Malwarebytes

help with rootkit!


#1
wmvincent87

I have recently been infected with AVCare, which I was able to remove, at least the visible signs. Malwarebytes, HijackThis, ComboFix and SUPERAntiSpyware will not run. I have run every other program I know of (RootRepeal, ComboFix, Dr.Web, AVIRA rescue CD, Secured2k's BootCD, etc.). Thanks in advance for your help!

#2
wmvincent87

I was recently able to make some headway following the instructions found here:

http://forums.spybot...ad.php?p=326924

Here is a copy of my ComboFix log. I am currently running MBAM.

ComboFix 09-08-09.04 - John DeVore 08/10/2009 9:17.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.645 [GMT -4:00]
Running from: c:\documents and settings\John DeVore\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\documents\setup.exe
c:\documents and settings\John DeVore\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\recycler\S-1-5-21-3681305839-2988916622-607333321-1003
c:\windows\Installer\1b07a.msp
c:\windows\Installer\278d6.msp
c:\windows\Installer\2f887f.msp
c:\windows\Installer\42457.msp
c:\windows\run.log
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI64SI
-------\Legacy_I386SI
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- C:\B4BDA73C
2009-08-10 12:25 . 2009-08-10 12:25 -------- d-----w- c:\program files\Trend Micro
2009-08-10 11:57 . 2009-08-10 11:57 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-08-10 11:57 . 2009-08-10 11:57 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-08-10 11:57 . 2009-08-10 11:57 -------- d-----w- c:\program files\Prevx
2009-08-10 11:57 . 2009-08-10 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-08-07 18:11 . 2009-08-07 18:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-07 16:20 . 2009-08-07 16:21 -------- d-----w- c:\program files\Tsrend Micro
2009-08-07 14:08 . 2009-08-07 14:08 -------- d--h--w- c:\windows\PIF
2009-08-07 12:11 . 2009-08-07 12:11 -------- d-----w- c:\documents and settings\John DeVore\DoctorWeb
2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\John DeVore\Application Data\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 18:09 . 2009-05-11 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 01:02 . 2009-02-13 19:12 4713 ------w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-07-15 13:24 . 2007-04-14 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-12 23:58 . 2009-04-14 16:26 865544 ------w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-07-12 23:58 . 2009-04-14 16:26 38664 ------w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-06-29 16:12 . 2005-05-13 02:44 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-05-13 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-05-13 02:43 17408 ------w- c:\windows\system32\corpol.dll
2009-06-29 13:50 . 2009-06-29 13:50 -------- d-----w- c:\program files\7-Zip
2009-06-16 14:36 . 2005-05-13 02:44 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-05-13 02:43 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2005-05-13 02:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Auto EPSON Stylus CX4200 Series on DEVORE-D8O3J6BN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"Auto EPSON Stylus CX4200 Series on DLAWG-OFFICE"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 53248]
"TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-03-08 24576]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 65536]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-07 155648]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 28672]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-29 675840]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2004-05-01 24576]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-12-28 270336]
"TFncKy"="TFncKy.exe" [BU]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-04-20 28672]
"NDSTray.exe"="NDSTray.exe" [BU]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]

c:\documents and settings\John DeVore\Start Menu\Programs\Startup\
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2009-4-17 12438896]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-2 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 19:27 110592 ------w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John DeVore^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVCERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\palmOne\\Hotsync.exe"=
"c:\\Program Files\\VectorWorks 12.0.0\\VectorWorks.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [8/10/2009 7:57 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [8/10/2009 7:57 AM 27656]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [8/10/2009 7:57 AM 4368952]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
Contents of the 'Scheduled Tasks' folder

2006-03-31 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21134434789.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 01:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKCU-Run-AV Care - c:\program files\AV Care\AvCare.exe
HKLM-Run-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-mmtask - c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://devoreslandandwater.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\John DeVore\Application Data\Mozilla\Firefox\Profiles\elh2j8eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.devoreslandandwater.com
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 09:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\TPSBattM.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-10 9:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 13:32

Pre-Run: 31,668,396,032 bytes free
Post-Run: 31,810,174,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

222 --- E O F --- 2009-08-07 20:08
