
Solved Another Virtumonde victim who needs help

Discussion in 'Malware and Virus Removal Archive' started by Nokanda, 2008/08/29.

  1. 2008/09/02
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Hi. Here's the log:

    Services

    SERVICE_NAME: ALG
    SERVICE_NAME: AudioSrv
    SERVICE_NAME: avg8emc
    SERVICE_NAME: avg8wd
    SERVICE_NAME: CryptSvc
    SERVICE_NAME: DcomLaunch
    SERVICE_NAME: DefWatch
    SERVICE_NAME: Dhcp
    SERVICE_NAME: dmserver
    SERVICE_NAME: Dnscache
    SERVICE_NAME: ERSvc
    SERVICE_NAME: Eventlog
    SERVICE_NAME: EventSystem
    SERVICE_NAME: FastUserSwitchingCompatibility
    SERVICE_NAME: gusvc
    SERVICE_NAME: helpsvc
    SERVICE_NAME: lanmanserver
    SERVICE_NAME: lanmanworkstation
    SERVICE_NAME: LmHosts
    SERVICE_NAME: Netman
    SERVICE_NAME: Nla
    SERVICE_NAME: PlugPlay
    SERVICE_NAME: PolicyAgent
    SERVICE_NAME: ProtectedStorage
    SERVICE_NAME: RasMan
    SERVICE_NAME: RemoteRegistry
    SERVICE_NAME: RichVideo
    SERVICE_NAME: RpcSs
    SERVICE_NAME: SamSs
    SERVICE_NAME: Schedule
    SERVICE_NAME: seclogon
    SERVICE_NAME: SENS
    SERVICE_NAME: SharedAccess
    SERVICE_NAME: ShellHWDetection
    SERVICE_NAME: Spooler
    SERVICE_NAME: srservice
    SERVICE_NAME: SSDPSRV
    SERVICE_NAME: stisvc
    SERVICE_NAME: TapiSrv
    SERVICE_NAME: TermService
    SERVICE_NAME: Themes
    SERVICE_NAME: TrkWks
    SERVICE_NAME: UMWdf
    SERVICE_NAME: usnjsvc
    SERVICE_NAME: W32Time
    SERVICE_NAME: WebClient
    SERVICE_NAME: winmgmt
    SERVICE_NAME: wscsvc
    SERVICE_NAME: wuauserv
    SERVICE_NAME: WZCSVC

    Drivers

    SERVICE_NAME: ac97intc
    SERVICE_NAME: ACPI
    SERVICE_NAME: AFD
    SERVICE_NAME: agp440
    SERVICE_NAME: atapi
    SERVICE_NAME: audstub
    SERVICE_NAME: AvgLdx86
    SERVICE_NAME: AvgMfx86
    SERVICE_NAME: AvgTdiX
    SERVICE_NAME: Beep
    SERVICE_NAME: Cdfs
    SERVICE_NAME: Cdrom
    SERVICE_NAME: Disk
    SERVICE_NAME: dmio
    SERVICE_NAME: dmload
    SERVICE_NAME: EL90XBC
    SERVICE_NAME: Fastfat
    SERVICE_NAME: Fdc
    SERVICE_NAME: Fips
    SERVICE_NAME: Flpydisk
    SERVICE_NAME: FltMgr
    SERVICE_NAME: Ftdisk
    SERVICE_NAME: Gpc
    SERVICE_NAME: HTTP
    SERVICE_NAME: i8042prt
    SERVICE_NAME: Imapi
    SERVICE_NAME: INIDVD
    SERVICE_NAME: IntelIde
    SERVICE_NAME: IpNat
    SERVICE_NAME: IPSec
    SERVICE_NAME: isapnp
    SERVICE_NAME: Kbdclass
    SERVICE_NAME: kmixer
    SERVICE_NAME: KSecDD
    SERVICE_NAME: mnmdd
    SERVICE_NAME: Mouclass
    SERVICE_NAME: MountMgr
    SERVICE_NAME: MRxDAV
    SERVICE_NAME: MRxSmb
    SERVICE_NAME: Msfs
    SERVICE_NAME: mssmbios
    SERVICE_NAME: Mup
    SERVICE_NAME: NAVAPEL
    SERVICE_NAME: NDIS
    SERVICE_NAME: NdisTapi
    SERVICE_NAME: Ndisuio
    SERVICE_NAME: NdisWan
    SERVICE_NAME: NDProxy
    SERVICE_NAME: NetBIOS
    SERVICE_NAME: NetBT
    SERVICE_NAME: Npfs
    SERVICE_NAME: Ntfs
    SERVICE_NAME: Null
    SERVICE_NAME: nv
    SERVICE_NAME: Parport
    SERVICE_NAME: PartMgr
    SERVICE_NAME: ParVdm
    SERVICE_NAME: PCI
    SERVICE_NAME: PptpMiniport
    SERVICE_NAME: Processor
    SERVICE_NAME: PSched
    SERVICE_NAME: Ptilink
    SERVICE_NAME: RasAcd
    SERVICE_NAME: Rasl2tp
    SERVICE_NAME: RasPppoe
    SERVICE_NAME: Raspti
    SERVICE_NAME: Rdbss
    SERVICE_NAME: RDPCDD
    SERVICE_NAME: rdpdr
    SERVICE_NAME: redbook
    SERVICE_NAME: SCDEmu
    SERVICE_NAME: serenum
    SERVICE_NAME: Serial
    SERVICE_NAME: sptd
    SERVICE_NAME: sr
    SERVICE_NAME: Srv
    SERVICE_NAME: swenum
    SERVICE_NAME: sysaudio
    SERVICE_NAME: Tcpip
    SERVICE_NAME: TermDD
    SERVICE_NAME: Udfs
    SERVICE_NAME: Update
    SERVICE_NAME: usbccgp
    SERVICE_NAME: usbehci
    SERVICE_NAME: usbhub
    SERVICE_NAME: usbprint
    SERVICE_NAME: usbscan
    SERVICE_NAME: usbstor
    SERVICE_NAME: usbuhci
    SERVICE_NAME: VgaSave
    SERVICE_NAME: VolSnap
    SERVICE_NAME: Wanarp
    SERVICE_NAME: wdmaud

    Volume in drive C has no label.
    Volume Serial Number is 5816-79C8

    Directory of C:\WINDOWS\system32\drivers

    08/17/2001 08:20 AM 96,256 ac97intc.sys
    08/04/2004 08:00 AM 187,776 acpi.sys
    08/04/2004 08:00 AM 11,648 acpiec.sys
    08/03/2004 06:39 PM 142,464 aec.sys
    08/04/2004 08:00 AM 138,496 afd.sys
    08/03/2004 07:07 PM 42,368 AGP440.SYS
    08/04/2004 08:00 AM 36,992 amdk6.sys
    08/04/2004 08:00 AM 37,376 amdk7.sys
    08/04/2004 08:00 AM 60,800 arp1394.sys
    08/04/2004 08:00 AM 14,336 asyncmac.sys
    08/04/2004 08:00 AM 95,360 atapi.sys
    08/04/2004 08:00 AM 59,904 atmarpc.sys
    08/04/2004 08:00 AM 31,360 atmepvc.sys
    08/04/2004 08:00 AM 55,936 atmlane.sys
    08/04/2004 08:00 AM 352,256 atmuni.sys
    08/17/2001 09:59 AM 3,072 audstub.sys
    08/28/2008 09:41 PM 97,928 avgldx86.sys
    08/26/2008 02:24 AM 26,824 avgmfx86.sys
    08/26/2008 02:24 AM 76,040 avgtdix.sys
    08/04/2004 08:00 AM 4,224 beep.sys
    08/04/2004 08:00 AM 71,552 bridge.sys
    08/04/2004 08:00 AM 13,952 cbidf2k.sys
    08/04/2004 08:00 AM 18,688 cdaudio.sys
    08/04/2004 08:00 AM 63,744 cdfs.sys
    08/04/2004 08:00 AM 49,536 cdrom.sys
    08/04/2004 08:00 AM 262,528 cinemst2.sys
    08/04/2004 08:00 AM 49,664 classpnp.sys
    08/04/2004 08:00 AM 11,776 cpqdap01.sys
    08/04/2004 08:00 AM 36,480 crusoe.sys
    08/04/2004 08:00 AM 36,352 disk.sys
    08/04/2004 08:00 AM 14,208 diskdump.sys
    08/04/2004 08:00 AM 799,744 dmboot.sys
    08/04/2004 08:00 AM 153,344 dmio.sys
    08/04/2004 08:00 AM 5,888 dmload.sys
    08/03/2004 07:07 PM 52,864 DMusic.sys
    08/03/2004 07:08 PM 60,288 drmk.sys
    08/03/2004 07:07 PM 2,944 drmkaud.sys
    08/04/2004 08:00 AM 10,496 dxapi.sys
    08/04/2004 08:00 AM 71,040 dxg.sys
    08/04/2004 08:00 AM 3,328 dxgthk.sys
    08/17/2001 08:11 AM 66,591 el90xbc5.sys
    08/04/2004 08:00 AM 143,360 fastfat.sys
    08/04/2004 08:00 AM 27,392 fdc.sys
    08/04/2004 08:00 AM 34,944 fips.sys
    08/04/2004 08:00 AM 20,480 flpydisk.sys
    08/21/2006 05:14 AM 128,896 fltmgr.sys
    08/04/2004 08:00 AM 12,160 fsvga.sys
    08/04/2004 08:00 AM 7,936 fs_rec.sys
    08/04/2004 08:00 AM 125,056 ftdisk.sys
    09/01/2008 08:12 PM 85,969 gmer.sys
    08/04/2004 08:00 AM 36,224 hidclass.sys
    08/04/2004 08:00 AM 24,960 hidparse.sys
    08/04/2004 08:00 AM 263,040 http.sys
    08/04/2004 08:00 AM 52,736 i8042prt.sys
    08/04/2004 08:00 AM 41,856 imapi.sys
    11/07/2007 10:18 AM 7,936 inidvd.sys
    08/04/2004 08:00 AM 5,504 intelide.sys
    08/04/2004 08:00 AM 36,096 intelppm.sys
    08/04/2004 08:00 AM 29,056 ip6fw.sys
    08/04/2004 08:00 AM 32,896 ipfltdrv.sys
    08/04/2004 08:00 AM 20,992 ipinip.sys
    08/04/2004 08:00 AM 134,912 ipnat.sys
    08/04/2004 08:00 AM 74,752 ipsec.sys
    08/04/2004 08:00 AM 11,264 irenum.sys
    08/04/2004 08:00 AM 35,840 isapnp.sys
    08/04/2004 08:00 AM 24,576 kbdclass.sys
    08/03/2004 07:07 PM 171,776 kmixer.sys
    08/04/2004 08:00 AM 140,928 ks.sys
    08/04/2004 08:00 AM 92,032 ksecdd.sys
    08/17/2008 03:01 PM 17,144 mbam.sys
    08/17/2008 03:01 PM 38,472 mbamswissarmy.sys
    08/04/2004 08:00 AM 7,680 mcd.sys
    08/04/2004 08:00 AM 63,744 mf.sys
    08/04/2004 08:00 AM 4,224 mnmdd.sys
    08/04/2004 08:00 AM 30,080 modem.sys
    08/04/2004 08:00 AM 23,040 mouclass.sys
    08/04/2004 08:00 AM 42,240 mountmgr.sys
    08/04/2004 08:00 AM 72,960 mqac.sys
    08/04/2004 08:00 AM 181,248 mrxdav.sys
    08/04/2004 08:00 AM 451,456 mrxsmb.sys
    08/04/2004 08:00 AM 19,072 msfs.sys
    08/04/2004 08:00 AM 35,072 msgpc.sys
    08/03/2004 06:58 PM 7,552 MSKSSRV.sys
    08/03/2004 06:58 PM 5,376 MSPCLOCK.sys
    08/03/2004 06:58 PM 4,992 MSPQM.sys
    08/04/2004 08:00 AM 15,488 mssmbios.sys
    08/04/2004 08:00 AM 107,904 mup.sys
    08/04/2004 08:00 AM 182,912 ndis.sys
    08/04/2004 08:00 AM 9,600 ndistapi.sys
    08/04/2004 08:00 AM 12,928 ndisuio.sys
    08/04/2004 08:00 AM 91,776 ndiswan.sys
    08/04/2004 08:00 AM 38,016 ndproxy.sys
    08/04/2004 08:00 AM 34,560 netbios.sys
    08/04/2004 08:00 AM 162,816 netbt.sys
    08/04/2004 08:00 AM 61,824 nic1394.sys
    08/04/2004 08:00 AM 12,032 nikedrv.sys
    08/04/2004 08:00 AM 40,320 nmnt.sys
    08/04/2004 08:00 AM 30,848 npfs.sys
    08/04/2004 08:00 AM 574,592 ntfs.sys
    08/04/2004 08:00 AM 2,944 null.sys
    08/03/2004 06:29 PM 1,897,408 nv4_mini.sys
    08/04/2004 08:00 AM 12,416 nwlnkflt.sys
    08/04/2004 08:00 AM 32,512 nwlnkfwd.sys
    08/04/2004 08:00 AM 88,448 nwlnkipx.sys
    08/04/2004 08:00 AM 63,232 nwlnknb.sys
    08/04/2004 08:00 AM 55,936 nwlnkspx.sys
    08/04/2004 08:00 AM 163,584 nwrdr.sys
    08/04/2004 08:00 AM 3,456 oprghdlr.sys
    08/04/2004 08:00 AM 42,496 p3.sys
    08/04/2004 08:00 AM 80,128 parport.sys
    08/04/2004 08:00 AM 18,688 partmgr.sys
    08/04/2004 08:00 AM 6,784 parvdm.sys
    08/04/2004 08:00 AM 68,224 pci.sys
    08/04/2004 08:00 AM 25,088 pciidex.sys
    08/04/2004 08:00 AM 119,936 pcmcia.sys
    08/03/2004 07:15 PM 145,792 portcls.sys
    08/04/2004 08:00 AM 35,328 processr.sys
    08/04/2004 08:00 AM 69,120 psched.sys
    08/04/2004 08:00 AM 17,792 ptilink.sys
    08/04/2004 08:00 AM 8,832 rasacd.sys
    08/04/2004 08:00 AM 51,328 rasl2tp.sys
    08/04/2004 08:00 AM 41,472 raspppoe.sys
    08/04/2004 08:00 AM 48,384 raspptp.sys
    08/04/2004 08:00 AM 16,512 raspti.sys
    08/04/2004 08:00 AM 34,432 rawwan.sys
    08/04/2004 08:00 AM 176,512 rdbss.sys
    08/04/2004 08:00 AM 4,224 rdpcdd.sys
    08/03/2004 11:01 PM 196,864 rdpdr.sys
    08/04/2004 08:00 AM 139,400 rdpwd.sys
    08/03/2004 06:59 PM 57,472 redbook.sys
    08/04/2004 08:00 AM 12,032 rio8drv.sys
    08/04/2004 08:00 AM 12,032 riodrv.sys
    08/04/2004 08:00 AM 200,064 RMCast.sys
    08/04/2004 08:00 AM 30,080 rndismp.sys
    08/04/2004 08:00 AM 5,888 rootmdm.sys
    01/20/2007 03:11 AM 31,644 scdemu.sys
    08/04/2004 08:00 AM 96,256 scsiport.sys
    08/04/2004 08:00 AM 67,584 sdbus.sys
    08/04/2004 08:00 AM 27,440 secdrv.sys
    08/04/2004 08:00 AM 15,488 serenum.sys
    08/04/2004 08:00 AM 64,896 serial.sys
    08/04/2004 08:00 AM 11,136 sffdisk.sys
    08/04/2004 08:00 AM 10,240 sffp_sd.sys
    08/04/2004 08:00 AM 11,392 sfloppy.sys
    08/04/2004 08:00 AM 14,592 smclib.sys
    08/04/2004 08:00 AM 25,472 sonydcam.sys
    08/03/2004 07:07 PM 6,400 splitter.sys
    12/09/2007 07:35 PM 682,232 sptd.sys
    08/04/2004 08:00 AM 73,472 sr.sys
    08/04/2004 08:00 AM 336,256 srv.sys
    08/04/2004 08:00 AM 48,640 stream.sys
    08/04/2004 08:00 AM 4,352 swenum.sys
    08/17/2001 10:00 AM 54,272 swmidi.sys
    09/24/2001 07:59 AM 57,696 SYMEVENT.SYS
    08/03/2004 07:15 PM 60,800 sysaudio.sys
    08/04/2004 08:00 AM 14,976 tape.sys
    08/04/2004 08:00 AM 359,040 tcpip.sys
    08/04/2004 08:00 AM 223,616 tcpip6.sys
    08/04/2004 08:00 AM 18,560 tdi.sys
    08/04/2004 08:00 AM 12,040 tdpipe.sys
    08/04/2004 08:00 AM 21,896 tdtcp.sys
    08/04/2004 01:01 AM 40,840 termdd.sys
    08/04/2004 08:00 AM 51,712 tosdvd.sys
    08/04/2004 08:00 AM 21,376 tsbvcap.sys
    08/04/2004 08:00 AM 12,416 tunmp.sys
    08/04/2004 08:00 AM 66,176 udfs.sys
    08/04/2004 08:00 AM 209,408 update.sys
    08/04/2004 08:00 AM 12,672 usb8023.sys
    08/04/2004 08:00 AM 23,808 usbcamd.sys
    08/04/2004 08:00 AM 23,936 usbcamd2.sys
    08/04/2004 12:08 AM 31,616 usbccgp.sys
    08/04/2004 08:00 AM 4,736 usbd.sys
    08/03/2004 11:08 PM 26,624 usbehci.sys
    08/04/2004 08:00 AM 57,600 usbhub.sys
    08/04/2004 08:00 AM 16,000 usbintel.sys
    08/04/2004 08:00 AM 142,976 usbport.sys
    08/04/2004 12:01 AM 25,856 usbprint.sys
    08/03/2004 11:58 PM 15,104 usbscan.sys
    08/04/2004 08:00 AM 26,496 usbstor.sys
    08/04/2004 08:00 AM 20,480 usbuhci.sys
    08/04/2004 08:00 AM 58,112 vdmindvd.sys
    08/04/2004 08:00 AM 20,992 vga.sys
    08/04/2004 08:00 AM 79,744 videoprt.sys
    08/04/2004 08:00 AM 52,352 volsnap.sys
    08/04/2004 08:00 AM 34,560 wanarp.sys
    08/03/2004 07:15 PM 82,944 wdmaud.sys
    08/04/2004 08:00 AM 4,352 wmilib.sys
    08/11/2004 01:45 AM 18,944 wpdusb.sys
    08/04/2004 08:00 AM 12,032 ws2ifsl.sys
    189 File(s) 15,159,052 bytes
    0 Dir(s) 31,271,448,576 bytes free
     
  2. 2008/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not quite what I wanted in that output. Let's run another variation and have a look at its log.

    Code:
    @echo off
    REM List every service, running or stopped, keeping only the name and state lines
    sc query state= all | findstr /i  "service_name state ">query.txt
    echo.>>query.txt
    REM Append every .sys file in the drivers folder, hidden ones included.
    REM Note: with a space before h, cmd reads /a on its own (all attributes) and
    REM takes h as a second filespec in the current folder, which is why the
    REM resulting log ends with a second "Directory of" line for the user's profile.
    dir C:\WINDOWS\system32\drivers\*.sys /a h >>query.txt
    start notepad query.txt
    exit
    cls
    
     

  4. 2008/09/02
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Ok, here it is:

    SERVICE_NAME: Alerter
    STATE : 1 STOPPED
    SERVICE_NAME: ALG
    STATE : 4 RUNNING
    SERVICE_NAME: AppMgmt
    STATE : 1 STOPPED
    SERVICE_NAME: aspnet_state
    DISPLAY_NAME: ASP.NET State Service
    STATE : 1 STOPPED
    SERVICE_NAME: AudioSrv
    STATE : 4 RUNNING
    SERVICE_NAME: avg8emc
    STATE : 4 RUNNING
    SERVICE_NAME: avg8wd
    STATE : 4 RUNNING
    SERVICE_NAME: BITS
    STATE : 1 STOPPED
    SERVICE_NAME: Browser
    STATE : 1 STOPPED
    SERVICE_NAME: CiSvc
    STATE : 1 STOPPED
    SERVICE_NAME: ClipSrv
    STATE : 1 STOPPED
    SERVICE_NAME: clr_optimization_v2.0.50727_32
    STATE : 1 STOPPED
    SERVICE_NAME: COMSysApp
    STATE : 1 STOPPED
    SERVICE_NAME: CryptSvc
    STATE : 4 RUNNING
    SERVICE_NAME: DcomLaunch
    STATE : 4 RUNNING
    SERVICE_NAME: DefWatch
    STATE : 4 RUNNING
    SERVICE_NAME: Dhcp
    STATE : 4 RUNNING
    SERVICE_NAME: dmadmin
    STATE : 1 STOPPED
    SERVICE_NAME: dmserver
    STATE : 4 RUNNING
    SERVICE_NAME: Dnscache
    STATE : 4 RUNNING
    SERVICE_NAME: ERSvc
    STATE : 4 RUNNING
    SERVICE_NAME: Eventlog
    STATE : 4 RUNNING
    SERVICE_NAME: EventSystem
    STATE : 4 RUNNING
    SERVICE_NAME: FastUserSwitchingCompatibility
    STATE : 4 RUNNING
    SERVICE_NAME: gusvc
    STATE : 4 RUNNING
    SERVICE_NAME: helpsvc
    STATE : 4 RUNNING
    SERVICE_NAME: HidServ
    STATE : 1 STOPPED
    SERVICE_NAME: HTTPFilter
    STATE : 1 STOPPED
    SERVICE_NAME: IDriverT
    STATE : 1 STOPPED
    SERVICE_NAME: ImapiService
    STATE : 1 STOPPED
    SERVICE_NAME: lanmanserver
    STATE : 4 RUNNING
    SERVICE_NAME: lanmanworkstation
    STATE : 4 RUNNING
    SERVICE_NAME: LmHosts
    STATE : 4 RUNNING
    SERVICE_NAME: Messenger
    STATE : 1 STOPPED
    SERVICE_NAME: mnmsrvc
    STATE : 1 STOPPED
    SERVICE_NAME: MSDTC
    STATE : 1 STOPPED
    SERVICE_NAME: MSIServer
    STATE : 1 STOPPED
    SERVICE_NAME: NetDDE
    STATE : 1 STOPPED
    SERVICE_NAME: NetDDEdsdm
    STATE : 1 STOPPED
    SERVICE_NAME: Netlogon
    STATE : 1 STOPPED
    SERVICE_NAME: Netman
    STATE : 4 RUNNING
    SERVICE_NAME: Nla
    STATE : 4 RUNNING
    SERVICE_NAME: NMIndexingService
    STATE : 1 STOPPED
    SERVICE_NAME: Norton AntiVirus Server
    STATE : 1 STOPPED
    SERVICE_NAME: NtLmSsp
    STATE : 1 STOPPED
    SERVICE_NAME: NtmsSvc
    STATE : 1 STOPPED
    SERVICE_NAME: ose
    STATE : 1 STOPPED
    SERVICE_NAME: PlugPlay
    STATE : 4 RUNNING
    SERVICE_NAME: PolicyAgent
    STATE : 4 RUNNING
    SERVICE_NAME: ProtectedStorage
    STATE : 4 RUNNING
    SERVICE_NAME: RasAuto
    STATE : 1 STOPPED
    SERVICE_NAME: RasMan
    STATE : 4 RUNNING
    SERVICE_NAME: RDSessMgr
    STATE : 1 STOPPED
    SERVICE_NAME: RemoteAccess
    STATE : 1 STOPPED
    SERVICE_NAME: RemoteRegistry
    STATE : 4 RUNNING
    SERVICE_NAME: RichVideo
    STATE : 4 RUNNING
    SERVICE_NAME: RpcLocator
    STATE : 1 STOPPED
    SERVICE_NAME: RpcSs
    STATE : 4 RUNNING
    SERVICE_NAME: RSVP
    STATE : 1 STOPPED
    SERVICE_NAME: SamSs
    STATE : 4 RUNNING
    SERVICE_NAME: SCardSvr
    STATE : 1 STOPPED
    SERVICE_NAME: Schedule
    STATE : 4 RUNNING
    SERVICE_NAME: seclogon
    STATE : 4 RUNNING
    SERVICE_NAME: SENS
    STATE : 4 RUNNING
    SERVICE_NAME: SharedAccess
    STATE : 4 RUNNING
    SERVICE_NAME: ShellHWDetection
    STATE : 4 RUNNING
    SERVICE_NAME: Spooler
    STATE : 4 RUNNING
    SERVICE_NAME: srservice
    STATE : 4 RUNNING
    SERVICE_NAME: SSDPSRV
    STATE : 4 RUNNING
    SERVICE_NAME: stisvc
    STATE : 4 RUNNING
    SERVICE_NAME: SwPrv
    STATE : 1 STOPPED
    SERVICE_NAME: SysmonLog
    STATE : 1 STOPPED
    SERVICE_NAME: TapiSrv
    STATE : 4 RUNNING
    SERVICE_NAME: TermService
    STATE : 4 RUNNING
    SERVICE_NAME: Themes
    STATE : 4 RUNNING
    SERVICE_NAME: TlntSvr
    STATE : 1 STOPPED
    SERVICE_NAME: TrkWks
    STATE : 4 RUNNING
    SERVICE_NAME: UMWdf
    STATE : 4 RUNNING
    SERVICE_NAME: upnphost
    STATE : 1 STOPPED
    SERVICE_NAME: UPS
    STATE : 1 STOPPED
    SERVICE_NAME: usnjsvc
    STATE : 4 RUNNING
    SERVICE_NAME: VSS
    STATE : 1 STOPPED
    SERVICE_NAME: W32Time
    STATE : 4 RUNNING
    SERVICE_NAME: WebClient
    STATE : 4 RUNNING
    SERVICE_NAME: winmgmt
    STATE : 4 RUNNING
    SERVICE_NAME: WmdmPmSN
    STATE : 1 STOPPED
    SERVICE_NAME: Wmi
    STATE : 1 STOPPED
    SERVICE_NAME: WmiApSrv
    STATE : 1 STOPPED
    SERVICE_NAME: wscsvc
    STATE : 4 RUNNING
    SERVICE_NAME: wuauserv
    STATE : 4 RUNNING
    SERVICE_NAME: WZCSVC
    STATE : 4 RUNNING
    SERVICE_NAME: xmlprov
    STATE : 1 STOPPED

    Volume in drive C has no label.
    Volume Serial Number is 5816-79C8

    Directory of C:\WINDOWS\system32\drivers

    08/17/2001 08:20 AM 96,256 ac97intc.sys
    08/04/2004 08:00 AM 187,776 acpi.sys
    08/04/2004 08:00 AM 11,648 acpiec.sys
    08/03/2004 06:39 PM 142,464 aec.sys
    08/04/2004 08:00 AM 138,496 afd.sys
    08/03/2004 07:07 PM 42,368 AGP440.SYS
    08/04/2004 08:00 AM 36,992 amdk6.sys
    08/04/2004 08:00 AM 37,376 amdk7.sys
    08/04/2004 08:00 AM 60,800 arp1394.sys
    08/04/2004 08:00 AM 14,336 asyncmac.sys
    08/04/2004 08:00 AM 95,360 atapi.sys
    08/04/2004 08:00 AM 59,904 atmarpc.sys
    08/04/2004 08:00 AM 31,360 atmepvc.sys
    08/04/2004 08:00 AM 55,936 atmlane.sys
    08/04/2004 08:00 AM 352,256 atmuni.sys
    08/17/2001 09:59 AM 3,072 audstub.sys
    08/28/2008 09:41 PM 97,928 avgldx86.sys
    08/26/2008 02:24 AM 26,824 avgmfx86.sys
    08/26/2008 02:24 AM 76,040 avgtdix.sys
    08/04/2004 08:00 AM 4,224 beep.sys
    08/04/2004 08:00 AM 71,552 bridge.sys
    08/04/2004 08:00 AM 13,952 cbidf2k.sys
    08/04/2004 08:00 AM 18,688 cdaudio.sys
    08/04/2004 08:00 AM 63,744 cdfs.sys
    08/04/2004 08:00 AM 49,536 cdrom.sys
    08/04/2004 08:00 AM 262,528 cinemst2.sys
    08/04/2004 08:00 AM 49,664 classpnp.sys
    08/04/2004 08:00 AM 11,776 cpqdap01.sys
    08/04/2004 08:00 AM 36,480 crusoe.sys
    08/04/2004 08:00 AM 36,352 disk.sys
    08/04/2004 08:00 AM 14,208 diskdump.sys
    08/04/2004 08:00 AM 799,744 dmboot.sys
    08/04/2004 08:00 AM 153,344 dmio.sys
    08/04/2004 08:00 AM 5,888 dmload.sys
    08/03/2004 07:07 PM 52,864 DMusic.sys
    08/03/2004 07:08 PM 60,288 drmk.sys
    08/03/2004 07:07 PM 2,944 drmkaud.sys
    08/04/2004 08:00 AM 10,496 dxapi.sys
    08/04/2004 08:00 AM 71,040 dxg.sys
    08/04/2004 08:00 AM 3,328 dxgthk.sys
    08/17/2001 08:11 AM 66,591 el90xbc5.sys
    08/04/2004 08:00 AM 143,360 fastfat.sys
    08/04/2004 08:00 AM 27,392 fdc.sys
    08/04/2004 08:00 AM 34,944 fips.sys
    08/04/2004 08:00 AM 20,480 flpydisk.sys
    08/21/2006 05:14 AM 128,896 fltmgr.sys
    08/04/2004 08:00 AM 12,160 fsvga.sys
    08/04/2004 08:00 AM 7,936 fs_rec.sys
    08/04/2004 08:00 AM 125,056 ftdisk.sys
    09/01/2008 08:12 PM 85,969 gmer.sys
    08/04/2004 08:00 AM 36,224 hidclass.sys
    08/04/2004 08:00 AM 24,960 hidparse.sys
    08/04/2004 08:00 AM 263,040 http.sys
    08/04/2004 08:00 AM 52,736 i8042prt.sys
    08/04/2004 08:00 AM 41,856 imapi.sys
    11/07/2007 10:18 AM 7,936 inidvd.sys
    08/04/2004 08:00 AM 5,504 intelide.sys
    08/04/2004 08:00 AM 36,096 intelppm.sys
    08/04/2004 08:00 AM 29,056 ip6fw.sys
    08/04/2004 08:00 AM 32,896 ipfltdrv.sys
    08/04/2004 08:00 AM 20,992 ipinip.sys
    08/04/2004 08:00 AM 134,912 ipnat.sys
    08/04/2004 08:00 AM 74,752 ipsec.sys
    08/04/2004 08:00 AM 11,264 irenum.sys
    08/04/2004 08:00 AM 35,840 isapnp.sys
    08/04/2004 08:00 AM 24,576 kbdclass.sys
    08/03/2004 07:07 PM 171,776 kmixer.sys
    08/04/2004 08:00 AM 140,928 ks.sys
    08/04/2004 08:00 AM 92,032 ksecdd.sys
    08/17/2008 03:01 PM 17,144 mbam.sys
    08/17/2008 03:01 PM 38,472 mbamswissarmy.sys
    08/04/2004 08:00 AM 7,680 mcd.sys
    08/04/2004 08:00 AM 63,744 mf.sys
    08/04/2004 08:00 AM 4,224 mnmdd.sys
    08/04/2004 08:00 AM 30,080 modem.sys
    08/04/2004 08:00 AM 23,040 mouclass.sys
    08/04/2004 08:00 AM 42,240 mountmgr.sys
    08/04/2004 08:00 AM 72,960 mqac.sys
    08/04/2004 08:00 AM 181,248 mrxdav.sys
    08/04/2004 08:00 AM 451,456 mrxsmb.sys
    08/04/2004 08:00 AM 19,072 msfs.sys
    08/04/2004 08:00 AM 35,072 msgpc.sys
    08/03/2004 06:58 PM 7,552 MSKSSRV.sys
    08/03/2004 06:58 PM 5,376 MSPCLOCK.sys
    08/03/2004 06:58 PM 4,992 MSPQM.sys
    08/04/2004 08:00 AM 15,488 mssmbios.sys
    08/04/2004 08:00 AM 107,904 mup.sys
    08/04/2004 08:00 AM 182,912 ndis.sys
    08/04/2004 08:00 AM 9,600 ndistapi.sys
    08/04/2004 08:00 AM 12,928 ndisuio.sys
    08/04/2004 08:00 AM 91,776 ndiswan.sys
    08/04/2004 08:00 AM 38,016 ndproxy.sys
    08/04/2004 08:00 AM 34,560 netbios.sys
    08/04/2004 08:00 AM 162,816 netbt.sys
    08/04/2004 08:00 AM 61,824 nic1394.sys
    08/04/2004 08:00 AM 12,032 nikedrv.sys
    08/04/2004 08:00 AM 40,320 nmnt.sys
    08/04/2004 08:00 AM 30,848 npfs.sys
    08/04/2004 08:00 AM 574,592 ntfs.sys
    08/04/2004 08:00 AM 2,944 null.sys
    08/03/2004 06:29 PM 1,897,408 nv4_mini.sys
    08/04/2004 08:00 AM 12,416 nwlnkflt.sys
    08/04/2004 08:00 AM 32,512 nwlnkfwd.sys
    08/04/2004 08:00 AM 88,448 nwlnkipx.sys
    08/04/2004 08:00 AM 63,232 nwlnknb.sys
    08/04/2004 08:00 AM 55,936 nwlnkspx.sys
    08/04/2004 08:00 AM 163,584 nwrdr.sys
    08/04/2004 08:00 AM 3,456 oprghdlr.sys
    08/04/2004 08:00 AM 42,496 p3.sys
    08/04/2004 08:00 AM 80,128 parport.sys
    08/04/2004 08:00 AM 18,688 partmgr.sys
    08/04/2004 08:00 AM 6,784 parvdm.sys
    08/04/2004 08:00 AM 68,224 pci.sys
    08/04/2004 08:00 AM 25,088 pciidex.sys
    08/04/2004 08:00 AM 119,936 pcmcia.sys
    08/03/2004 07:15 PM 145,792 portcls.sys
    08/04/2004 08:00 AM 35,328 processr.sys
    08/04/2004 08:00 AM 69,120 psched.sys
    08/04/2004 08:00 AM 17,792 ptilink.sys
    08/04/2004 08:00 AM 8,832 rasacd.sys
    08/04/2004 08:00 AM 51,328 rasl2tp.sys
    08/04/2004 08:00 AM 41,472 raspppoe.sys
    08/04/2004 08:00 AM 48,384 raspptp.sys
    08/04/2004 08:00 AM 16,512 raspti.sys
    08/04/2004 08:00 AM 34,432 rawwan.sys
    08/04/2004 08:00 AM 176,512 rdbss.sys
    08/04/2004 08:00 AM 4,224 rdpcdd.sys
    08/03/2004 11:01 PM 196,864 rdpdr.sys
    08/04/2004 08:00 AM 139,400 rdpwd.sys
    08/03/2004 06:59 PM 57,472 redbook.sys
    08/04/2004 08:00 AM 12,032 rio8drv.sys
    08/04/2004 08:00 AM 12,032 riodrv.sys
    08/04/2004 08:00 AM 200,064 RMCast.sys
    08/04/2004 08:00 AM 30,080 rndismp.sys
    08/04/2004 08:00 AM 5,888 rootmdm.sys
    01/20/2007 03:11 AM 31,644 scdemu.sys
    08/04/2004 08:00 AM 96,256 scsiport.sys
    08/04/2004 08:00 AM 67,584 sdbus.sys
    08/04/2004 08:00 AM 27,440 secdrv.sys
    08/04/2004 08:00 AM 15,488 serenum.sys
    08/04/2004 08:00 AM 64,896 serial.sys
    08/04/2004 08:00 AM 11,136 sffdisk.sys
    08/04/2004 08:00 AM 10,240 sffp_sd.sys
    08/04/2004 08:00 AM 11,392 sfloppy.sys
    08/04/2004 08:00 AM 14,592 smclib.sys
    08/04/2004 08:00 AM 25,472 sonydcam.sys
    08/03/2004 07:07 PM 6,400 splitter.sys
    12/09/2007 07:35 PM 682,232 sptd.sys
    08/04/2004 08:00 AM 73,472 sr.sys
    08/04/2004 08:00 AM 336,256 srv.sys
    08/04/2004 08:00 AM 48,640 stream.sys
    08/04/2004 08:00 AM 4,352 swenum.sys
    08/17/2001 10:00 AM 54,272 swmidi.sys
    09/24/2001 07:59 AM 57,696 SYMEVENT.SYS
    08/03/2004 07:15 PM 60,800 sysaudio.sys
    08/04/2004 08:00 AM 14,976 tape.sys
    08/04/2004 08:00 AM 359,040 tcpip.sys
    08/04/2004 08:00 AM 223,616 tcpip6.sys
    08/04/2004 08:00 AM 18,560 tdi.sys
    08/04/2004 08:00 AM 12,040 tdpipe.sys
    08/04/2004 08:00 AM 21,896 tdtcp.sys
    08/04/2004 01:01 AM 40,840 termdd.sys
    08/04/2004 08:00 AM 51,712 tosdvd.sys
    08/04/2004 08:00 AM 21,376 tsbvcap.sys
    08/04/2004 08:00 AM 12,416 tunmp.sys
    08/04/2004 08:00 AM 66,176 udfs.sys
    08/04/2004 08:00 AM 209,408 update.sys
    08/04/2004 08:00 AM 12,672 usb8023.sys
    08/04/2004 08:00 AM 23,808 usbcamd.sys
    08/04/2004 08:00 AM 23,936 usbcamd2.sys
    08/04/2004 12:08 AM 31,616 usbccgp.sys
    08/04/2004 08:00 AM 4,736 usbd.sys
    08/03/2004 11:08 PM 26,624 usbehci.sys
    08/04/2004 08:00 AM 57,600 usbhub.sys
    08/04/2004 08:00 AM 16,000 usbintel.sys
    08/04/2004 08:00 AM 142,976 usbport.sys
    08/04/2004 12:01 AM 25,856 usbprint.sys
    08/03/2004 11:58 PM 15,104 usbscan.sys
    08/04/2004 08:00 AM 26,496 usbstor.sys
    08/04/2004 08:00 AM 20,480 usbuhci.sys
    08/04/2004 08:00 AM 58,112 vdmindvd.sys
    08/04/2004 08:00 AM 20,992 vga.sys
    08/04/2004 08:00 AM 79,744 videoprt.sys
    08/04/2004 08:00 AM 52,352 volsnap.sys
    08/04/2004 08:00 AM 34,560 wanarp.sys
    08/03/2004 07:15 PM 82,944 wdmaud.sys
    08/04/2004 08:00 AM 4,352 wmilib.sys
    08/11/2004 01:45 AM 18,944 wpdusb.sys
    08/04/2004 08:00 AM 12,032 ws2ifsl.sys
    189 File(s) 15,159,052 bytes

    Directory of C:\Documents and Settings\Pam
     
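What a helper does by eye with a query.txt like the ones posted above (spot the .sys files whose dates don't match the rest of the install, then check whether each one is registered as a driver) can be scripted. The block below is an added example written for this thread; it is not noahdfear's script and not something the thread's participants posted. Its sample log is a constructed excerpt in the same layout (xyzzy0.sys is invented), and the name-to-file match it relies on is only a heuristic: the authoritative link between a driver and its file is the ImagePath value under the driver's key in HKLM\SYSTEM\CurrentControlSet\Services, which these logs do not include.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt in the layout of the query.txt logs posted in this thread:
# SERVICE_NAME lines (with or without the bare 'Services' / 'Drivers' headers of the
# first log) followed by a dir listing of system32\drivers. Far shorter than the real
# logs, and xyzzy0.sys is made up to show what an unexplained file looks like.
SAMPLE_LOG = """\
Services

SERVICE_NAME: AudioSrv
SERVICE_NAME: avg8wd

Drivers

SERVICE_NAME: ACPI
SERVICE_NAME: AvgLdx86
SERVICE_NAME: nv
SERVICE_NAME: sptd

 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\\WINDOWS\\system32\\drivers

08/04/2004 08:00 AM 187,776 acpi.sys
08/04/2004 08:00 AM 138,496 afd.sys
08/28/2008 09:41 PM 97,928 avgldx86.sys
09/01/2008 08:12 PM 85,969 gmer.sys
08/03/2004 06:29 PM 1,897,408 nv4_mini.sys
12/09/2007 07:35 PM 682,232 sptd.sys
06/11/2008 03:22 AM 40,960 xyzzy0.sys
7 File(s) 3,130,216 bytes
"""

NAME_RE = re.compile(r"^\s*SERVICE_NAME:\s*(.+?)\s*$", re.IGNORECASE)
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(\S+\.sys)\s*$",
    re.IGNORECASE,
)
SECTION_HEADERS = {"services", "drivers"}


def parse_names(text):
    """Map each SERVICE_NAME (lowercased) to the bare section header it appeared
    under ('services', 'drivers', or None when the log has no such headers)."""
    section, names = None, {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower() in SECTION_HEADERS:
            section = stripped.lower()
            continue
        m = NAME_RE.match(line)
        if m:
            names[m.group(1).lower()] = section
    return names


def parse_dir(text):
    """Return (filename, size_bytes, timestamp) for every .sys line in a dir listing."""
    files = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p")
            files.append((m.group(3).lower(), int(m.group(2).replace(",", "")), when))
    return files


def triage(text):
    """Cross-check the driver listing against the registered names.

    Two heuristics a helper applies by eye: (1) most files in a service-packed XP
    install share one timestamp, so the modal date is the baseline and anything
    else arrived later; (2) a driver normally registers under its file stem.
    A file that is off-baseline AND has no registered name is worth a look.
    Registered names with no file of that stem are listed separately, because the
    real link is the ImagePath value under the service's registry key, not the
    name (the 'nv' driver in the sample really lives in nv4_mini.sys)."""
    names = parse_names(text)
    files = parse_dir(text)
    if not files:
        raise ValueError("no dir listing found in log")
    baseline = Counter(when.date() for _, _, when in files).most_common(1)[0][0]
    stems = {fname.rsplit(".", 1)[0] for fname, _, _ in files}
    review = sorted(
        fname for fname, _, when in files
        if fname.rsplit(".", 1)[0] not in names and when.date() != baseline
    )
    unmatched = sorted(
        name for name, section in names.items()
        if section != "services" and name not in stems
    )
    return {
        "baseline_date": baseline.isoformat(),
        "review_files": review,
        "unmatched_driver_names": unmatched,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("baseline date:", result["baseline_date"])
    print("files to look at:", ", ".join(result["review_files"]))
    print("registered drivers with no same-named file:",
          ", ".join(result["unmatched_driver_names"]))
```

Run as-is it reports 2004-08-04 as the baseline, lists gmer.sys, nv4_mini.sys and xyzzy0.sys for review, and names nv as a registered driver with no same-named file. nv4_mini.sys is the false positive the second list explains away, which is the point: a flagged file means "check it", not "it's malware".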
  5. 2008/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm ...... do you have a cd burner, and a blank cd?
     
  6. 2008/09/02
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Yes, but that's what started this whole thing. I just got it and have not been able to use it yet. A lite copy of Nero came bundled with the device but I have a complete copy of Roxio, although I've only used it for data backup at work.
     
  7. 2008/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You won't need Nero or Roxio. As long as the drive is installed and working, you're good to go.

    Download and install the ISO Recorder version for your operating system. (After selecting the XP SP2 link, click the red text labeled Here is the current 32 bit build.)



    Download and install the Microsoft Diagnostics and Recovery Toolset, choosing the Typical installation during setup.

    Insert a blank cd into your cd/dvd burner. Browse to C:\Program Files\Microsoft Diagnostics and Recovery Toolset and right click erd50.iso, then select Copy image to CD. Follow the instructions in the following link to finish creating the bootable cd.

    http://isorecorder.alexfeinman.com/HowTo.htm (note - only a cd-rw disc need be or can be erased)

    Once finished, restart the PC with the cd in the drive and boot to the cd to verify it works properly. If successful, restart the computer but remove the cd upon startup and boot back into normal mode, then post back here to let me know it was successful. I'll post instructions on how to proceed from there. Post a fresh RSIT log at that time too.
     
  8. 2008/09/02
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Ok, this sounds like a dumb question even to me, but how do I boot to the CD? I restarted Windows and it looks the same as ever. In the old days I remember you had to set the BIOS to boot first from the floppies and then the hard drive if you wanted to boot from the floppy. Is it not like that anymore? It's been a while :)
     
  9. 2008/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The BIOS must be set to boot to CDROM first, and upon startup/restart, with the disk in the drive, it should automatically boot to the cd. If you do get a prompt Press any key to boot from cd, press any key.

    I should mention, once you boot to the cd, you will be prompted to connect to an operating system, or connect to no operating system. Select the no operating system option. Restart once you've verified it works, and eject the cd immediately upon restart to prevent booting to the cd again.
     
  10. 2008/09/03
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Ok, fixed the BIOS and was able to boot from the cd. I'm posting the log and then off to bed since I have an early day tomorrow - well, today. I'll have a look at your instructions when I get home. Again, thanks for everything you're trying to do here. You guys are amazing.

    Here's the RSIT log (I'll leave the computer on so it doesn't change anything)

    Logfile of random's system information tool (written by random/random)
    Run by Pam at 2008-09-03 01:47:51
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 30 GB (77%) free of 38 GB
    Total RAM: 767 MB (62% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:49:27 AM, on 9/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Pam\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Pam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177939433945
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - G:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7766 bytes

    Scheduled tasks folder

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-28 455960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-04-09 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
    SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "vptray"=C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
    "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-28 1235736]
    "googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-02 68856]
    "MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    C:\Program Files\PowerISO\PWRISOVM.EXE [2007-01-20 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2007-05-25 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\Program Files\NavNT\vptray.exe [2001-09-24 73728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2001-09-24 45056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe"="G:\Program Files\Hasbro Interactive\Classic Games\ClassicCard.exe:*:Enabled:ClassicCard"
    "C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
    "G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe"="G:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "G:\Program Files\mIRC\mirc.exe"="G:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
    "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e9c1cc0-68ac-11dd-a2dc-00b0d0e66386}]
    shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE


    List of files/folders created in the last three months

    2008-09-03 01:20:39 ----SHD---- C:\RECYCLER
    2008-09-03 00:06:05 ----D---- C:\Program Files\Microsoft Diagnostics and Recovery Toolset
    2008-09-02 23:50:02 ----D---- C:\Program Files\Alex Feinman
    2008-09-01 21:49:30 ----D---- C:\WINDOWS\temp
    2008-09-01 21:49:28 ----A---- C:\ComboFix.txt
    2008-09-01 21:46:37 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-09-01 21:45:06 ----A---- C:\Boot.bak
    2008-09-01 21:44:56 ----D---- C:\cmdcons
    2008-09-01 20:12:03 ----A---- C:\WINDOWS\gmer.ini
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer_uninstall.cmd
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.exe
    2008-09-01 20:12:01 ----A---- C:\WINDOWS\gmer.dll
    2008-09-01 17:26:07 ----D---- C:\!KillBox
    2008-09-01 16:52:28 ----A---- C:\WINDOWS\MVPHEART.INI
    2008-09-01 16:29:55 ----D---- C:\Documents and Settings\Pam\Application Data\Desktopicon
    2008-09-01 16:29:54 ----D---- C:\Program Files\Unlocker
    2008-09-01 00:59:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-08-30 19:26:41 ----D---- C:\WINDOWS\erdnt
    2008-08-30 19:26:18 ----D---- C:\QooBox
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\zip.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\VFind.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swxcacls.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swsc.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\swreg.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\sed.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\Nircmd.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\grep.exe
    2008-08-30 19:26:15 ----A---- C:\WINDOWS\fdsv.exe
    2008-08-30 06:10:29 ----D---- C:\rsit
    2008-08-30 05:36:16 ----D---- C:\Documents and Settings\Pam\Application Data\Malwarebytes
    2008-08-30 05:36:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 05:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-29 22:57:21 ----D---- C:\Program Files\Trend Micro
    2008-08-26 03:44:48 ----HD---- C:\$AVG8.VAULT$
    2008-08-26 02:24:58 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-08-26 02:24:24 ----D---- C:\Program Files\AVG
    2008-08-26 02:24:23 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-08-25 23:13:08 ----D---- C:\WINDOWS\system32\NtmsData
    2008-08-25 23:05:27 ----D---- C:\Documents and Settings\Pam\Application Data\CyberLink
    2008-08-25 22:24:13 ----D---- C:\Program Files\Common Files\LightScribe
    2008-08-25 21:59:03 ----A---- C:\WINDOWS\lgfwup.ini
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\Vb6stkit.dll
    2008-08-25 21:59:00 ----A---- C:\WINDOWS\system32\VB6KO.DLL
    2008-08-25 21:43:31 ----N---- C:\WINDOWS\system32\msxml3a.dll
    2008-08-25 20:34:57 ----D---- C:\Documents and Settings\Pam\Application Data\Ahead
    2008-08-25 20:34:26 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
    2008-08-25 20:29:17 ----D---- C:\Program Files\Common Files\LightScribe(2)
    2008-08-25 19:56:06 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-25 19:52:00 ----D---- C:\Program Files\Nero
    2008-08-25 19:52:00 ----D---- C:\Program Files\Common Files\Ahead
    2008-08-25 19:52:00 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-25 19:48:39 ----D---- C:\WINDOWS\RegisteredPackages
    2008-08-25 17:57:38 ----D---- C:\Documents and Settings\Pam\Application Data\Leadertech
    2008-08-25 17:50:39 ----D---- C:\Program Files\Sonic
    2008-08-25 17:50:27 ----D---- C:\WINDOWS\system32\DLA
    2008-08-25 17:50:24 ----D---- C:\Program Files\Roxio
    2008-08-25 17:43:29 ----D---- C:\WINDOWS\Minidump
    2008-08-25 17:42:00 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-08-25 17:34:53 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-25 17:01:30 ----D---- C:\Program Files\honestech
    2008-08-25 16:44:46 ----D---- C:\Program Files\CyberLink
    2008-08-25 16:43:52 ----D---- C:\Program Files\LG USB Booster
    2008-08-16 23:32:14 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-16 23:19:03 ----D---- C:\Documents and Settings\Pam\Application Data\Yahoo!
    2008-08-12 21:02:41 ----A---- C:\WINDOWS\WAVEMIX.INI
    2008-08-12 20:56:38 ----A---- C:\WINDOWS\STUDIO2.INI
    2008-08-12 20:56:32 ----D---- C:\Program Files\Crayola
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 15:23:18 ----A---- C:\WINDOWS\system32\java.exe
    2008-06-24 21:24:56 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-06-24 09:24:59 ----D---- C:\Program Files\Magellan

    List of drivers

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]
    R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\system32\System32\Drivers\avgtdix.sys []
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []
    R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    R3 INIDVD;Initio USB DVD Filter Driver; C:\WINDOWS\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S3 aou1b0r4;aou1b0r4; C:\WINDOWS\system32\drivers\aou1b0r4.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]
    S3 mbr;mbr; \??\C:\DOCUME~1\Pam\LOCALS~1\Temp\mbr.sys []
    S3 NAVAP;NAVAP; \??\C:\Program Files\NavNT\NAVAP.sys []
    S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVENG.sys []
    S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080827.038\NAVEX15.sys []
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []

    List of services

    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]
    R2 DefWatch;DefWatch; C:\Program Files\NavNT\defwatch.exe [2001-09-24 32768]
    R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 137200]
    R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-05 163840]
    S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Norton AntiVirus Server;Norton AntiVirus Client; C:\Program Files\NavNT\rtvscan.exe [2001-09-24 454656]

    -----------------EOF-----------------
     
  11. 2008/09/03
    noahdfear
    It's late for me too. I'll get the instructions written up and posted tomorrow evening. Since you're leaving it on, best disable the internet connection till you're back on tomorrow. ;)
     
  12. 2008/09/03
    noahdfear
    Some updated info. I think we can stop the hunt. I've no doubt that service or file is not to be found, because they don't exist. They are created (randomly) at boot-time by the Daemon Tools driver sptd.sys (which is legitimate), and the sys file is automatically deleted when the operating system loads. My apologies for the goose chase. I'm sure Geri will be around tomorrow to finish up.

    Not all a waste of time, I guess. You now have ISO Recorder for ease of burning ISO images to cd, and you have the safety net of the Recovery Console installed. ;)
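The HijackThis and RSIT logs posted above, together with noahdfear's explanation of the randomly named driver, suggest the first-pass triage a helper does by eye: orphaned entries with no backing file, the AppInit_DLLs hook, services with no publisher string, removable-media AutoRun handlers, and short random-looking driver names with no file on disk. The Python below is an added example and not code from the thread, from HijackThis or from RSIT. The sample lines are copied from the logs above; the flagging rules, in particular what counts as a "random-looking" name, are assumptions made for this example.

```python
"""Triage pass over HijackThis and RSIT log lines.

Added example for this thread; not code from HijackThis, RSIT or the
helpers posting here. Sample lines below are copied from the logs posted
above; the flagging rules are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# HijackThis entry: "<section> - <body>", e.g. "O2 - BHO: ... - (no file)"
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")

# RSIT driver/service entry: "<state> <name>;<description>; <path> [<date size>]"
# An empty "[]" means RSIT could not stat the file at that path.
RSIT_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)

# Assumption: eight lowercase letters/digits, containing at least one digit,
# used as both name and description, is the shape of a machine-generated
# service name (the pattern noahdfear attributes to sptd.sys in this thread).
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")


@dataclass
class Finding:
    line: str
    reason: str


def triage_hjt(lines):
    """Flag HijackThis entries that a helper would look at first."""
    findings = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(raw, f"{sec}: registered object with no backing file; orphan entry"))
        elif sec == "O20":
            findings.append(Finding(raw, f"{sec}: AppInit_DLLs loads into every process that maps user32.dll; confirm the DLL's owner"))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(raw, f"{sec}: service binary has no publisher string; check the file"))
    return findings


def triage_rsit(lines):
    """Flag RSIT registry-dump and driver-list lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if r"shell\AutoRun\command" in line:
            findings.append(Finding(raw, "MountPoints2 AutoRun: removable-media autorun handler; confirm the device is yours"))
            continue
        m = RSIT_LINE.match(line)
        if not m:
            continue
        name, desc, meta = m.group("name").strip(), m.group("desc").strip(), m.group("meta").strip()
        looks_random = RANDOM_NAME.match(name) and any(c.isdigit() for c in name) and name == desc
        # An empty "[]" on its own is not suspicious here: RSIT also fails to stat
        # "\??\"-prefixed paths and the doubled "System32\System32" AVG paths.
        if looks_random and meta == "":
            findings.append(Finding(raw, f"{name}: random-looking driver name with no file on disk; compare against sptd.sys behaviour before chasing it"))
    return findings


# Sample input: lines copied from the HijackThis and RSIT logs posted above.
SAMPLE_HJT = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - g:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)",
    r"O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe",
]
SAMPLE_RSIT = [
    r"R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-01-20 31644]",
    r"R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\NavNT\NAVAPEL.SYS []",
    r"S3 aou1b0r4;aou1b0r4; C:\WINDOWS\system32\drivers\aou1b0r4.sys []",
    r"S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-01 85969]",
    r"shell\AutoRun\command - I:\DigitalPhotoKeychain.EXE",
]


def run(hjt=SAMPLE_HJT, rsit=SAMPLE_RSIT):
    """Return (HJT findings, RSIT findings) for the given log lines."""
    return triage_hjt(hjt), triage_rsit(rsit)


if __name__ == "__main__":
    hjt_findings, rsit_findings = run()
    for f in hjt_findings + rsit_findings:
        print(f"{f.reason}\n    {f.line}")
```

On the logs above this yields five HijackThis hits (the nameless BHO, the PartyBingo button, the AppInit_DLLs entry, and the two "Unknown owner" services) and two RSIT hits (the aou1b0r4 driver and the I: AutoRun handler). None of that is a verdict: avgrsstx.dll is AVG's own hook, the AVG and NavNT drivers show an empty "[]" only because RSIT cannot resolve their paths, and the aou1b0r4 hit is exactly the sptd.sys artefact noahdfear describes. The point of the pass is to shorten the list a human reads, not to replace the reading.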
     
  13. 2008/09/03
    Nokanda
    Wow, that's good news. Firefox still crashes sometimes (mostly when I log onto WindowsBBS) so I'm going to uninstall-reinstall it since I'm not a fan of Explorer even though I'm using it at the moment. Other than that I haven't noticed anything off for a couple of days now. Can I have your permission to private message you about the membership options here?
     
  14. 2008/09/03
    Geri
    WOW, Well, I'll be dog gone. :rolleyes: :cool:
    Thanks Dave, you're the best...you can put your shirt back on now. :p

    Hi Nokanda

    OK, let's try to make cleanup easy.

    First thing is Unlocker. If this is not causing you any problems you can keep it... My firewall kept sending up flags with it whenever I tried to do things.
    If you want to remove it, it is in Add/Remove Programs.

    Please delete RSIT.exe and this folder: C:\rsit

    Now do this.

    Click Start > Run. In the Run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.


    Now this.

    Download OTMoveIt2 by OldTimer to your Desktop.

    • Please double-click OTMoveIt2.exe to run it.
    • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked "Begin cleanup process?" Select Yes.
    • This step removes the files, folders, and shortcuts created by the tools I had you download and run.


    Now let's get an online scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept”; if your pop-up blocker blocks any windows from opening, allow them.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click “Scan Report” on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select Text file as its type. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  15. 2008/09/03
    noahdfear
    Shirt is on. I don't think anyone even noticed it was off. :confused:

    By all means, yes. ;)

    BTW, we created some text files in your userprofile folder. If you click Start > Run and type %userprofile% then hit Enter, you will see them (query.txt was one of them, I remember).
    We also created a couple in the drivers folder that can be removed.

    C:\WINDOWS\system32\drivers\junk.txt
    C:\WINDOWS\system32\drivers\artmcx48.txt
     
  16. 2008/09/04
    Nokanda
    Had some problems here with the scan. When I got up the scan had finished but the browser crashed when I was saving the file. I reloaded the browser and restarted the scan but it got hung on 15:44 into the scan so I had to reboot. The first scan reported there were infections but I don't remember how many there were. I couldn't see the folder names because the window was too small... and then CRASH! Anyway, I'm rerunning it now.
     
  17. 2008/09/04
    Geri
    Hi
    OK. If you still have problems with Kaspersky, then we'll try Panda.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site, click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
     
  18. 2008/09/04
    Nokanda
    Thanks Geri. Kaspersky's still working and it's into its first hour so I'll let it go and see what happens. If it crashes again then I'll try Panda.
     
  19. 2008/09/04
    Nokanda
    OK, scan's done. Here's the log:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, September 4, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, September 04, 2008 17:14:34
    Records in database: 1191804
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    J:\

    Scan statistics:
    Files scanned: 78466
    Threat name: 9
    Infected objects: 24
    Suspicious objects: 0
    Duration of the scan: 04:30:10


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080000.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080001.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080002.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06D80000.VBN Infected: not-a-virus:AdWare.Win32.BHO.fd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN Infected: not-a-virus:AdWare.Win32.BHO.fd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08080000.VBN Infected: not-a-virus:AdWare.Win32.BHO.fd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08080001.VBN Infected: not-a-virus:AdWare.Win32.BHO.fb 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08140000.VBN Infected: not-virus:Hoax.Win32.Agent.s 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Trojan-Downloader.Win32.Agent.bls 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880002.VBN Infected: Trojan-Downloader.Win32.PurityScan.eg 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0000.VBN Infected: Trojan-Downloader.Win32.IstBar.gen 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0001.VBN Infected: Trojan-Downloader.Win32.IstBar.gen 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0002.VBN Infected: Trojan-Downloader.Win32.IstBar.gen 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200000.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200001.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200002.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200003.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240000.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240002.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240003.VBN Infected: Trojan.Win32.Patched.af 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240004.VBN Infected: Trojan.Win32.Patched.af 1
    G:\System Volume Information\_restore{43F793CE-AC1B-48E8-B48E-6E188798D758}\RP226\A0039504.exe Infected: Trojan-Downloader.Win32.IstBar.gen 1
    G:\System Volume Information\_restore{43F793CE-AC1B-48E8-B48E-6E188798D758}\RP226\A0039505.exe Infected: Backdoor.Win32.Bifrose.yjw 1
    G:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.60 1

    The selected area was scanned.
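An added example, not from this thread or from any of the tools it names, that parses lines in the Kaspersky "File name / Threat name / Threats count" format shown above and sorts each hit by where it lives, which is the judgement the next reply makes: entries already in another scanner's quarantine, copies inside restore points, riskware, and anything still live on disk. The first three sample lines are taken from the report above; the last one is constructed to show what a live-file detection would look like.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky report format shown in the thread
# ("File name / Threat name / Threats count"); the last line is invented
# to show what a detection on a live file looks like.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080000.VBN Infected: Trojan.Win32.Patched.af 1
G:\System Volume Information\_restore{43F793CE-AC1B-48E8-B48E-6E188798D758}\RP226\A0039505.exe Infected: Backdoor.Win32.Bifrose.yjw 1
G:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.60 1
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Patched.af 1
""".strip()

# One report line: <path, may contain spaces> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return a list of {'path', 'threat', 'count'} dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return entries


def classify(entry):
    """Where the detection lives decides the follow-up action."""
    path = entry["path"].lower()
    if "\\quarantine\\" in path or path.endswith(".vbn"):
        return "quarantine"      # already neutralised by another AV; empty that quarantine
    if "\\system volume information\\_restore" in path:
        return "restore_point"   # would come back via System Restore; clear the restore points
    if entry["threat"].startswith(("not-a-virus:", "not-virus:")):
        return "riskware"        # legitimate but dual-use tool (mIRC here); owner's decision
    return "live"                # active on disk; must be removed before calling the box clean


def triage(text):
    """Summarise a report: counts per category plus the live paths that still need action."""
    entries = parse_report(text)
    counts = Counter(classify(e) for e in entries)
    live = [e["path"] for e in entries if classify(e) == "live"]
    return {"counts": dict(counts), "live": live, "total": sum(e["count"] for e in entries)}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run against the real report, only the "live" list needs hands-on cleanup; the rest is handled by emptying the quarantine and clearing restore points as described in the thread.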
     
  20. 2008/09/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK that looks good.

    You need to empty your Norton's Quarantine folder.

    You should clean out the restore points on your G Drive.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point" put a name in the box. Click Create. In the next window click Close.

    Let me know how that went and we should be able to mark this resolved.

    Thanks
    Geri
     
  21. 2008/09/04
    Nokanda Lifetime Subscription

    Nokanda Well-Known Member Thread Starter

    Joined:
    2008/08/29
    Messages:
    85
    Likes Received:
    0
    Thanks Geri! The quarantine folder is empty and the restore point has been reset. I can finally wake up from this nightmare! Do you think I should do one more scan before I defrag?
     