help with rootkit!


I have recently been infected with AVCare, which I was able to remove, at least the visible signs. Malwarebytes, HijackThis, ComboFix and SUPERAntiSpyware will not run. I have run every other program I know of (RootRepeal, ComboFix, Dr. Web, AVIRA Rescue CD, Secured2k's BootCD, etc.). Thanks in advance for your help!

I was recently able to make some headway following the instructions found here:

http://forums.spybot.info/showthread.php?p=326924

Here is a copy of my ComboFix log. I am currently running MBAM.

ComboFix 09-08-09.04 - John DeVore 08/10/2009 9:17.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.645 [GMT -4:00]

Running from: c:\documents and settings\John DeVore\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\documents\setup.exe

c:\documents and settings\John DeVore\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\recycler\S-1-5-21-3681305839-2988916622-607333321-1003

c:\windows\Installer\1b07a.msp

c:\windows\Installer\278d6.msp

c:\windows\Installer\2f887f.msp

c:\windows\Installer\42457.msp

c:\windows\run.log

c:\windows\system32\bszip.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ATI64SI

-------\Legacy_I386SI

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))

.

2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- C:\B4BDA73C

2009-08-10 12:25 . 2009-08-10 12:25 -------- d-----w- c:\program files\Trend Micro

2009-08-10 11:57 . 2009-08-10 11:57 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys

2009-08-10 11:57 . 2009-08-10 11:57 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys

2009-08-10 11:57 . 2009-08-10 11:57 -------- d-----w- c:\program files\Prevx

2009-08-10 11:57 . 2009-08-10 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-08-07 18:11 . 2009-08-07 18:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-07 16:20 . 2009-08-07 16:21 -------- d-----w- c:\program files\Tsrend Micro

2009-08-07 14:08 . 2009-08-07 14:08 -------- d--h--w- c:\windows\PIF

2009-08-07 12:11 . 2009-08-07 12:11 -------- d-----w- c:\documents and settings\John DeVore\DoctorWeb

2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\John DeVore\Application Data\Logs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-07 18:09 . 2009-05-11 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-30 01:02 . 2009-02-13 19:12 4713 ------w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-07-15 13:24 . 2007-04-14 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-12 23:58 . 2009-04-14 16:26 865544 ------w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2009-07-12 23:58 . 2009-04-14 16:26 38664 ------w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2009-06-29 16:12 . 2005-05-13 02:44 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-05-13 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-05-13 02:43 17408 ------w- c:\windows\system32\corpol.dll

2009-06-29 13:50 . 2009-06-29 13:50 -------- d-----w- c:\program files\7-Zip

2009-06-16 14:36 . 2005-05-13 02:44 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2005-05-13 02:43 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:09 . 2005-05-13 02:43 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Auto EPSON Stylus CX4200 Series on DEVORE-D8O3J6BN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]

"Auto EPSON Stylus CX4200 Series on DLAWG-OFFICE"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 53248]

"TOSHIBA Accessibility"="c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-03-08 24576]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-26 65536]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 122880]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-07 155648]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]

"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]

"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-12-24 28672]

"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-29 675840]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]

"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2004-05-01 24576]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-12-28 270336]

"TFncKy"="TFncKy.exe" [bU]

"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-04-20 28672]

"NDSTray.exe"="NDSTray.exe" [bU]

"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]

c:\documents and settings\John DeVore\Start Menu\Programs\Startup\

Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2009-4-17 12438896]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-2 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-10-15 19:27 110592 ------w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John DeVore^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVCERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\palmOne\\Hotsync.exe"=

"c:\\Program Files\\VectorWorks 12.0.0\\VectorWorks.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [8/10/2009 7:57 AM 22024]

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [8/10/2009 7:57 AM 27656]

S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [8/10/2009 7:57 AM 4368952]

S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB19 [?]

.

Contents of the 'Scheduled Tasks' folder

2006-03-31 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21134434789.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 01:38]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKCU-Run-AV Care - c:\program files\AV Care\AvCare.exe

HKLM-Run-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

HKLM-Run-net - c:\windows\system32\net.net

HKLM-Run-mmtask - c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://devoreslandandwater.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\John DeVore\Application Data\Mozilla\Firefox\Profiles\elh2j8eg.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.devoreslandandwater.com

FF - prefs.js: network.proxy.type - 2

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll

FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-10 09:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(332)

c:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\windows\system32\ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\system32\drivers\CDANTSRV.EXE

c:\program files\Toshiba\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Toshiba\ConfigFree\NDSTray.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\windows\system32\TPSBattM.exe

c:\program files\McAfee\Common Framework\Mctray.exe

c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE

c:\program files\Apoint2K\ApntEx.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-10 9:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-10 13:32

Pre-Run: 31,668,396,032 bytes free

Post-Run: 31,810,174,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

222 --- E O F --- 2009-08-07 20:08
