
Solved Another Virtumonde victim who needs help

Discussion in 'Malware and Virus Removal Archive' started by Nokanda, 2008/08/29.

  1. 2008/09/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    The new RSIT log please.

    I have a feeling that the driver was still not deleted and we will need to get tougher on it. :)

    Geri
     
  2. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Hi Geri

    This may or may not have a connection. I checked Services under Computer Management and found the following:

    Remote Access Auto Connection Manager - Manual
    Remote Access Connection Manager - Started - Manual
    Remote Desktop Help Session Manager - Manual
    Remote Procedure Call (RPC) - Started - Automatic
    Remote Procedure Call (RPC) Locator - Manual
    Remote Registry - Started - Automatic

    When I got this computer I had these all stopped and set to manual. I didn't change them since I'm not sure if the programs you have me using need access, but if they don't I'd like to change them back.

    Also, Secondary Logon is started and set to Automatic. I can't remember if it was stopped and set to manual before all this started.


    Here is the RSIT log:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 14:25:42
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (51% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:25:51 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7731 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 13:08:23 ----SHD---- C:\RECYCLER
    2008-09-01 12:39:22 ----D---- C:\WINDOWS\temp
    2008-09-01 12:39:20 ----A---- C:\ComboFix.txt
    2008-09-01 12:28:49 ----D---- C:\ComboFix
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 acsc4pqc;acsc4pqc; C:\WINDOWS\system32\drivers\acsc4pqc.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
     


  4. 2008/09/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK here is what I have.

    Remote Access Auto Connection Manager - Disabled
    Remote Access Connection Manager - Started - Manual
    Remote Desktop Help Session Manager - Manual
    Remote Procedure Call (RPC) - Started - Automatic
    Remote Procedure Call (RPC) Locator - Manual
    Remote Registry - Started - Automatic <Don't have
    Secondary Logon is started and set to Automatic

    They may reset themselves? Not sure. You can change them back, but please wait until we're done.

    OK, let's try this.

    Delete the CFScript you have and use this one.

    Code:
    KillAll::
    RootKit::
    C:\WINDOWS\system32\drivers\acsc4pqc.sys

    Driver::
    acsc4pqc

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    Please post the CF log and a new RSIT log.

    Thanks
    Geri
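As an added example (not code from the thread, from RSIT or from ComboFix): a small Python triage script that applies the two checks the CFScript above acts on to RSIT log lines, flagging driver entries like the acsc4pqc one and comparing a SecurityProviders value against the default list. It assumes the RSIT driver-line layout shown in the posted log, a constructed sample of six such lines, heuristics of my own for what a suspicious driver entry looks like, and that the XP default SecurityProviders list is the one the Registry:: section writes back.

```python
import re

# Constructed sample in the RSIT "List of drivers" layout used by the log in this thread.
# The acsc4pqc entry is the driver the CFScript above removes; the rest are ordinary entries.
RSIT_DRIVERS = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 acsc4pqc;acsc4pqc; C:\WINDOWS\system32\drivers\acsc4pqc.sys []
"""

# One RSIT driver line: "<start type> <service name>;<display name>; <path> [<date size>]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);\s*(.*?)\s*\[([^\]]*)\]\s*$")

# Assumed Windows XP SP2 default for the SecurityProviders value (the list the
# Registry:: section of the CFScript writes back).
XP_DEFAULT_SECURITY_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]


def parse_drivers(text):
    """Parse RSIT driver lines into dicts; lines that do not match the layout are skipped."""
    drivers = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        start, name, display, path, meta = m.groups()
        drivers.append({"start": start, "name": name, "display": display,
                        "path": path, "meta": meta.strip()})
    return drivers


def looks_generated(name):
    """Heuristic: short, all-lowercase token mixing letters and digits (e.g. 'acsc4pqc')."""
    return (6 <= len(name) <= 10 and name.isalnum() and name.islower()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage_drivers(drivers):
    """Return [(service name, reasons)] for entries that deserve a closer look.

    A driver is flagged when RSIT could not read the file's date and size ("[]"),
    it lives in the system32 drivers folder, and it either has no descriptive
    display name or carries a machine-generated-looking name. Legitimate drivers
    can show "[]" too (the AVG entries above do, because of their odd ImagePath),
    so the location and naming signals are required as well.
    """
    flagged = []
    for d in drivers:
        hidden = d["meta"] == ""
        in_drivers_dir = "system32\\drivers\\" in d["path"].lower()
        no_display = d["name"].lower() == d["display"].lower()
        generated = looks_generated(d["name"])
        if hidden and in_drivers_dir and (no_display or generated):
            reasons = ["file date/size unreadable (hidden or missing)",
                       "located in system32\\drivers"]
            if no_display:
                reasons.append("display name is just the service name")
            if generated:
                reasons.append("machine-generated-looking name")
            flagged.append((d["name"], reasons))
    return flagged


def security_providers_diff(value):
    """Return the entries of a SecurityProviders value that are not in the XP default.

    Entries are split on commas and whitespace; an empty result means the value
    matches the default. A value whose separators have been stripped (the DLL names
    run together) comes back as one unknown entry, which is also a mismatch.
    """
    entries = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return [e for e in entries if e not in XP_DEFAULT_SECURITY_PROVIDERS]


if __name__ == "__main__":
    for name, reasons in triage_drivers(parse_drivers(RSIT_DRIVERS)):
        print(name, "->", "; ".join(reasons))
    # Constructed value with an extra provider DLL appended to the default list.
    print(security_providers_diff("msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, extra.dll"))
```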
     
  5. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Once again ComboFix reported the file could not be opened because it was being used by another process. ComboFix continued to load and run, but this time there were some error windows popping up. The first one was "pc.cfexe has encountered a problem and needs to close". I clicked on "Don't send" to Microsoft. The next one was "catchme.cfexe - DLL initialization failed. The application failed to initialize because the window station is shutting down". There were no buttons to push so I closed it.

    Here is the ComboFix log:

    ComboFix 08-08-30.01 - Pam 2008-09-01 15:06:27.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.463 [GMT -4:00]
    Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Pam\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_acsc4pqc


    ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
    .

    2008-08-30 06:10 . 2008-08-30 06:10 <DIR> d-------- C:\rsit
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-29 22:57 . 2008-08-29 22:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 03:44 . 2008-08-31 00:46 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-08-26 02:24 . 2008-09-01 08:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Program Files\AVG
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 02:24 . 2008-08-26 02:24 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-08-26 02:24 . 2008-08-26 02:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05 . 2008-08-25 23:05 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24 . 2008-08-28 23:48 <DIR> d-------- C:\Program Files\Common Files\LightScribe
    2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
    2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:59 . 2001-08-29 21:00 59,904 --a------ C:\WINDOWS\system32\wbemdisp.tlb
    2008-08-25 21:59 . 2008-08-26 04:10 0 --a------ C:\WINDOWS\lgfwup.ini
    2008-08-25 21:58 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-08-25 21:43 . 2007-01-08 22:17 27,168 --------- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34 . 2008-08-25 20:35 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34 . 2008-08-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29 . 2008-08-25 21:30 <DIR> d-------- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52 . 2008-08-25 19:52 <DIR> d-------- C:\Program Files\Nero
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 17:57 . 2008-08-25 17:57 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50 . 2008-08-25 21:30 <DIR> d-------- C:\WINDOWS\system32\DLA
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Sonic
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Roxio
    2008-08-25 17:42 . 2008-08-25 21:31 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34 . 2008-08-25 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01 . 2008-08-25 17:01 <DIR> d-------- C:\Program Files\honestech
    2008-08-25 16:44 . 2008-08-25 16:48 <DIR> d-------- C:\Program Files\CyberLink
    2008-08-25 16:43 . 2008-08-25 22:02 <DIR> d-------- C:\Program Files\LG USB Booster
    2008-08-16 23:32 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02 . 1995-07-05 14:11 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56 . 2008-08-12 20:56 <DIR> d-------- C:\Program Files\Crayola
    2008-08-12 20:56 . 2008-08-12 20:56 154 --a------ C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:14 . 2008-08-12 20:14 7,680 --ahs---- C:\WINDOWS\Thumbs.db

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-27 12:08 --------- d-----w C:\Program Files\Google
    2008-08-26 01:39 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
    2008-08-25 21:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-25 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 03:32 --------- d-----w C:\Program Files\Yahoo!
    2008-08-17 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-17 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-08-03 18:21 --------- d-----w C:\Program Files\Bingo Blowout
    2008-07-17 19:23 --------- d-----w C:\Program Files\Java
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-30_19.37.54.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 06:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:46 68856]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-25 08:06 282624]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 21:56 1235736]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-25 08:06 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2001-09-24 07:59 73728 C:\Program Files\NavNT\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "G:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "G:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "G:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2625:UDP"= 2625:UDP:Windows Media Format SDK (wmplayer.exe)
    "2624:UDP"= 2624:UDP:Windows Media Format SDK (wmplayer.exe)
    "2627:UDP"= 2627:UDP:Windows Media Format SDK (wmplayer.exe)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 21:41]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 21:42]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 21:48]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-26 02:24]
    R3 INIDVD;Initio USB DVD Filter Driver;C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 10:18]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    \Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-01 15:22:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-01 15:28:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-01 19:28:05
    ComboFix2.txt 2008-09-01 16:39:20
    ComboFix3.txt 2008-09-01 12:15:05
    ComboFix4.txt 2008-09-01 05:15:00
    ComboFix5.txt 2008-09-01 19:04:50

    Pre-Run: 31,367,356,416 bytes free
    Post-Run: 31,305,605,120 bytes free

    185 --- E O F --- 2007-09-04 05:32:05
     
  6. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    and here is the RSIT log:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 15:32:03
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (69% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:32:06 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7578 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 15:28:29 ----D---- C:\WINDOWS\temp
    2008-09-01 15:28:27 ----A---- C:\ComboFix.txt
    2008-09-01 15:04:46 ----D---- C:\ComboFix
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 ampq7etv;ampq7etv; C:\WINDOWS\system32\drivers\ampq7etv.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
     
  7. 2008/09/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    UUURRRR :mad:

    OK, let's try something else.

    Enable the 'Show Hidden Files/Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Download Unlocker
    Once installed:
    Locate the file
    C:\WINDOWS\system32\drivers\ampq7etv.sys
    Right-click and select 'Unlocker'
    In the window that appears select 'Unlock All'
    In the drop down menu select 'delete'.

    If it deletes, empty your recycle bin.


    Open “Notepad” and copy the contents of the code box below into the blank Notepad window.
    Click "File" > "Save As".
    In the "Save In" box at the top click the down arrow and select Desktop.

    In the “File name” box type in: fix.reg
    In the “Save As Type” box select: All Files
    Once saved, go to your desktop, double-click “fix.reg” and let it merge with the registry.

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    
    Now reboot your computer.

    Now post a new RSIT log.

    Thanks
    Geri
     
  8. 2008/09/01
    Nokanda (Thread Starter)
    I agree - ARRRRRRRRRRRGH!!!

    I installed Unlocker and I've got "show hidden files and folders" checked, but the file is not showing up in the drivers directory. I did a search of "my computer" using *q7e*.* and nothing showed up. I did another RSIT and it's still there under the S3 title. I can't find the file so I can't unlock it. Do you still want me to run the fix.reg file?
     
  9. 2008/09/01
    Geri
    Do you still want me to run the fix.reg file?

    Yes, run that.

    I'll post more instructions, let me know if that merged with the registry.
     
  10. 2008/09/01
    Geri
    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Replace on Reboot
      • then Put a Check on the Use Dummy box.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\drivers\ampq7etv.sys

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    Now see if the file is there and, if so, just right-click and delete it.
     
  11. 2008/09/01
    Nokanda (Thread Starter)
    OK, here is the RSIT log after the fix.reg job.

    I did a search for this new one (S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys) and it's not on the results list.

    No, I don't have Killbox but I'm off to do that now.

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 17:19:01
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (71% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:19:02 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7615 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:41:08 ----SHD---- C:\RECYCLER
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 15:28:29 ----D---- C:\WINDOWS\temp
    2008-09-01 15:28:27 ----A---- C:\ComboFix.txt
    2008-09-01 15:04:46 ----D---- C:\ComboFix
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
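Nokanda's point in the post above is the one a log triage script should key on: RSIT still lists the driver service, the trailing [] shows that RSIT found no file at the recorded path, and the service name has changed between runs (ampq7etv, then artmcx48). As an added example, not part of RSIT or of any post in this thread, the Python below parses the "List of drivers" section, flags orphaned entries with generated-looking names, and diffs two runs; the log excerpts are constructed from the driver lines discussed here, and the naming heuristic (8 lowercase letters or digits, display name identical to the service name) is an assumption drawn from the two names seen.

```python
"""Parse RSIT 'List of drivers' sections, flag orphaned driver services with
generated-looking names, and diff two runs to show the name changing.
Added example for this thread; not part of RSIT or of any post."""
import re
from typing import List, NamedTuple, Tuple


class DriverEntry(NamedTuple):
    start: str      # RSIT start-type prefix: R1/R2/R3 running, S3/S4 not running
    name: str       # service key name
    display: str    # display name
    path: str       # image path as recorded in the registry
    present: bool   # False when RSIT printed [] (no date/size: file not found)


# One RSIT driver line: "<R|S><n> name;display; path [date size]" or "... []"
_LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);\s*(.*?)\s*\[([^\]]*)\]\s*$")
# Assumed heuristic for generated names, modelled on ampq7etv and artmcx48.
_RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$")


def parse_driver_section(log: str) -> List[DriverEntry]:
    """Return the entries between 'List of drivers' and the next 'List of ...' heading."""
    entries: List[DriverEntry] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "List of drivers":
            in_section = True
            continue
        if in_section and line.startswith("List of "):   # next section begins
            break
        if not in_section or not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        start, name, display, path, info = m.groups()
        entries.append(DriverEntry(start, name.strip(), display.strip(), path, info.strip() != ""))
    return entries


def suspicious_drivers(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Flag entries that point into system32\\drivers, whose file RSIT could not
    find, and whose generated-looking name doubles as the display name."""
    flagged = []
    for e in entries:
        in_drivers_dir = "\\system32\\drivers\\" in e.path.lower()
        if in_drivers_dir and not e.present and e.name == e.display and _RANDOM_NAME_RE.match(e.name):
            flagged.append(e)
    return flagged


def diff_suspicious(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Flagged service names that vanished and that newly appeared between two runs."""
    old = {e.name for e in suspicious_drivers(parse_driver_section(before))}
    new = {e.name for e in suspicious_drivers(parse_driver_section(after))}
    return sorted(old - new), sorted(new - old)


# Constructed excerpts modelled on the RSIT logs in this thread (not the full logs).
RSIT_BEFORE = r"""
List of drivers

R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
S3 ampq7etv;ampq7etv; C:\WINDOWS\system32\drivers\ampq7etv.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []

List of services

R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
"""
# The later run, with the orphaned service re-registered under a new name.
RSIT_AFTER = RSIT_BEFORE.replace("ampq7etv", "artmcx48")

if __name__ == "__main__":
    gone, new = diff_suspicious(RSIT_BEFORE, RSIT_AFTER)
    print("orphaned driver services that vanished:", gone)
    print("orphaned driver services that appeared:", new)
```

The catchme entry is left alone on purpose: it also has no file and a name equal to its display name, but it lives under C:\ComboFix and is a known scanner leftover, which is why the path check is part of the rule.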
     
  12. 2008/09/01
    Nokanda (Thread Starter)
    Killbox keeps halting. I've tried twice and both times I got a popup error that says "PendingFileRenameOperations Registry Data has been Removed by External Process!"
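The Killbox error in the post above names the mechanism that "delete on reboot" depends on: the request is queued in the PendingFileRenameOperations value and Session Manager carries it out at the next boot, so anything that clears that value cancels the deletion. As an added example, not Killbox's or Microsoft's code, the Python below encodes and decodes that REG_MULTI_SZ value and checks whether a queued deletion is still present; the byte values are constructed inline rather than read from a live registry, and the key path is assumed to be the standard XP layout.

```python
"""Encode and inspect the PendingFileRenameOperations value that
'delete on reboot' tools such as Killbox queue their work in.
Added example for this thread; not Killbox's or Microsoft's code."""
from typing import List, Tuple

# Where Session Manager reads the queue from at boot (assumed standard XP layout).
REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"

# The value is REG_MULTI_SZ: UTF-16LE strings, each ended by a NUL, the whole
# list ended by one more NUL. Entries are (source, destination) pairs in NT
# path form (\??\C:\...). An empty destination means "delete source"; a
# destination starting with '!' means "replace the existing destination".
Op = Tuple[str, str]


def to_nt_path(win_path: str) -> str:
    """C:\\x.sys -> \\??\\C:\\x.sys (unchanged if already in NT form)."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pending_ops(ops: List[Op]) -> bytes:
    """Serialise (source, destination) pairs as REG_MULTI_SZ bytes."""
    body = "".join(src + "\0" + dst + "\0" for src, dst in ops)
    return (body + "\0").encode("utf-16-le")


def decode_pending_ops(data: bytes) -> List[Op]:
    """Walk the strings pairwise. An empty string where a source should be
    ends the list; that is how an empty (delete) destination is told apart
    from the list terminator."""
    parts = data.decode("utf-16-le").split("\0")
    ops: List[Op] = []
    i = 0
    while i < len(parts) and parts[i] != "":
        dst = parts[i + 1] if i + 1 < len(parts) else ""
        ops.append((parts[i], dst))
        i += 2
    return ops


def queue_delete(data: bytes, win_path: str) -> bytes:
    """Return the value with a delete-on-reboot entry for win_path appended."""
    return encode_pending_ops(decode_pending_ops(data) + [(to_nt_path(win_path), "")])


def is_delete_pending(data: bytes, win_path: str) -> bool:
    """The check to make before rebooting: did the queued deletion survive?"""
    target = to_nt_path(win_path).lower()
    return any(src.lower() == target and dst == "" for src, dst in decode_pending_ops(data))


def describe(data: bytes) -> List[str]:
    """Human-readable summary of every queued operation."""
    out = []
    for src, dst in decode_pending_ops(data):
        if dst == "":
            out.append(f"delete {src}")
        elif dst.startswith("!"):
            out.append(f"replace {dst[1:]} with {src}")
        else:
            out.append(f"move {src} to {dst}")
    return out


# Constructed sample: an empty queue, the path from this thread queued for
# deletion, then the value emptied again as the Killbox error describes.
DRIVER_PATH = r"C:\WINDOWS\system32\drivers\ampq7etv.sys"
EMPTY_QUEUE = encode_pending_ops([])
QUEUED = queue_delete(EMPTY_QUEUE, DRIVER_PATH)
CLEARED = EMPTY_QUEUE

if __name__ == "__main__":
    print(describe(QUEUED))
    print("pending after queueing:", is_delete_pending(QUEUED, DRIVER_PATH))
    print("pending after clearing:", is_delete_pending(CLEARED, DRIVER_PATH))
```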
     
  13. 2008/09/01
    Geri
    OK
    I want to make sure you used this file path.

    C:\WINDOWS\system32\drivers\ampq7etv.sys
     
  14. 2008/09/01
    Nokanda (Thread Starter)
    Yes, I did. The second time I tried I even copied and pasted it from here.
     
  15. 2008/09/01
    Geri
    OK, check to see if that file is there; if so, delete it. If not, then we need another RSIT log.

    Thanks
    Geri
     
  16. 2008/09/01
    Nokanda (Thread Starter)
    I have tried every way I can think of to find either one of those files. A search using *.sys came up with over 350 files but none of them are even close.

    Here is the RSIT log:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 18:52:13
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (53% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:52:14 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7602 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 17:26:07 ----D---- C:\!KillBox
    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:41:08 ----SHD---- C:\RECYCLER
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 15:28:29 ----D---- C:\WINDOWS\temp
    2008-09-01 15:28:27 ----A---- C:\ComboFix.txt
    2008-09-01 15:04:46 ----D---- C:\ComboFix
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
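    A small triage parser for the "List of drivers" lines in the RSIT log above, added here as an example; it is not part of the thread or of the RSIT tool. It scores each entry on what a helper checks by eye when asking whether a driver like artmcx48 is still registered: an empty trailing [] (RSIT could not read a file date or size), a description that is just the service name, and a bare file in system32\drivers with no vendor folder. The line format is assumed from the log lines themselves, and the sample lines are copied from that log.

```python
"""Triage helper for RSIT 'List of drivers' / 'List of services' entries.

Added example, not part of the thread or of RSIT. The score is a triage
order, not a verdict: ComboFix's catchme and the old Symantec drivers in
the same log also collect points, so a high score means "look here first".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape assumed from the log above:  R3 name;description; path [date size]
ENTRY_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class Entry:
    start: str        # R2/R3 = running, S3/S4 = stopped or on-demand
    name: str
    desc: str
    path: str
    date: Optional[str]
    size: Optional[int]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one RSIT driver/service line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    date = meta[0] if meta else None
    size = int(meta[1]) if len(meta) > 1 and meta[1].isdigit() else None
    return Entry(m.group("start"), m.group("name").strip(),
                 m.group("desc").strip(), m.group("path"), date, size)


def triage_flags(e: Entry) -> List[str]:
    """Cheap heuristics; each flag is worth one point in the ranking."""
    flags = []
    if e.date is None and e.size is None:
        flags.append("no file date/size (file missing, hidden or unreadable)")
    if e.name.lower() == e.desc.lower():
        flags.append("description is just the service name")
    # Drop the NT object-manager prefix RSIT shows on some image paths.
    plain = e.path[4:] if e.path.startswith("\\??\\") else e.path
    if re.match(r"(?i)^c:\\windows\\system32\\drivers\\[^\\]+$", plain):
        flags.append("bare file in system32\\drivers, no vendor folder")
    return flags


def rank_entries(log_text: str) -> List[Tuple[str, int, List[str]]]:
    """Return (name, score, flags) for every flagged entry, highest score first."""
    ranked = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        flags = triage_flags(e)
        if flags:
            ranked.append((e.name, len(flags), flags))
    ranked.sort(key=lambda t: (-t[1], t[0].lower()))
    return ranked


# Sample input: driver lines copied from the RSIT log posted above.
SAMPLE_DRIVERS = r"""
List of drivers

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
"""

if __name__ == "__main__":
    for name, score, flags in rank_entries(SAMPLE_DRIVERS):
        print(f"{score}  {name:<10} {'; '.join(flags)}")
```

Re-run it on each new RSIT log: when the artmcx48 line no longer parses out of the driver list, the entry is gone from the registry, which is the check the thread is waiting on.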
     
  17. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    One more thing. I disabled Norton so I don't know why it keeps showing up.
     
  18. 2008/09/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    OK I have one more thing to try, if this doesn't work I'll have to call in the Sensei, the Guru of all malware removal the big dog.
    Click Start > Run
    Copy and paste the bolded Command below into the run box and click OK.

    rmdel C:\WINDOWS\system32\drivers\artmcx48.sys

    OK any prompts, let me know of any messages if any.

    Now post a new RSIT log.

    Thanks
    Geri
     
  19. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    I copied the line and pasted it into Run and got a message saying "Windows can't find 'rmdel'. Make sure you typed the name correctly, and then try again."
     
  20. 2008/09/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    OK
    Please do not reboot your computer, or if you do you will need to post a new RSIT log because the name will change.

    I'll have the mild-mannered noahdfear step in here, only to become Superman when he takes off his shirt... :rolleyes: just kidding, never seen him with his shirt off. But I've heard rumors from the ladies. :p

    Thanks.
     
  21. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    You're the best, Geri. Even when I'm not in the mood to laugh, you've accomplished that. You've gone over and above in my humble opinion. As I said in my first post - I never download executables and I've kicked myself a thousand times over in the last week for going against my own rules. This has been an extremely difficult lesson made a thousand times worse because I KNEW BETTER.
     
