
Solved Another Virtumonde victim who needs help

Discussion in 'Malware and Virus Removal Archive' started by Nokanda, 2008/08/29.

  1. 2008/09/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ROFL Geri!

    Hi Nokanda :)

    Let's see if we can root out this nasty. Please do not restart your machine unless instructed to.

    Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
  2. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Thanks for helping noahdfear. Here are the results of the scan:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-09-01 20:19:45
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT sptd.sys ZwCreateKey [0xF74270D0]
    SSDT sptd.sys ZwEnumerateKey [0xF742CE2C]
    SSDT sptd.sys ZwEnumerateValueKey [0xF742D1BA]
    SSDT sptd.sys ZwOpenKey [0xF74270B0]
    SSDT sptd.sys ZwQueryKey [0xF742D292]
    SSDT sptd.sys ZwQueryValueKey [0xF742D112]
    SSDT sptd.sys ZwSetValueKey [0xF742D324]

    ---- Kernel code sections - GMER 1.0.14 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload F6FE462C 5 Bytes JMP 82D951C8
    ? System32\Drivers\artmcx48.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\Explorer.EXE[1512] SHELL32.dll!SHFileOperationW 7CA6D1B9 5 Bytes JMP 00BE1102 C:\Program Files\Unlocker\UnlockerHook.dll
    .text C:\Program Files\MSN Messenger\MsnMsgr.Exe[1764] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F743D886] sptd.sys
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F743D832] sptd.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F745F892] sptd.sys
    IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F743D886] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7427AD4] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7427C1A] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7427B9C] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7428748] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F742861E] sptd.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F743CACA] sptd.sys

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 82FD41E8
    Device \FileSystem\Fastfat \FatCdrom 82DEF510
    Device \FileSystem\Udfs \UdfsCdRom 82C7A7A0
    Device \FileSystem\Udfs \UdfsDisk 82C7A7A0
    Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\PCI_NTPNP4592 \Device\00000044 sptd.sys
    Device \Driver\usbuhci \Device\USBPDO-0 82D941E8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 82F681E8
    Device \Driver\dmio \Device\DmControl\DmConfig 82F681E8
    Device \Driver\dmio \Device\DmControl\DmPnP 82F681E8
    Device \Driver\dmio \Device\DmControl\DmInfo 82F681E8
    Device \Driver\usbuhci \Device\USBPDO-1 82D941E8
    Device \Driver\usbuhci \Device\USBPDO-2 82D941E8
    Device \Driver\usbuhci \Device\USBPDO-3 82D941E8
    Device \Driver\usbstor \Device\00000060 82BA87A0
    Device \Driver\usbehci \Device\USBPDO-4 82D7D1E8
    Device \Driver\usbstor \Device\00000061 82BA87A0
    Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\usbstor \Device\00000062 82BA87A0
    Device \Driver\usbstor \Device\00000063 82BA87A0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 82FD61E8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 82FD61E8
    Device \Driver\Cdrom \Device\CdRom0 82DC8470
    Device \Driver\Cdrom \Device\CdRom1 82DC8470
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82FD51E8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82FD51E8
    Device \Driver\atapi \Device\Ide\IdePort0 82FD51E8
    Device \Driver\atapi \Device\Ide\IdePort1 82FD51E8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82FD51E8
    Device \Driver\Cdrom \Device\CdRom2 82DC8470
    Device \Driver\Cdrom \Device\CdRom3 82DC8470
    Device \Driver\NetBT \Device\NetBT_Tcpip_{57708DF5-912C-46FC-AF62-9F02D1009D5C} 82C971E8
    Device \Driver\Cdrom \Device\CdRom4 82DC8470
    Device \Driver\NetBT \Device\NetBt_Wins_Export 82C971E8
    Device \Driver\NetBT \Device\NetbiosSmb 82C971E8
    Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\usbuhci \Device\USBFDO-0 82D941E8
    Device \Driver\usbuhci \Device\USBFDO-1 82D941E8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82DB91E8
    Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\usbehci \Device\USBFDO-2 82D7D1E8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 82DB91E8
    Device \Driver\usbuhci \Device\USBFDO-3 82D941E8
    Device \Driver\usbuhci \Device\USBFDO-4 82D941E8
    Device \Driver\Ftdisk \Device\FtControl 82FD61E8
    Device \Driver\artmcx48 \Device\Scsi\artmcx481Port2Path0Target1Lun0 82C901E8
    Device \Driver\artmcx48 \Device\Scsi\artmcx481Port2Path0Target0Lun0 82C901E8
    Device \Driver\artmcx48 \Device\Scsi\artmcx481 82C901E8
    Device \FileSystem\Fastfat \Fat 82DEF510

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 82BAF7A0

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 g:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0xAD 0x0F 0x22 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0E 0x43 0xFF 0x7A ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x49 0x34 0xCF 0xA0 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x8B 0xF4 0x6F 0x5F ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 g:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x14 0xAD 0x0F 0x22 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0E 0x43 0xFF 0x7A ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x49 0x34 0xCF 0xA0 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x8B 0xF4 0x6F 0x5F ...

    ---- Files - GMER 1.0.14 ----

    File C:\Documents and Settings\Pam\Local Settings\Temporary Internet Files\Content.IE5\LSKR4K0J\videoByTag[2].xml 0 bytes

    ---- EOF - GMER 1.0.14 ----
     
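The GMER log above is the kind of output a responder triages by hand: the SSDT entries all point at sptd.sys (the DAEMON Tools driver whose install path shows up under the sptd registry key), Unlocker and AVG explain the user-mode and TCP/IP redirects, and the one entry with no explanation is artmcx48.SYS, which GMER cannot find on disk yet which still owns three \Device\Scsi objects. The script below is an added example written for this thread, not GMER's own code or anything Nokanda ran; it parses GMER 1.0.14's text layout as shown in the posted log (the section headers and the per-line formats are assumed from that log) and pulls those same observations out automatically. SAMPLE_LOG is an excerpt of the log posted above.

```python
"""Triage helper for a GMER rootkit-scan log (added example; not GMER's own code).

Parses the text sections GMER prints and pulls out what a responder reads first:
which module owns the SSDT hooks, which kernel drivers could not be read from disk
yet still own live device objects, and which inline hooks exist and where they jump.
SAMPLE_LOG is an excerpt of the GMER output posted above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF74270D0]
SSDT sptd.sys ZwEnumerateKey [0xF742CE2C]
SSDT sptd.sys ZwOpenKey [0xF74270B0]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F6FE462C 5 Bytes JMP 82D951C8
? System32\Drivers\artmcx48.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1512] SHELL32.dll!SHFileOperationW 7CA6D1B9 5 Bytes JMP 00BE1102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82FD41E8
Device \Driver\PCI_NTPNP4592 \Device\00000044 sptd.sys
Device \Driver\artmcx48 \Device\Scsi\artmcx481 82C901E8
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
UNREADABLE_RE = re.compile(r"^\? (\S+) (.+)$")
KERNEL_JMP_RE = re.compile(r"^\.text (\S+)!(\S+) \S+ \d+ Bytes JMP (\S+)$")
USER_JMP_RE = re.compile(r"^\.text (.+?)\[(\d+)\] (\S+!\S+) \S+ \d+ Bytes JMP \S+ (.+)$")
DEVICE_RE = re.compile(r"^Device (\S+) (\S+) (.+)$")
MODULE_RE = re.compile(r"^(\S+\.sys)(?: \((.*)\))?$", re.IGNORECASE)


def parse_sections(text):
    """Return (section name, line) pairs; blank lines and the EOF marker are dropped."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if section and section != "EOF":
            entries.append((section, line))
    return entries


def triage(text):
    """Group the findings a responder acts on; see the keys of the returned dict."""
    ssdt = defaultdict(list)     # hooking module -> SSDT entries it owns
    unreadable = {}              # driver basename -> why GMER could not read the file
    devices = defaultdict(set)   # driver object (lower-cased) -> its device objects
    kernel_inline, user_hooks, redirects = [], [], []
    for section, line in parse_sections(text):
        if section == "System" and line.startswith("SSDT "):
            _, module, func, _addr = line.split(None, 3)
            ssdt[module.lower()].append(func)
        elif section == "Kernel code sections":
            if m := UNREADABLE_RE.match(line):
                unreadable[m.group(1).rsplit("\\", 1)[-1].lower()] = m.group(2).rstrip(" !")
            elif m := KERNEL_JMP_RE.match(line):
                kernel_inline.append(m.groups())
        elif section == "User code sections":
            if m := USER_JMP_RE.match(line):
                proc, pid, api, rest = m.groups()
                # strip GMER's "(description/vendor)" suffix so only the target path remains
                user_hooks.append((proc, int(pid), api, re.sub(r"\s*\([^()]*\)$", "", rest)))
        elif section == "Devices":
            if m := DEVICE_RE.match(line):
                drv, dev, owner = m.groups()
                devices[drv.lower()].add(dev)
                if om := MODULE_RE.match(owner):
                    # device serviced by a module other than its own driver (filter or hook)
                    redirects.append((drv, dev, om.group(1), om.group(2) or ""))
    # A driver whose file GMER cannot find on disk but whose driver object still owns
    # device objects is the hidden-driver signature to chase before anything else.
    hidden = {}
    for basename, reason in unreadable.items():
        if "cannot find" in reason.lower():
            stem = basename.rsplit(".", 1)[0]
            hidden[stem] = sorted(devices.get("\\driver\\" + stem, ()))
    return {"ssdt": dict(ssdt), "unreadable": unreadable, "hidden_drivers": hidden,
            "kernel_inline": kernel_inline, "user_hooks": user_hooks,
            "device_redirects": redirects}
```

Run `triage(SAMPLE_LOG)` and the `hidden_drivers` key comes back with `artmcx48` and its SCSI device object, while sptd.sys lands only in `unreadable` (locked, not missing) and in the SSDT and device lists. Redirects that carry a vendor description (AVG here) or map to a known installed driver (sptd.sys belongs to the DAEMON Tools path recorded in the registry section of the full log) are expected for that software; a redirect with no description, or a driver object without a file behind it, is what deserves the follow-up.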


  4. 2008/09/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    By the time you tried Geri's Killbox instructions, the file had already changed names. Please review those instructions, then execute them using the following filename/path.

    C:\WINDOWS\system32\drivers\artmcx48.sys

    Once you've restarted, please run RSIT again and post the log.

    P.S. - you can just copy the above path and paste it into the address window of Killbox. ;)
     
  5. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    I got the same response as the first time - PendingFileRenameOperations Registry Data has been removed by External Process!

    I think this thing has a cloaking device.
     
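The Killbox message Nokanda quotes names the mechanism behind "delete on reboot": the tool queues the file in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which Session Manager (smss.exe) processes at the next boot, and anything with administrator rights that is still running before that reboot can simply clear the value, which is what "removed by External Process" is reporting. The code below is an added example for this thread, not Killbox's code; it decodes that value's format (pairs of strings: an NT-form source path with the `\??\` prefix, then the destination, where an empty destination means delete and a leading `!` means replace-if-exists), builds the pair a Killbox-style tool appends, and checks whether a queued deletion is still present. All sample values are constructed; `read_from_registry` only works on Windows and is not exercised by the sample.

```python
"""Decode and verify the PendingFileRenameOperations list that delete-on-reboot
tools such as Killbox rely on (added example for this thread, not Killbox's code).

The value is a flat REG_MULTI_SZ list read in pairs: source path in NT form
("\??\" prefix) followed by the destination. An empty destination means delete;
a destination starting with "!" means replace an existing file.
"""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"

Operation = Tuple[str, Optional[str], bool]  # (source, destination or None, replace_existing)


def strip_nt(path: str) -> str:
    """Remove the \\??\\ object-manager prefix so paths compare like Win32 paths."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(values: List[str]) -> List[Operation]:
    """Turn the raw MULTI_SZ strings into (source, destination, replace) tuples."""
    if len(values) % 2:
        raise ValueError("malformed list: entries must come in source/destination pairs")
    ops = []
    for i in range(0, len(values), 2):
        src, dst = values[i], values[i + 1]
        replace = dst.startswith("!")
        dst = strip_nt(dst.lstrip("!"))
        ops.append((strip_nt(src), dst or None, replace))
    return ops


def delete_entry(win32_path: str) -> List[str]:
    """The two strings a delete-on-reboot tool appends to schedule removal of a file."""
    return [NT_PREFIX + win32_path, ""]


def is_delete_queued(values: List[str], win32_path: str) -> bool:
    """True if a deletion of win32_path is still present in the list (case-insensitive)."""
    want = win32_path.lower()
    return any(dst is None and src.lower() == want for src, dst, _ in parse_pending(values))


def status(values: List[str], win32_path: str) -> str:
    """One-line verdict to check right after scheduling and again before rebooting."""
    if is_delete_queued(values, win32_path):
        return "queued: deletion will run at next boot unless something clears the value"
    return "missing: entry was never written or has been removed by another process"


def read_from_registry() -> List[str]:
    """Windows only: the live value, or [] when the value does not exist."""
    import winreg  # not importable outside Windows, hence imported here
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH)
    try:
        values, _kind = winreg.QueryValueEx(key, VALUE_NAME)
        return list(values)
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)


# Constructed sample: the path from noahdfear's instruction queued for deletion, plus an
# unrelated rename with the replace flag; SAMPLE_AFTER models the cleared value Nokanda saw.
TARGET = r"C:\WINDOWS\system32\drivers\artmcx48.sys"
SAMPLE_BEFORE = delete_entry(TARGET) + [NT_PREFIX + r"C:\WINDOWS\Temp\new.tmp",
                                        "!" + NT_PREFIX + r"C:\WINDOWS\Temp\old.dll"]
SAMPLE_AFTER: List[str] = []

if __name__ == "__main__":
    for src, dst, replace in parse_pending(SAMPLE_BEFORE):
        print(f"{src} -> {dst or '<delete>'}{' (replace)' if replace else ''}")
    print(status(SAMPLE_BEFORE, TARGET))
    print(status(SAMPLE_AFTER, TARGET))
```

On a Windows machine, `status(read_from_registry(), path)` run immediately after the tool reports success and again just before the restart tells you whether the entry survived; a queued entry that disappears between the two checks means something else is editing that value, and a driver that GMER could not even find on disk is a plausible candidate for doing so.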
  6. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Here's the RSIT file, even though Killbox didn't work.

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 20:56:46
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (55% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:56:47 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7683 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray "=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task "=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl "=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut "=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY "=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk "=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant "=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr "=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS "= "avgrsstx.dll "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe "= "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard "
    "C:\Program Files\BitTornado\btdownloadgui.exe "= "C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui "
    "C:\WINDOWS\system32\dplaysvr.exe "= "C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper "
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe "= "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete "
    "C:\Program Files\Messenger\msmsgs.exe "= "C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger "
    "G:\Program Files\mIRC\mirc.exe "= "G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC "
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe "= "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD "
    "C:\Program Files\AVG\AVG8\avgemc.exe "= "C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe "
    "C:\Program Files\AVG\AVG8\avgupd.exe "= "C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe "
    "C:\Program Files\Google\Google Talk\googletalk.exe "= "C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 20:12:03 ----A---- C:\WINDOWS\gmer.ini
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer_uninstall.cmd
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.exe
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.dll
    2008-09-01 17:26:07 ----D---- C:\!KillBox
    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:41:08 ----SHD---- C:\RECYCLER
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 15:28:29 ----D---- C:\WINDOWS\temp
    2008-09-01 15:28:27 ----A---- C:\ComboFix.txt
    2008-09-01 15:04:46 ----D---- C:\ComboFix
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
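The RSIT driver list above prints `[date size]` after every image path and leaves the bracket empty (`[]`) where it could not open the file; `artmcx48` is the only plain `system32\drivers` entry in that state, which is exactly what a renamed or deleted rootkit driver left behind in the service database looks like. The script below is an added example for this thread, not part of the original post and not RSIT's own code: it parses the posted lines (copied here as a constructed sample), separates the empty-bracket cases that are RSIT path quirks (the `\??\` NT-object prefix and the doubled `system32\System32`, both assumptions about how RSIT composes the path) from genuinely missing files, and skips drivers dropped by the removal tools used in the thread (the `HELPER_TOOL_DRIVERS` allowlist is an assumption to adjust per case).

```python
"""Triage an RSIT 'List of drivers' / 'List of services' dump for services whose
image file is absent at the recorded path. Added example; not RSIT's code."""
import re

# Lines copied from the RSIT log posted in this thread (constructed sample).
SAMPLE_RSIT = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
"""

# start-type, name, description, path, then RSIT's "[date size]" bracket
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Drivers installed by the removal tools used in this thread (assumption:
# adjust to the tools actually run on the machine being examined).
HELPER_TOOL_DRIVERS = {"catchme", "gmer", "mbam", "mbamswissarmy"}


def classify(entry):
    """Label one parsed RSIT entry."""
    if entry["name"].lower() in HELPER_TOOL_DRIVERS:
        return "helper-tool"
    if entry["meta"]:
        return "located"        # RSIT opened the file and printed date/size
    path = entry["path"]
    if path.startswith("\\??\\"):
        return "unresolved"     # NT object path; assumed RSIT does not resolve it
    if "\\system32\\system32\\" in path.lower():
        return "path-quirk"     # relative ImagePath prefixed twice; assumed RSIT artefact
    return "missing"            # plain Win32 path with no file behind it


def triage(text):
    """Parse RSIT driver/service lines into {name: entry with 'category'}."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["category"] = classify(entry)
        out[entry["name"]] = entry
    return out


def suspects(text):
    """Service names whose image file is absent at the path they point to."""
    return sorted(
        (n for n, e in triage(text).items() if e["category"] == "missing"),
        key=str.lower,
    )


if __name__ == "__main__":
    for name, e in triage(SAMPLE_RSIT).items():
        print(f"{e['category']:12} {e['start']} {name:20} {e['path']}")
    print("review first:", suspects(SAMPLE_RSIT))
```

On the posted log this surfaces `artmcx48` (an `S3`, on-demand driver whose `.sys` is gone) and the orphaned Nero `NMIndexingService`, which HijackThis independently marks "(file missing)"; the AVG and Symantec `[]` entries fall into the two quirk buckets and only need a manual look. Re-run it on each new RSIT log to see whether a missing-file driver has reappeared under a different name.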
     
  7. 2008/09/01
    noahdfear
    Do you have a Windows XP operating system cd? If so, do you know how to boot to the cd?
     
  8. 2008/09/01
    Nokanda (Thread Starter)
    Sadly, no, I don't have it. I got the system used, with everything pre-loaded and no disks. A friend had it hanging around and offered it to me when my last system, which was much too old, died. Never thought to make a boot CD either.
     
  9. 2008/09/01
    noahdfear
    Not a problem. ;)

    You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System (you apparently have XP Pro SP2?), then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, click No to continue scanning. ComboFix should exit and produce a log. Please post the contents of that log.

    Click here to see an image of how to install the Recovery Console using ComboFix.
     
  10. 2008/09/01
    Nokanda (Thread Starter)
    ok, done. Here is the Combofix log:

    ComboFix 08-08-30.01 - Pam 2008-09-01 21:45:12.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.476 [GMT -4:00]
    Running from: C:\Documents and Settings\Pam\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Pam\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
    .

    2008-09-01 20:12 . 2008-09-01 20:12 250 --a------ C:\WINDOWS\gmer.ini
    2008-09-01 17:26 . 2008-09-01 17:26 <DIR> d-------- C:\!KillBox
    2008-09-01 16:52 . 2008-09-01 20:10 365 --a------ C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:29 . 2008-09-01 16:44 <DIR> d-------- C:\Program Files\Unlocker
    2008-09-01 16:29 . 2008-09-01 16:29 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-08-30 06:10 . 2008-08-30 06:10 <DIR> d-------- C:\rsit
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-30 05:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-30 05:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-30 05:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-29 22:57 . 2008-08-29 22:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 03:44 . 2008-08-31 00:46 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-08-26 02:24 . 2008-09-01 08:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Program Files\AVG
    2008-08-26 02:24 . 2008-08-26 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-26 02:24 . 2008-08-28 21:41 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 02:24 . 2008-08-26 02:24 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-08-26 02:24 . 2008-08-26 02:24 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05 . 2008-08-25 23:05 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24 . 2008-08-28 23:48 <DIR> d-------- C:\Program Files\Common Files\LightScribe
    2008-08-25 22:02 . 2007-11-07 10:18 7,936 -ra------ C:\WINDOWS\system32\drivers\inidvd.sys
    2008-08-25 21:59 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:59 . 2001-08-29 21:00 59,904 --a------ C:\WINDOWS\system32\wbemdisp.tlb
    2008-08-25 21:59 . 2008-08-26 04:10 0 --a------ C:\WINDOWS\lgfwup.ini
    2008-08-25 21:58 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-08-25 21:43 . 2007-01-08 22:17 27,168 --------- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34 . 2008-08-25 20:35 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34 . 2008-08-25 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29 . 2008-08-25 21:30 <DIR> d-------- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56 . 2008-08-25 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52 . 2008-08-25 19:52 <DIR> d-------- C:\Program Files\Nero
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52 . 2008-08-26 04:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 17:57 . 2008-08-25 17:57 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50 . 2008-08-25 21:30 <DIR> d-------- C:\WINDOWS\system32\DLA
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Sonic
    2008-08-25 17:50 . 2008-08-25 17:50 <DIR> d-------- C:\Program Files\Roxio
    2008-08-25 17:42 . 2008-08-25 21:31 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34 . 2008-08-25 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01 . 2008-08-25 17:01 <DIR> d-------- C:\Program Files\honestech
    2008-08-25 16:44 . 2008-08-25 16:48 <DIR> d-------- C:\Program Files\CyberLink
    2008-08-25 16:43 . 2008-08-25 22:02 <DIR> d-------- C:\Program Files\LG USB Booster
    2008-08-16 23:32 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02 . 1995-07-05 14:11 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56 . 2008-08-12 20:56 <DIR> d-------- C:\Program Files\Crayola
    2008-08-12 20:56 . 2008-08-12 20:56 154 --a------ C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:14 . 2008-08-12 20:14 7,680 --ahs---- C:\WINDOWS\Thumbs.db

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-08-27 12:08 --------- d-----w C:\Program Files\Google
    2008-08-26 01:39 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
    2008-08-25 21:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-25 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 03:32 --------- d-----w C:\Program Files\Yahoo!
    2008-08-17 03:32 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-08-17 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-08-03 18:21 --------- d-----w C:\Program Files\Bingo Blowout
    2008-07-17 19:23 --------- d-----w C:\Program Files\Java
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-30_19.37.54.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2008-09-02 00:12:01 884,736 ----a-w C:\WINDOWS\gmer.dll
    + 2008-04-18 01:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
    + 2008-09-02 00:12:01 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    2008-07-28 06:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:46 68856]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-25 08:06 282624]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-28 21:56 1235736]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 00:15 15872]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-01-20 03:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-05-25 08:06 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    --a------ 2001-09-24 07:59 73728 C:\Program Files\NavNT\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "G:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "G:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "G:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2625:UDP"= 2625:UDP:Windows Media Format SDK (wmplayer.exe)
    "2624:UDP"= 2624:UDP:Windows Media Format SDK (wmplayer.exe)
    "2627:UDP"= 2627:UDP:Windows Media Format SDK (wmplayer.exe)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 21:41]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 21:42]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 21:48]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-26 02:24]
    R3 INIDVD;Initio USB DVD Filter Driver;C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 10:18]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    \Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE

    *Newly Created Service* - GMER
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\31v7d95s.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-01 21:46:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
    "ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    Completion time: 2008-09-01 21:49:22
    ComboFix-quarantined-files.txt 2008-09-02 01:48:19
    ComboFix2.txt 2008-09-01 19:28:27
    ComboFix3.txt 2008-09-01 16:39:20
    ComboFix4.txt 2008-09-01 12:15:05
    ComboFix5.txt 2008-09-02 01:44:16

    Pre-Run: 31,284,858,880 bytes free
    Post-Run: 31,257,075,712 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    186 --- E O F --- 2007-09-04 05:32:05
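Two things in the ComboFix log above deserve a programmatic check rather than eyeballing: the "Reg Loading Points" block (the Security Center `AntiVirusOverride` set to 1, the `mountpoints2` AutoRun command for removable drive `I:`, the `AppInit_DLLs` entry, and the `ImagePath` stored as REG_MULTI_SZ that ComboFix flags for `INIDVD`), and the `boot.ini` tail that shows whether the Recovery Console install from the earlier post actually took. The script below is an added example for this thread, not ComboFix's own code; the sample text is an excerpt of the posted log reduced to the lines the checks read, with ComboFix's REGEDIT4-style quoting restored, and which values count as findings is this example's choice, not something ComboFix defines.

```python
"""Checks over a ComboFix 'Reg Loading Points' block and boot.ini tail.
Added example for this thread; not ComboFix's code."""
import re

# Excerpt of the ComboFix log posted in this thread (constructed sample).
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
\Shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
"""

# boot.ini as printed at the end of the posted log.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# ComboFix prints mountpoints2 AutoRun handlers as "\Shell\AutoRun\command - <cmd>"
AUTORUN_RE = re.compile(r"^\\?(Shell\\AutoRun\\command)\s+-\s+(.+)$", re.IGNORECASE)
# Security Center values that silence its warnings when set to 1.
OVERRIDES = ("AntiVirusOverride", "FirewallOverride", "UpdatesOverride",
             "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_reg_dump(text):
    """Return {key: {value_name: raw_value}} from the REGEDIT4-style block."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line) or AUTORUN_RE.match(line)
        if m:
            reg[current][m.group(1)] = m.group(2).strip()
    return reg


def check_loading_points(reg):
    """Flag the loading points a removal helper reads first."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        lower = {n.lower(): v for n, v in values.items()}
        if k.endswith("security center"):
            for name in OVERRIDES:
                if lower.get(name.lower(), "").lower() == "dword:00000001":
                    findings.append({"kind": "security-center-override", "key": key, "detail": name})
        if "\\mountpoints2\\" in k:
            for n, cmd in lower.items():
                if n.endswith("autorun\\command"):
                    findings.append({"kind": "autorun-mountpoint", "key": key, "detail": cmd})
        dlls = lower.get("appinit_dlls", "").strip('"')
        if k.endswith("\\windows nt\\currentversion\\windows") and dlls:
            findings.append({"kind": "appinit-dll", "key": key, "detail": dlls})
        if lower.get("imagepath", "").lower().startswith("multi:"):
            findings.append({"kind": "imagepath-multi-sz", "key": key, "detail": lower["imagepath"]})
    return findings


def parse_boot_ini(text):
    """Minimal boot.ini parser: {section: {left of '=': right of '='}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            left, right = line.split("=", 1)
            sections[current][left.strip()] = right.strip()
    return sections


def recovery_console_present(sections):
    """True when an [operating systems] entry boots with /cmdcons."""
    return any("/cmdcons" in v.lower()
               for v in sections.get("operating systems", {}).values())
```

Every finding is a review item, not a verdict: the `AppInit_DLLs` hit here is AVG's own `avgrsstx.dll`, and the AutoRun handler belongs to a photo keychain, but a `mountpoints2` entry that launches an executable from a removable drive is the same mechanism USB-borne malware uses, so it belongs on the list. With the console entry present in `boot.ini`, a `timeout` of 2 means the boot menu is only shown for two seconds, so press a key promptly if you need it.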
     
  11. 2008/09/01
    noahdfear
    Good, but since you allowed ComboFix to do a full scan, let's make sure our little rooter hasn't changed names again. Please post a new RSIT log.
     
  12. 2008/09/01
    Nokanda (Thread Starter)
    Here's the RSIT log; it doesn't appear to have changed yet:

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 22:16:46
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (60% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:16:48 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7679 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 21:49:30 ----D---- C:\WINDOWS\temp
    2008-09-01 21:49:28 ----A---- C:\ComboFix.txt
    2008-09-01 21:46:37 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-09-01 21:45:06 ----A---- C:\Boot.bak
    2008-09-01 21:44:56 ----D---- C:\cmdcons
    2008-09-01 20:12:03 ----A---- C:\WINDOWS\gmer.ini
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer_uninstall.cmd
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.exe
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.dll
    2008-09-01 17:26:07 ----D---- C:\!KillBox
    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
    S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
     
  13. 2008/09/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Please print these instructions for reference while in the Recovery Console.


    Copy the bolded command below to your clipboard.

    echo.>C:\WINDOWS\system32\drivers\artmcx48.txt

    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the window and select Paste to paste the command in the window, then hit Enter.
    Close the command window.


    Now, restart the computer.
    Upon starting, you will be presented with a screen (for 2 seconds) with options of booting the XP operating system or the Recovery Console.
    Use the up/down arrow key(s) to select the Microsoft Windows Recovery Console.


    When the Recovery Console starts you will be asked which system to log on to, and it should list C:\Windows as number 1.
    Type a 1 and hit Enter
    If prompted for the Administrator password, type the password of the Administrator account, or just hit Enter if a password was never created.

    Once logged onto the system you should have a flashing cursor at a C:\Windows> prompt.


    Step 1
    First, type the following command and hit Enter.

    listsvc

    Verify whether artmcx48 is in the list and press the spacebar until you are back at the C:\Windows> prompt.
    If listed, type the following command and hit enter, else skip to step 2.

    disable artmcx48


    Step 2
    Now type the following commands, one line at a time, hitting Enter after each line.


    attrib -r -h -s C:\WINDOWS\system32\drivers\artmcx48.sys
    ren C:\WINDOWS\system32\drivers\artmcx48.sys oldartmcx48.sys
    ren C:\WINDOWS\system32\drivers\artmcx48.txt artmcx48.sys
    disable artmcx48
    exit



    Please make very sure to use the proper spacing when typing the above commands. I have inserted a caret ^ into the same commands below where a space belongs, so there's no question as to where to place them.


    attrib^-r^-h^-s^C:\WINDOWS\system32\drivers\artmcx48.sys
    ren^C:\WINDOWS\system32\drivers\artmcx48.sys^oldartmcx48.sys
    ren^C:\WINDOWS\system32\drivers\artmcx48.txt^artmcx48.sys
    disable^artmcx48
    exit


    Once you type Exit and hit Enter, the machine will restart. No interaction will be required for the system to boot into the operating system. As soon as you logon, run RSIT and post the new log.
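    The procedure above targets a driver service whose .sys RSIT cannot read (the empty [] after the path) and whose name is a random-looking string. The following Python script, added to this thread and not part of RSIT or of noahdfear's instructions, parses the "List of drivers" section of an RSIT log and flags entries showing those traits, so the renamed driver stands out in the next log; sample lines are copied from the logs in this thread, and the name-shape rule is an assumption for illustration.

```python
"""Triage the "List of drivers" section of an RSIT log.

Added example for this thread; it is not part of RSIT, GMER, or the
Recovery Console procedure above. It flags driver services that share the
traits of the rogue entry discussed here (artmcx48, later a1t1ef8z):
  * the .sys lives under system32\\drivers,
  * RSIT printed empty metadata [] (it could not read the file),
  * the display name merely repeats the service name,
  * the service name looks machine-generated.
The name-shape rule (6-10 lowercase alphanumerics mixing letters and
digits) is an assumption for illustration, not a published signature.
Hits are review candidates, not verdicts: a legitimate driver whose file
is momentarily unreadable can match the first three traits too.
"""
import re
from dataclasses import dataclass

# One RSIT driver line: "<R1|S3|..> <name>;<display>; <path> [<date size>]"
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"\s*(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class DriverEntry:
    start: str      # start type as RSIT prints it, e.g. R3 or S3
    name: str       # service (registry key) name
    display: str    # display name
    path: str       # image path
    meta: str       # "YYYY-MM-DD size", or "" when RSIT could not read the file

    @property
    def file_missing(self) -> bool:
        return self.meta.strip() == ""

    @property
    def under_drivers(self) -> bool:
        return "\\system32\\drivers\\" in self.path.lower()

    @property
    def display_repeats_name(self) -> bool:
        return self.display.strip().lower() == self.name.strip().lower()


def parse_driver_line(line: str):
    """Return a DriverEntry for an RSIT driver line, or None for other text."""
    m = LINE_RE.match(line.strip())
    return DriverEntry(**m.groupdict()) if m else None


def looks_generated(name: str) -> bool:
    """Assumed heuristic: short lowercase alphanumeric name mixing digits and letters."""
    n = name.strip()
    return (6 <= len(n) <= 10 and n.isalnum() and n.islower()
            and any(c.isdigit() for c in n) and any(c.isalpha() for c in n))


def review_reasons(entry: DriverEntry) -> list:
    """List every trait the entry shares with the rogue driver in this thread."""
    reasons = []
    if entry.under_drivers:
        reasons.append("image lives under system32\\drivers")
    if entry.file_missing:
        reasons.append("RSIT could not read the .sys (empty [] metadata)")
    if entry.display_repeats_name:
        reasons.append("display name just repeats the service name")
    if looks_generated(entry.name):
        reasons.append("service name looks machine-generated")
    return reasons


def triage(log_text: str) -> dict:
    """Map service name -> reasons, for entries that show all four traits."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_driver_line(line)
        if entry is None:
            continue
        reasons = review_reasons(entry)
        if len(reasons) == 4:
            flagged[entry.name] = reasons
    return flagged


# Constructed sample: driver lines copied from the two RSIT logs posted in
# this thread, plus benign neighbours for contrast.
SAMPLE_LOG = r"""
List of drivers

R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
S3 a1t1ef8z;a1t1ef8z; C:\WINDOWS\system32\drivers\a1t1ef8z.sys []
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"review {name}:")
        for r in reasons:
            print(f"  - {r}")
```

    Note that ac97intc matches the name-shape rule on its own, which is why the script only reports entries showing all four traits together.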
     
  14. 2008/09/01
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    OK, listsvc did not list it.

    attrib -r -h -s C:\WINDOWS\system32\drivers\artmcx48.sys - this gave me an error message (the parameters are not valid) - I had to leave out the spaces (-r-h-s)

    ren C:\WINDOWS\system32\drivers\artmcx48.sys oldartmcx48.sys - this gave me an error message - the system cannot find the file or directory specified

    ren C:\WINDOWS\system32\drivers\artmcx48.txt artmcx48.sys - this gave me the same error message as the previous command

    disable artmcx48 - this gave me an error message - the registry entry for the artmcx48 service cannot be located

    Here is the RSIT log and it's changed again - S3 a1t1ef8z;a1t1ef8z; C:\WINDOWS\system32\drivers\a1t1ef8z.sys []

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-01 23:05:17
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (65% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:05:26 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7616 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray "=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task "=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl "=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut "=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY "=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk "=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant "=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr "=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS "= "avgrsstx.dll "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe "= "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard "
    "C:\Program Files\BitTornado\btdownloadgui.exe "= "C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui "
    "C:\WINDOWS\system32\dplaysvr.exe "= "C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper "
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe "= "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete "
    "C:\Program Files\Messenger\msmsgs.exe "= "C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger "
    "G:\Program Files\mIRC\mirc.exe "= "G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC "
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe "= "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD "
    "C:\Program Files\AVG\AVG8\avgemc.exe "= "C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe "
    "C:\Program Files\AVG\AVG8\avgupd.exe "= "C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe "
    "C:\Program Files\Google\Google Talk\googletalk.exe "= "C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\MSN Messenger\msnmsgr.exe "= "C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\Program Files\MSN Messenger\livecall.exe "= "C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 21:49:30 ----D---- C:\WINDOWS\temp
    2008-09-01 21:49:28 ----A---- C:\ComboFix.txt
    2008-09-01 21:46:37 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-09-01 21:45:06 ----A---- C:\Boot.bak
    2008-09-01 21:44:56 ----D---- C:\cmdcons
    2008-09-01 20:12:03 ----A---- C:\WINDOWS\gmer.ini
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer_uninstall.cmd
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.exe
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.dll
    2008-09-01 17:26:07 ----D---- C:\!KillBox
    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 a1t1ef8z;a1t1ef8z; C:\WINDOWS\system32\drivers\a1t1ef8z.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
     
  15. 2008/09/01
    Nokanda (Thread Starter)
    How does RSIT find it when nothing else can?
     
  16. 2008/09/01
    noahdfear
    OK ..... this might take a bit more digging. First, highlight and copy the contents of the code box below.

    Code:
    @echo off
    rem Empty placeholder; the Recovery Console steps below rename it over the rootkit's .sys
    echo.>C:\WINDOWS\system32\drivers\junk.txt
    echo Services>query.txt
    echo.>>query.txt
    rem state= all lists stopped entries too; sc query shows only running ones by default
    sc query type= service state= all | findstr /i "SERVICE_NAME">>query.txt
    echo.>>query.txt
    echo Drivers>>query.txt
    echo.>>query.txt
    sc query type= driver state= all | findstr /i "SERVICE_NAME">>query.txt
    echo.>>query.txt
    rem Directory listing to compare against the service names above
    dir C:\WINDOWS\system32\drivers\*.sys>>query.txt
    start notepad query.txt
    exit
    
    Open a command window and paste it in.
    Print the query.txt file that opens for reference, making note of whether or not it shows the rootkit in the directory output and/or the Services/Drivers output.

    Boot back into the Recovery Console and execute the listsvc command, then check the output against your list of Services and Drivers. If it follows suit, it will have a name similar to what we've been seeing and not on your list if it changes again.

    a1t1ef8z
    artmcx48
    aqyq9qbu
    av1fj8p7


    Once you've located it, execute the disable command using its name:

    disable servicename

    Now, at the C:\Windows> prompt, type the following commands, substituting the correct driver name if needed.


    cd system32
    cd drivers
    attrib -r a1t1ef8z.sys
    attrib -h a1t1ef8z.sys
    attrib -s a1t1ef8z.sys
    ren a1t1ef8z.sys olda1t1ef8z.sys
    ren junk.txt a1t1ef8z.sys
    exit


    At the C:\WINDOWS\system32\drivers> prompt, you can also type dir *.sys to get a list of all files and check it against the Directory list in query.txt to help identify the driver name, if using the name of the service fails, or if the service isn't listed.
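    The comparison the steps above do by hand (match the driver names RSIT reads from the registry against what sc query or listsvc reports, look for an eight-character random name whose .sys is not in the drivers directory, and watch the name change between boots) can be scripted. What follows is an added example written for this page, not code from the thread, from RSIT, GMER or Microsoft; every RSIT, dir and sc line it parses is a constructed sample using the driver names the thread lists (a1t1ef8z, artmcx48), the dir format assumed is XP's en-US layout, and the random-name test is a heuristic shaped by this thread rather than a signature.

```python
"""Added example for this page, not code from the thread, RSIT, GMER or Microsoft.

It scripts the comparison the procedure above does by hand: parse the RSIT
'List of drivers' section, a 'dir *.sys' listing and the SERVICE_NAME lines
from 'sc query', flag a random-named driver whose .sys is absent, and diff the
names between two runs. All sample lines below are constructed; the driver
names are the ones the thread lists (a1t1ef8z, artmcx48).
"""
import re

# RSIT driver line: "<start> <name>;<display>; <path> [<date> <size>]"  ("[]" = no file found)
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<fileinfo>[^\]]*)\]\s*$"
)
# XP (en-US) "dir" line: "<date>  <time> AM|PM  <size> <name>"; assumed format of the constructed sample
DIR_RE = re.compile(r"^\s*\S+\s+\S+(?:\s+[AP]M)?\s+[\d,]+\s+(?P<name>.+?\.sys)\s*$", re.I)
# "sc query ... | findstr /i SERVICE_NAME" line
SC_RE = re.compile(r"^\s*SERVICE_NAME:\s*(?P<name>\S+)\s*$", re.I)
# Heuristic shaped by the names in this thread: eight lowercase alphanumerics with a digit
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8}$")


def parse_driver_line(line):
    """One RSIT driver entry as a dict, or None for any other line."""
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["filename"] = entry["path"].rsplit("\\", 1)[-1].lower()
    entry["has_fileinfo"] = bool(entry["fileinfo"].strip())
    return entry


def parse_dir_listing(lines):
    """Lower-cased .sys file names present in a dir listing."""
    return {m.group("name").lower() for m in map(DIR_RE.match, lines) if m}


def parse_sc_names(lines):
    """Service names from sc query output filtered to SERVICE_NAME lines."""
    return {m.group("name") for m in map(SC_RE.match, lines) if m}


def rsit_names(rsit_lines):
    """Service names RSIT read from the registry."""
    return {e["name"] for e in filter(None, map(parse_driver_line, rsit_lines))}


def suspicious_drivers(rsit_lines, on_disk):
    """Entries whose name looks random and is also the display name, that RSIT
    found no file metadata for, and whose .sys is not in the dir listing."""
    hits = []
    for entry in filter(None, map(parse_driver_line, rsit_lines)):
        entry["on_disk"] = entry["filename"] in on_disk
        if (RANDOM_NAME_RE.match(entry["name"])
                and entry["display"] == entry["name"]
                and not entry["has_fileinfo"]
                and not entry["on_disk"]):
            hits.append(entry)
    return hits


def diff_names(before, after):
    """(names only in `before`, names only in `after`), each sorted."""
    return sorted(before - after), sorted(after - before)


# Constructed samples. ac97intc is a control: lowercase with digits, but a real
# display name and real file metadata, so it must not be flagged.
RUN_1 = [
    r"R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]",
    r"R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]",
    r"R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]",
    r"S3 a1t1ef8z;a1t1ef8z; C:\WINDOWS\system32\drivers\a1t1ef8z.sys []",
    r"S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []",
]
# Same machine after a reboot: the random entry carries a new name.
RUN_2 = RUN_1[:3] + [r"S3 artmcx48;artmcx48; C:\WINDOWS\system32\drivers\artmcx48.sys []", RUN_1[4]]
DIR_LISTING = [
    " Volume in drive C has no label.",
    " Directory of C:\\WINDOWS\\system32\\drivers",
    "",
    "01/20/2007  10:11 AM            31,644 SCDEmu.sys",
    "08/17/2001  01:00 PM            96,256 ac97intc.sys",
    "08/04/2004  12:00 AM            26,496 USBSTOR.SYS",
    "               3 File(s)        154,396 bytes",
]
# The service control manager's view omits the hidden entry.
SC_OUTPUT = ["SERVICE_NAME: ac97intc", "SERVICE_NAME: SCDEmu", "SERVICE_NAME: usbstor", "SERVICE_NAME: catchme"]

if __name__ == "__main__":
    disk = parse_dir_listing(DIR_LISTING)
    for e in suspicious_drivers(RUN_1, disk):
        print(f"suspect driver {e['name']}: {e['path']} (on disk: {e['on_disk']})")
    hidden, _ = diff_names(rsit_names(RUN_1), parse_sc_names(SC_OUTPUT))
    print("in registry but not in sc query:", hidden)
    print("gone / new between runs:", diff_names(rsit_names(RUN_1), rsit_names(RUN_2)))
```

    Run as-is it prints the report for the constructed samples; on a real query.txt, feed the RSIT driver section, the dir block and the SERVICE_NAME lines to the three parsers. A name that RSIT reads from the registry but sc query or listsvc omits is the same discrepancy the manual procedure looks for, and the two-run diff is what shows a driver that renames itself on every boot.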
     
  17. 2008/09/02
    Nokanda (Thread Starter)
    Again, no success. The file is just not there. I did a bit of exploring though and found some things. On Aug 25th at 9:30p (the date and time this thing hit me) a directory was created in the wbem directory called "repository". Inside that directory there is only 1 file and the date stamp changes all the time. The file is called $WinMgmt.CFG and has 20 bytes. There is also another directory date-stamped Aug 25th at 9:30p called FS. Inside that directory are 7 files that all have the date stamp Sep 2nd 9:23a (the time I logged back into Windows from the console). The files are:

    INDEX.BTR 1,016Kb
    OBJECTS.DATA 5,520Kb
    MAPPING2.MAP 4Kb
    INDEX.MAP 1Kb
    MAPPING1.MAP 1Kb
    MAPPING.VER 1Kb
    OBJECTS.MAP 3Kb

    Since I know nothing about this stuff they could be legitimate, but the date and time stamps made me wonder about them. Other directories that showed up with an Aug 25th date stamp are DLA, DLLCACHE (with a file called FNTCACHE.DAT), NTMSDATA, RESTORE, WBEM (the one with all the files listed above).
     
  18. 2008/09/02
    Nokanda (Thread Starter)
    Sorry, I forgot to paste the RSIT log. It's changed once again.

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-02 09:23:28
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (78%) free of 38 GB
    Total RAM: 767 MB (65% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:23:33 AM, on 9/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7621 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-01 21:49:30 ----D---- C:\WINDOWS\temp
    2008-09-01 21:49:28 ----A---- C:\ComboFix.txt
    2008-09-01 21:46:37 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-09-01 21:45:06 ----A---- C:\Boot.bak
    2008-09-01 21:44:56 ----D---- C:\cmdcons
    2008-09-01 20:12:03 ----A---- C:\WINDOWS\gmer.ini
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer_uninstall.cmd
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.exe
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.dll
    2008-09-01 17:26:07 ----D---- C:\!KillBox
    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 asgy41co;asgy41co; C:\WINDOWS\system32\drivers\asgy41co.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
     
  19. 2008/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    All of the files you mentioned are fine. Download mbr.exe and save it to your desktop.
    Double click mbr.exe to run it.
    It will open and close very quickly and produce the file mbr.log on the desktop.
    Double click mbr.log to open it and post its contents.


    I'll check it this evening.
     
  20. 2008/09/02
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    ok, thanks.

    Here is the log:

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
     
  21. 2008/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please paste the contents of the code box below into a command window and post the log it produces.

    Code:
    @echo off
    rem Write the service list, then the driver list, then the driver files on disk, to query.txt
    echo Services>query.txt
    echo.>>query.txt
    rem Keep only the SERVICE_NAME lines from sc query (case-insensitive match)
    sc query type= service | findstr /i  "service_name ">>query.txt
    echo.>>query.txt
    echo Drivers>>query.txt
    echo.>>query.txt
    sc query type= driver | findstr /i  "service_name ">>query.txt
    echo.>>query.txt
    rem Directory listing of every .sys file in the drivers folder
    dir C:\WINDOWS\system32\drivers\*.sys>>query.txt
    rem Open the result for copying into the thread, then close this window
    start notepad query.txt
    exit
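As an added triage example (not part of this thread, and not code from GMER, ComboFix or any other tool mentioned here), the Python script below parses lines laid out like the driver and service listing quoted above (`Rn`/`Sn`, `name;display; path [date size]`) and flags entries whose `[date size]` field is empty, i.e. the file was not found when the listing was produced. The sample listing, the `KNOWN_TOOL_DRIVERS` allowlist and the start-type reading are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same "List of drivers" / "List of services" layout
# as the log quoted in this thread; values are illustrative only.
SAMPLE_LISTING = r"""
List of drivers

R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 asgy41co;asgy41co; C:\WINDOWS\system32\drivers\asgy41co.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]

List of services

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]
"""

# Drivers registered by the scanning tools used in this thread (assumption for
# this example; adjust to the tools that were actually run on the machine).
KNOWN_TOOL_DRIVERS = {"catchme", "gmer"}

# R = running, S = stopped; the digit is the SCM start type (2 auto, 3 demand, 4 disabled).
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class Entry:
    kind: str            # "driver" or "service", taken from the section header
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    file_date: Optional[str]   # None when the [date size] field is empty
    file_size: Optional[int]


def parse_listing(text: str) -> List[Entry]:
    """Parse the listing text into Entry records, tracking which section each line is in."""
    entries: List[Entry] = []
    kind: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "list of drivers":
            kind = "driver"
            continue
        if line.lower() == "list of services":
            kind = "service"
            continue
        m = ENTRY_RE.match(line)
        if not m or kind is None:
            continue
        meta = m.group("meta").split()
        file_date = meta[0] if meta else None
        file_size = int(meta[1]) if len(meta) > 1 and meta[1].isdigit() else None
        entries.append(Entry(kind, m.group("state") == "R", int(m.group("start")),
                             m.group("name").strip(), m.group("display").strip(),
                             m.group("path").strip(), file_date, file_size))
    return entries


def triage(entries: List[Entry]) -> List[dict]:
    """Return the entries that deserve a second look, each with the reasons."""
    findings = []
    for e in entries:
        if e.name.lower() in KNOWN_TOOL_DRIVERS:
            continue
        reasons = []
        if e.file_date is None:
            # Empty [date size]: the listing tool could not find the file. A stopped
            # entry is a dead registration to clean up; a running one means code is
            # loaded from somewhere other than the recorded path and needs attention.
            reasons.append("registered file not found" + (" while running" if e.running else ""))
        if reasons and e.display == e.name:
            reasons.append("display name equals service name (typical of auto-generated entries)")
        if reasons:
            findings.append({"name": e.name, "kind": e.kind, "path": e.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{f['kind']:7} {f['name']:20} {f['path']}")
        for r in f["reasons"]:
            print(f"        - {r}")
```

Run against a real listing, the script reads a pasted log from a file instead of `SAMPLE_LISTING`; the flagged names are a starting point for checking the registry entries and paths by hand, not a verdict.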
    
     
