:03:08 ----D---- C:\ComboFix
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 alh5hg1f;alh5hg1f; C:\WINDOWS\system32\drivers\alh5hg1f.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S2 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

    -----------------EOF-----------------
     
  20. 2008/09/01
    Geri (Inactive Alumni)
    Hi
    OK this just does not want to go away:(

    One more time. this time in normal mode.:rolleyes:

    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\WINDOWS\system32\DRIVERS\inidvd.sys
    • Click on the submit button
    • Please post the results in your next reply.


    Please delete the CFScript you have.

    Now Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Code:
    KillAll::
    File::
    C:\WINDOWS\system32\drivers\alh5hg1f.sys
    
    Folder::
    C:\WINDOWS\system32\Windowsupdates
    
    Driver::
    alh5hg1f 
    Please post the CF log and a new RSIT log and the Jotti results.

    Thanks
    Geri
     
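The CFScript above targets the alh5hg1f driver, which the RSIT "List of drivers" section lists with an empty [] where every legitimate driver shows a file date and size. The following Python script is an added example, not code from this thread or from RSIT: it parses RSIT driver lines and scores the properties a reviewer looks at (missing file metadata, a display name that is just the service name, a random-looking name). The sample lines are constructed in RSIT's format, several copied from the log posted above; the scoring weights and threshold are assumptions, not anything RSIT or the helper defined.

```python
"""Triage RSIT "List of drivers" lines for entries worth a closer look.

Added example; not part of RSIT or of this thread. Heuristic scoring only:
a high score means "inspect this driver", not "this driver is malicious".
"""
import re
from dataclasses import dataclass, field

# Constructed sample in RSIT "List of drivers" format. Several lines are
# copied from the RSIT log posted in the thread; the header line and the
# blank lines are included so the parser has to skip them.
SAMPLE_DRIVERS = r"""
List of drivers

R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 alh5hg1f;alh5hg1f; C:\WINDOWS\system32\drivers\alh5hg1f.sys []
S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
"""

# One RSIT driver/service line: "<state> <name>;<description>; <path> [<date size>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Lowercase letters and digits mixed together, 6-12 characters: typical of
# machine-generated names, rare for vendor drivers (a heuristic, not a rule).
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}")


@dataclass
class Finding:
    name: str
    path: str
    score: int
    reasons: list = field(default_factory=list)


def parse_driver_lines(text):
    """Yield a dict of named groups for every line in RSIT driver format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def score_entry(entry):
    """Score one parsed entry; each matching heuristic adds one point."""
    f = Finding(entry["name"], entry["path"], 0)
    if not entry["meta"].strip():
        f.score += 1
        f.reasons.append("no date/size in [] (file missing or unreadable)")
    if entry["name"].lower() == entry["desc"].strip().lower():
        f.score += 1
        f.reasons.append("display name is just the service name")
    if RANDOM_NAME_RE.fullmatch(entry["name"]):
        f.score += 1
        f.reasons.append("random-looking lowercase alphanumeric name")
    return f


def triage(text, threshold=3):
    """Return findings scoring at least `threshold`, highest score first."""
    findings = [score_entry(e) for e in parse_driver_lines(text)]
    findings = [f for f in findings if f.score >= threshold]
    return sorted(findings, key=lambda f: (-f.score, f.name))


if __name__ == "__main__":
    for f in triage(SAMPLE_DRIVERS):
        print(f"{f.score}  {f.name}  {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the sample, only alh5hg1f reaches the default threshold of 3; the Symantec entries with `\??\` paths score 2 (empty metadata, bare names) and drop out, which is why the threshold exists: a reviewer still eyeballs the 2-point entries, but the script puts the one that needs a Jotti upload or a CFScript entry at the top.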
  21. 2008/09/01
    Nokanda (Thread Starter)
    Hi Geri, once again the message came up that the file could not be opened because it was in use by another process but Combofix did continue to load and did finish. Here is the Jotti log:

    File: inidvd.sys
    Status:
    OK
    MD5: 5f798ff524694c54543a5735b1e87904
    Packers detected:
    -
    Scanner results
    Scan taken on 01 Sep 2008 16:23:28 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing


    and here is the Combofix log:

    ComboFix 08-08-30.01 - Pam 2008-09-01 12:29:34.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.532 [GMT -4:00]
    Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Pam\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\Windowsupdates
    C:\WINDOWS\system32\Windowsupdates\updatefiles.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
    .

    2008-08-30 06:10 . 2008-08-30 06:10 <DIR> d-------- C:\rsit
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-29 22:57 . 2008-08-29 22:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 03:44 . 2008-08-31 00:46 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-08-26 02:24 . 2008-09-01 08:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Program Files\AVG
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 02:24 . 2008-08-26 02:24 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-08-26 02:24 . 2008-08-26 02:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05 . 2008-08-25 23:05 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24 . 2008-08-28 23:48 <DIR> d-------- C:\Program Files\Common Files\LightScribe
    2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
    2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:59 . 2001-08-29 21:00 59,904 --a------ C:\WINDOWS\system32\wbemdisp.tlb
    2008-08-25 21:59 . 2008-08-26 04:10 0 --a------ C:\WINDOWS\lgfwup.ini
    2008-08-25 21:58 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-08-25 21:43 . 2007-01-08 22:17 27,168 --------- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34 . 2008-08-25 20:35 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34 . 2008-08-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29 . 2008-08-25 21:30 <DIR> d-------- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52 . 2008-08-25 19:52 <DIR> d-------- C:\Program Files\Nero
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 17:57 . 2008-08-25 17:57 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50 . 2008-08-25 21:30 <DIR> d-------- C:\WINDOWS\system32\DLA
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Sonic
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Roxio
    2008-08-25 17:42 . 2008-08-25 21:31 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34 . 2008-08-25 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01 . 2008-08-25 17:01 <DIR> d-------- C:\Program Files\honestech
    2008-08-25 16:44 . 2008-08-25 16:48 <DIR> d-------- C:\Program Files\CyberLink
    2008-08-25 16:43 . 2008-08-25 22:02 <DIR> d-------- C:\Program Files\LG USB Booster
    2008-08-16 23:32 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02 . 1995-07-05 14:11 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56 . 2008-08-12 20:56 <DIR> d-------- C:\Program Files\Crayola
    2008-08-12 20:56 . 2008-08-12 20:56 154 --a------ C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:14 . 2008-08-12 20:14 7,680 --ahs---- C:\WINDOWS\Thumbs.db

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-27 12:08 --------- d-----w C:\Program Files\Google
    2008-08-26 01:39 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
    2008-08-25 21:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-25 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 03:32 --------- d-----w C:\Program Files\Yahoo!
    2008-08-17 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-17 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-08-03 18:21 --------- d-----w C:\Program Files\Bingo Blowout
    2008-07-17 19:23 --------- d-----w C:\Program Files\Java
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 06:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:46 68856]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
    "DAEMON Tools "= "g:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29 165784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "vptray "= "C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-05-25 08:06 282624]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 21:56 1235736]
    "googletalk "= "C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-25 08:06 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2001-09-24 07:59 73728 C:\Program Files\NavNT\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "G:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe "=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe "=
    "C:\\WINDOWS\\system32\\dplaysvr.exe "=
    "G:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "G:\\Program Files\\mIRC\\mirc.exe "=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2625:UDP "= 2625:UDP:Windows Media Format SDK (wmplayer.exe)
    "2624:UDP "= 2624:UDP:Windows Media Format SDK (wmplayer.exe)
    "2627:UDP "= 2627:UDP:Windows Media Format SDK (wmplayer.exe)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 21:41]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 21:42]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 21:48]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-26 02:24]
    R3 INIDVD;Initio USB DVD Filter Driver;C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 10:18]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    \Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-01 12:33:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
    "ImagePath "=multi: "system32\DRIVERS\inidvd.sys\00 "

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
    "ImagePath "=multi: "system32\DRIVERS\inidvd.sys\00 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-01 12:39:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-01 16:39:01
    ComboFix2.txt 2008-09-01 12:15:05
    ComboFix3.txt 2008-09-01 05:15:00
    ComboFix4.txt 2008-09-01 02:50:16
    ComboFix5.txt 2008-09-01 16:28:53

    Pre-Run: 31,391,551,488 bytes free
    Post-Run: 31,381,815,296 bytes free

    181 --- E O F --- 2007-09-04 05:32:05
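    The two reports above are what a helper reads by hand: the "Files Created" window and the R1/R2/R3 service lines of the ComboFix log, and the per-scanner verdicts from Jotti. The following Python script is an added example (it is not ComboFix, Jotti or WindowsBBS code) that does the same cross-check mechanically: it parses the created-file entries, notes which .sys files in the window have no service line loading them, flags hidden entries, and counts how many Jotti scanners returned something other than "Found nothing". The sample text is copied from the logs posted in this thread and embedded as constructed input; the regular expressions and the assumption that the attribute column order is d/r/a/h/s are mine, based only on the lines shown here.

```python
"""Triage helpers for ComboFix and Jotti output (added example, not tool code)."""
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread.
COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-26 03:44 . 2008-08-31 00:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 21:41]
R3 INIDVD;Initio USB DVD Filter Driver;C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 10:18]
"""

# Constructed sample: the Jotti result posted above, shortened to four scanners.
JOTTI_SAMPLE = """File: inidvd.sys
Status:
OK
MD5: 5f798ff524694c54543a5735b1e87904
Packers detected:
-
Scanner results
Scan taken on 01 Sep 2008 16:23:28 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
"""

# "created . modified size attrs path"; size is <DIR> for folders.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$")
# "R1 name;description;path [timestamp]" service/driver lines.
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")


def basename(path):
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def parse_created_files(text):
    """Return one dict per entry in the 'Files Created' section."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            # Assumed column order d/r/a/h/s: index 3 is the hidden flag.
            "hidden": len(attrs) > 3 and attrs[3] == "h",
            "path": path.strip(),
        })
    return entries


def parse_services(text):
    """Map driver/service file name -> (service name, description)."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            name, desc, path = m.groups()
            services[basename(path)] = (name.strip(), desc.strip())
    return services


def drivers_without_service(text):
    """.sys files created in the window that no listed service loads.

    A hit is a prompt to look, not a verdict: on-demand drivers such as the
    Malwarebytes ones land here too.
    """
    services = parse_services(text)
    return [basename(e["path"]) for e in parse_created_files(text)
            if e["path"].lower().endswith(".sys")
            and basename(e["path"]) not in services]


def parse_jotti(text):
    """Extract file name, MD5 and the scanner -> verdict pairs."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    result = {"file": None, "md5": None, "verdicts": {}}
    start = None
    for idx, line in enumerate(lines):
        if line.startswith("File:"):
            result["file"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5:"):
            result["md5"] = line.split(":", 1)[1].strip()
        elif line.startswith("Scan taken on"):
            start = idx + 1
            break
    if start is not None:
        # After the timestamp the report alternates scanner name / verdict.
        for scanner, verdict in zip(lines[start::2], lines[start + 1::2]):
            result["verdicts"][scanner] = verdict
    return result


def detection_count(report):
    """Number of scanners whose verdict was not the clean 'Found nothing'."""
    return sum(1 for v in report["verdicts"].values() if v != "Found nothing")


if __name__ == "__main__":
    print("drivers with no service line:", drivers_without_service(COMBOFIX_SAMPLE))
    print("hidden entries:", [e["path"] for e in parse_created_files(COMBOFIX_SAMPLE) if e["hidden"]])
    jotti = parse_jotti(JOTTI_SAMPLE)
    print(jotti["file"], jotti["md5"], "detections:", detection_count(jotti))
```

    On the sample above the only drivers without a service line are the two Malwarebytes ones, whose install folder appears in the same log, and the only hidden entry is the AVG vault; the Jotti report for inidvd.sys parses to zero detections, which matches the helper's reading of it. The parsers only know the line shapes visible in this thread, so a differently formatted ComboFix section simply yields no entries rather than a wrong one.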
     
