
trouble in Tulsa

733 Views 0 Replies 1 Participant Last post by caldera50
IE will only open some web pages. Other pages never load and seem to lock up. Any addy typed into the addy bar will not load; favorites will not load. I did the best I could on the "5 steps before you post". I could not run the online scan and couldn't update my OS. I've included the Deckard's log and ComboFix log (I didn't complete ComboFix perfectly) and will attach the extra text from HJT.
Thanks so much,
-jason

Deckard's System Scanner v20071014.68
Run by Larry on 2008-05-24 12:44:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
24: 2008-05-24 17:45:21 UTC - RP24 - Deckard's System Scanner Restore Point
23: 2008-05-23 23:27:24 UTC - RP23 - Installed AVG 7.5
22: 2008-05-23 23:05:19 UTC - RP22 - ComboFix created restore point
21: 2008-05-23 21:51:06 UTC - RP21 - Software Distribution Service 3.0
20: 2008-05-23 21:48:52 UTC - RP20 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-17 18:28:54 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 479 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-24 12:47:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\E-KEY\CeEKey.exe
C:\Program Files\Toshiba\Power Management\CePMTray.exe
C:\Program Files\Toshiba\TouchPad\TPTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Toshiba\Ivp\ISM\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1187627992\ee\aolsoftware.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Larry\Desktop\dss(2).exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187627992\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4BF2E7B7-69F4-4178-B669-257C7C8A4072} (WebCamX Control) - http://autoamigos.dnsalias.net/WebCamX.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38129.6474074074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDANTSRV.EXE
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 8160 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ENECBPTH (ENE Cardbus Patch Driver) - c:\windows\system32\drivers\enecbpth.sys <Not Verified; EnE Technology Inc.; EnE Cardbus Patch Driver for Windows (R) 2000/XP>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SrvcEKIOMngr - c:\windows\system32\drivers\ekiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcEPIOMngr - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcTPIOMngr - c:\windows\system32\drivers\tpiomngr.sys
R2 MDC8021X (WPA Security Protocol (IEEE 802.1x) v2.2.0.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R3 EPOWER (Compal E-POWER Driver) - c:\windows\system32\drivers\hkdrv.sys <Not Verified; Compal Electronic Inc.; EPOWER>

S3 C-Dilla - c:\windows\system32\drivers\cdant.sys <Not Verified; Macrovision; Licence Management System>
S3 MR97310_VGA_DUAL_CAMERA (VGA Dual-Mode Camera) - c:\windows\system32\drivers\mr97310v.sys <Not Verified; Mars Semiconductor Corp.; USB Dual-Mode Camera>
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 C-DillaSrv - c:\windows\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
R2 CeEPwrSvc - c:\program files\toshiba\power management\ceepwrsvc.exe <Not Verified; COMPAL ELECTRONIC INC.; CeEPwrSvc Module>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-22 12:35:00 398 --a------ C:\WINDOWS\Tasks\WebReg 20040802123519.job


-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-23 18:28:15 0 d-------- C:\Documents and Settings\Larry\Application Data\AVG7
2008-05-23 18:28:05 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-23 18:04:59 68096 --a------ C:\WINDOWS\zip.exe
2008-05-23 18:04:59 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-23 18:04:59 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-23 18:04:59 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-23 18:04:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-23 18:04:59 98816 --a------ C:\WINDOWS\sed.exe
2008-05-23 18:04:59 80412 --a------ C:\WINDOWS\grep.exe
2008-05-23 18:04:59 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-23 17:14:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 17:14:33 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 16:44:10 0 d-------- C:\Documents and Settings\Larry\Application Data\U3
2008-05-22 20:59:36 0 d-------- C:\Program Files\Panda Security
2008-05-17 13:35:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-17 13:00:53 0 d-------- C:\WINDOWS\Prefetch


-- Find3M Report ---------------------------------------------------------------

2008-05-23 16:53:33 0 d-------- C:\Documents and Settings\Larry\Application Data\MSN6
2008-05-22 16:58:31 0 d-------- C:\Program Files\Yahoo!
2008-05-22 16:56:48 0 d-------- C:\Program Files\Canon
2008-05-17 12:47:50 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-24 10:34:54 0 d-------- C:\Program Files\remoteAP
2008-04-07 09:39:08 0 d-------- C:\Documents and Settings\Larry\Application Data\Canon
2008-04-02 09:27:43 0 d-------- C:\Documents and Settings\Larry\Application Data\Real
2008-03-27 16:48:18 381459 --a------ C:\WINDOWS\system32\Instcodec.exe
2008-03-27 14:18:58 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [05/29/2003 07:26 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [05/29/2003 07:14 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/30/2002 08:40 AM]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [01/02/2003 06:16 PM]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [07/29/2003 06:19 PM]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [07/23/2003 08:03 PM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [07/18/2003 05:24 PM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 12:29 PM]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [10/17/2002 03:21 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/22/2004 04:55 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [09/01/2003 06:42 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/22/2005 11:51 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1187627992\ee\AOLSoftware.exe" [05/25/2007 12:16 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [05/23/2008 06:27 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 07:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [5/22/2004 3:23:51 PM]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [8/12/2003 6:51:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-24 12:49:35 ------------



ComboFix 08-05-21.3 - Larry 2008-05-24 15:40:20.4 - NTFSx86
Running from: C:\Documents and Settings\Larry\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 12:56 . 2008-05-24 12:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 12:44 . 2008-05-24 12:44 <DIR> d-------- C:\Deckard
2008-05-23 18:28 . 2008-05-23 18:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-23 18:28 . 2008-05-24 12:43 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\AVG7
2008-05-23 17:14 . 2008-05-23 17:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 17:14 . 2008-05-23 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 16:44 . 2008-05-23 18:16 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\U3
2008-05-22 20:59 . 2008-05-22 20:59 <DIR> d-------- C:\Program Files\Panda Security
2008-05-17 13:35 . 2008-05-23 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-17 13:28 . 2003-05-29 19:12 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-17 13:27 . 2008-05-17 13:27 1,396 --a------ C:\WINDOWS\system32\wpa.bak
2008-05-17 12:56 . 2006-02-28 07:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-05-17 12:55 . 2006-02-28 07:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-05-17 12:54 . 2006-02-28 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-17 12:53 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-05-17 12:49 . 2008-05-17 12:49 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-17 12:49 . 2008-05-17 12:49 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-17 12:49 . 2008-05-17 12:49 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-17 12:49 . 2008-05-17 12:49 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-17 12:49 . 2008-05-17 12:49 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-17 12:48 . 2006-02-28 07:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-05-17 12:36 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SETA5.tmp
2008-05-17 12:35 . 2006-02-28 07:00 1,086,058 -ra------ C:\WINDOWS\SET66.tmp
2008-05-17 12:35 . 2006-02-28 07:00 1,042,903 -ra------ C:\WINDOWS\SET63.tmp
2008-05-17 12:35 . 2006-02-28 07:00 13,753 -ra------ C:\WINDOWS\SET72.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 23:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-23 21:53 --------- d-----w C:\Documents and Settings\Larry\Application Data\MSN6
2008-05-22 21:58 --------- d-----w C:\Program Files\Yahoo!
2008-05-22 21:56 --------- d-----w C:\Program Files\Canon
2008-04-24 15:34 --------- d-----w C:\Program Files\remoteAP
2008-04-07 14:39 --------- d-----w C:\Documents and Settings\Larry\Application Data\Canon
2008-03-27 21:48 381,459 ----a-w C:\WINDOWS\system32\Instcodec.exe
2008-03-27 19:18 --------- d-----w C:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((( [email protected]_18.10.46.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 22:55:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 17:42:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 23:27:55 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-05-23 23:28:00 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-05-23 23:28:00 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-05-23 23:28:02 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-05-23 23:28:01 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-05-23 23:28:01 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-05-29 19:26 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-05-29 19:14 114688]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 08:40 122880]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 18:16 172032]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-07-29 18:19 638976]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-07-23 20:03 135168]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-07-18 17:24 49152]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 15:21 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-22 16:55 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 06:42 176128]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-22 11:51 180269]
"HostManager"="C:\Program Files\Common Files\AOL\1187627992\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-23 18:27 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-23 18:27 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-05-22 15:23:51 113664]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-08-12 18:51:05 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Toshiba\\Ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1187627992\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2006-07-10 12:44]
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 18:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 17:35:00 C:\WINDOWS\Tasks\WebReg 20040802123519.job"
- C:\Program Files\Hewlett-Packard\webreg\bin\hpqwrg.exeC/TaskName 20040802123519 /N
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 15:42:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 15:43:41
ComboFix-quarantined-files.txt 2008-05-24 20:43:32
ComboFix2.txt 2008-05-24 18:09:55
ComboFix3.txt 2008-05-24 00:32:49
ComboFix4.txt 2008-05-23 23:11:11

Pre-Run: 48,834,015,232 bytes free
Post-Run: 48,824,053,760 bytes free

137 --- E O F --- 2008-05-24 18:00:41
