A work in progress


Trotter

Grandfather of Techist, ¯\_(ツ)_/¯
Staff member
Messages
33,560
Location
The South
Working on one that is driving me nuts. Seems to be a rash of fake antivirus crap going around...

ComboFix log:
ComboFix 10-03-16.03 - Owner 03/16/2010  19:08:24.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.663 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: CleanUp Antivirus *On-access scanning enabled* (Updated) {A9480CD1-A5AC-473C-ABDB-AA329B9E6678}
FW: CleanUp Antivirus *enabled* {5004F310-AD5A-4A7B-BA4E-9BFBD7F5645F}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3441940337-1758453630-3637168011-1003
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2010-02-16 to 2010-03-16  )))))))))))))))))))))))))))))))
.

2010-03-16 22:04 . 2010-03-16 22:04	--------	d-----w-	c:\documents and settings\Owner\Application Data\TeamViewer
2010-03-16 22:04 . 2010-03-16 22:04	--------	d-----w-	c:\program files\TeamViewer
2010-03-16 19:36 . 2010-03-16 19:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 19:36 . 2010-03-16 19:36	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2010-03-16 18:24 . 2010-03-16 18:24	152576	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-16 18:21 . 2010-03-16 18:21	--------	d-----w-	c:\program files\VS Revo Group
2010-03-16 18:17 . 2010-03-16 18:17	--------	d-----w-	c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-16 17:23 . 2010-03-16 17:23	39544	----a-w-	c:\documents and settings\Administrator.CLARKCOMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 17:18 . 2010-03-16 17:18	--------	d-----w-	c:\documents and settings\Administrator.CLARKCOMPUTER\Application Data\Malwarebytes
2010-03-16 17:18 . 2010-01-07 20:07	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-16 17:18 . 2010-03-16 17:18	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-03-16 17:18 . 2010-03-16 17:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-16 17:18 . 2010-01-07 20:07	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-03-15 18:10 . 2010-03-15 18:11	--------	d-sh--w-	c:\documents and settings\Owner\Application Data\CleanUp Antivirus
2010-03-15 18:10 . 2010-03-15 18:10	--------	d-sh--w-	c:\documents and settings\All Users\Application Data\CUFBHIRGUPA
2010-03-15 18:10 . 2010-03-15 18:10	2697216	----a-w-	c:\documents and settings\All Users\Application Data\a183887\CUa183.exe
2010-03-15 18:10 . 2010-03-15 18:10	--------	d-sh--w-	c:\documents and settings\All Users\Application Data\a183887
2010-03-10 13:28 . 2009-10-23 15:28	3558912	-c----w-	c:\windows\system32\dllcache\moviemk.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 18:30 . 2008-11-04 23:47	--------	d-----w-	c:\documents and settings\All Users\Application Data\ESET
2010-03-16 18:24 . 2008-04-01 02:18	--------	d-----w-	c:\program files\Java
2010-03-16 18:24 . 2009-11-12 13:46	79488	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-15 13:41 . 2008-11-08 16:28	--------	d-----w-	c:\documents and settings\Owner\Application Data\Image Zone Express
2010-03-05 15:50 . 2008-11-07 17:04	--------	d-----w-	c:\program files\Auction Client
2010-02-24 14:16 . 2009-10-02 19:19	181632	------w-	c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2006-05-07 01:24	832512	----a-w-	c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-05-07 01:24	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-05-07 01:24	17408	------w-	c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-05-07 01:24	353792	----a-w-	c:\windows\system32\drivers\srv.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}]
2009-06-25 08:53	311808	----a-w-	c:\progra~1\SITERA~1\SiteRank.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd3fd433-147a-482e-a192-614f26e2310c}]
2009-03-11 19:39	1291560	----a-w-	c:\program files\MapQuest Toolbar\mapquesttb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9302e698-7e00-43ab-b867-c6e759bc2ada}"= "c:\program files\MapQuest Toolbar\mapquesttb.dll" [2009-03-11 1291560]

[HKEY_CLASSES_ROOT\clsid\{9302e698-7e00-43ab-b867-c6e759bc2ada}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{e3a72ce3-87ab-41bc-a506-d0c507d265f3}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9302E698-7E00-43AB-B867-C6E759BC2ADA}"= "c:\program files\MapQuest Toolbar\mapquesttb.dll" [2009-03-11 1291560]

[HKEY_CLASSES_ROOT\clsid\{9302e698-7e00-43ab-b867-c6e759bc2ada}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{e3a72ce3-87ab-41bc-a506-d0c507d265f3}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10	35696	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 00:43	69632	----a-w-	c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2006-11-07 21:08	547840	----a-w-	c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp Antivirus]
2010-03-15 18:10	2697216	----a-w-	c:\documents and settings\All Users\Application Data\a183887\CUa183.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12	15360	------w-	c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-10-06 03:13	114688	----a-w-	c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24	54840	----a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-10-06 03:11	98304	----a-w-	c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-11-29 19:22	58928	----a-w-	c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModPS2]
2006-11-07 21:34	53248	----a-w-	c:\windows\ModPS2Key.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	------w-	c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-10-06 03:10	94208	----a-w-	c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42	212992	----a-w-	c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 22:10	56928	----a-w-	c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 23:33	16132608	----a-w-	c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2005-01-27 16:13	36864	----a-w-	c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteRanker]
2009-06-25 08:53	273920	----a-w-	c:\program files\SiteRanker\SiteRankTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 08:17	149280	----a-w-	c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-12-09 10:12	234856	----a-w-	c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\a183887\\CUa183.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 1:44 AM 69692]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4E7BD74F-2B8D-469E-C8ED-EA2EFAD2ED61} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
AddRemove-Auction Client - c:\program files\Auction Client\AMSAuctionInstaller.exe
AddRemove-NOD32 v3.x FiX 1.1 by TemDono_is1 - c:\program files\ESET\ESET Smart Security\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-03-16  19:15:04
ComboFix-quarantined-files.txt  2010-03-16 23:14

Pre-Run: 139,426,222,080 bytes free
Post-Run: 140,462,645,248 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DFA83D6731EFA08338E942E49212234A

More to come as I get it scanned. Working remotely via TeamViewer. ComboFix kept breaking the connection... hopefully Malwarebytes and HJT won't do the same.
 
Malwarebytes log:
Malwarebytes' Anti-Malware 1.44
Database version: 3874
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/16/2010 7:51:42 PM
mbam-log-2010-03-16 (19-51-42).txt

Scan type: Quick Scan
Objects scanned: 125490
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\documents and settings\all users\application data\a183887\cua183.exe (Rogue.CleanUpAntivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=294&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=294&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=294&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=294&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=294&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Owner\Application Data\CleanUp Antivirus (Rogue.CleanUpAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Application Data\CleanUp Antivirus\Instructions.ini (Rogue.CleanUpAntivirus) -> Quarantined and deleted successfully.
 
Seems like Malwarebytes cleaned most of it; just post a HJT log, I guess. I ain't pr0 enough yet to scan and suggest anything (as discussed before), but I'll take a run through; you gotta wait on Osiris most likely, though.
 
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:17 PM, on 3/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~1\SITERA~1\SiteRank.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: MapQuest Toolbar Loader - {bd3fd433-147a-482e-a192-614f26e2310c} - C:\Program Files\MapQuest Toolbar\mapquesttb.dll
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: MapQuest Toolbar - {9302e698-7e00-43ab-b867-c6e759bc2ada} - C:\Program Files\MapQuest Toolbar\mapquesttb.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 4527 bytes

I tried twice, but both times I got
For some reason your system denied access write access to the Hosts file. If any hijacked domains are in the file, HijackThis may NOT be able to fix this.
If that happens, you need to edit the file yourself. To do this, click, Start, Run and type:
notepad C:\WindowsSystem32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts" ( with quotes ), and reboot.
For Vista: simply exit HijackThis, right click on the HijackTHis icon, choose "Run as Administrator"

Something is still up with this. A new tab in IE opens up with "The webpage cannot be displayed." A Google search from the search bar goes to findgala.com instead of Google.

Also, I can't install any AV (tried MSE and AVG) because of CleanUp Antivirus being on the system. About to try it again.
 
From the HJT log, this is what I gathered:

* R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
* O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~1\SITERA~1\SiteRank.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
* O2 - BHO: MapQuest Toolbar Loader - {bd3fd433-147a-482e-a192-614f26e2310c} - C:\Program Files\MapQuest Toolbar\mapquesttb.dll
* O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
* O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
* O3 - Toolbar: MapQuest Toolbar - {9302e698-7e00-43ab-b867-c6e759bc2ada} - C:\Program Files\MapQuest Toolbar\mapquesttb.dll
* O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
* O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
Basically: all are valid; the starred entries could be deleted without harm.
Inbox.dll (all related items) - seems valid from the research but seems a bit suspicious to me. Should be taken out if not needed.
MapQuest (all related items) - also comes up valid; not sure if it's needed.
SiteRank.dll - came up valid also, but seems a bit suspicious to me. Should be taken out if not needed.

NCO 2.0 IE BHO - this last entry is related to Norton and its product and is valid; it should only be necessary if Norton was installed.

So in other words, the log seems clean to me; but I'm not pr0 and still learning as much as I can, so you most likely should wait on Osiris's confirmation.

Also, if you get a chance, can you go into safe mode (or ask the person on the remote end to do so) and run the scans again, just to make sure everything is out. You can also go into safe mode, try uninstalling the AV on it, and install MSE or AVG.
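The review above is done by eye: look for "(no file)" orphans and spot the same DLL (Inbox.dll) hooked in under several HJT sections. As an added example that is not from the thread, this script parses R3/O2/O3/O18 lines in the HJT 2.0.2 layout and applies those two checks; the sample lines are a constructed subset of the posted log, and the flag wording is mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the HJT 2.0.2 lines posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
"""

# R3 = URLSearchHook, O2 = BHO, O3 = IE toolbar, O18 = protocol handler. All four
# share the layout "<section> - <kind>: <name> - {CLSID} - <path>"; other sections skip.
ENTRY_RE = re.compile(
    r"^(?P<section>R3|O2|O3|O18) - (?P<kind>[A-Za-z]+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
NO_FILE = "(no file)"
NO_NAME = "(no name)"


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str
    flags: list = field(default_factory=list)

    @property
    def module(self) -> str:
        # File name only, lower-cased, so an 8.3 short path (PROGRA~1\...) and a
        # long path that end in the same DLL compare equal.
        return self.path.lower().rsplit("\\", 1)[-1]


def parse_hjt(text: str) -> list:
    """Return the R3/O2/O3/O18 entries of an HJT log as HjtEntry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(**m.groupdict()))
    return entries


def flag_entries(entries: list) -> list:
    """Annotate each entry with the checks the thread applies by hand."""
    by_module = defaultdict(list)
    for e in entries:
        if e.path != NO_FILE:
            by_module[e.module].append(e)
    for e in entries:
        if e.path == NO_FILE:
            e.flags.append("orphan: registration points at a missing file")
        if e.name == NO_NAME:
            e.flags.append("unnamed: no description, identify the module")
        related = by_module.get(e.module, [])
        if len(related) > 1:  # same DLL behind several hooks ("all related items")
            others = sorted(x.section for x in related if x is not e)
            e.flags.append("shared module: also registered as " + ", ".join(others))
    return entries


def modules_with_hooks(entries: list) -> dict:
    """Map each DLL that exists on disk to the set of sections it is hooked into."""
    out = defaultdict(set)
    for e in entries:
        if e.path != NO_FILE:
            out[e.module].add(e.section)
    return dict(out)


if __name__ == "__main__":
    for e in flag_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{e.section:<3} {e.module:<12} {'; '.join(e.flags) or 'nothing flagged'}")
```

Flags are review prompts, not verdicts: an orphan is stale and safe to drop, while a shared module still needs to be identified before anything is removed.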
 
I can boot it into safe mode through TeamViewer, but I will wait for Osiris to chime in. Not that I don't trust your analysis, mate, but Osiris is one of the few I would trust to work on my computer. ;)
 
Haha I know :p, no offense taken :). I was just giving a review on what I thought, since I don't see any other suspicious stuff heh. Hope you get through, after all...I'm like your title, "A work in progress".
 
Well, I was able to finally get Microsoft Security Essentials installed on this computer. It is downloading updates at this moment and will then perform a system scan. I was beginning to think it wasn't ever going to take the installation. :(

I guess Osiris is out on the town with his lady tonight. ;););)
 
I guess you can ignore my reply to your PM :big_grin:

Remove these entries

R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: MapQuest Toolbar Loader - {bd3fd433-147a-482e-a192-614f26e2310c} - C:\Program Files\MapQuest Toolbar\mapquesttb.dll

O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: MapQuest Toolbar - {9302e698-7e00-43ab-b867-c6e759bc2ada} - C:\Program Files\MapQuest Toolbar\mapquesttb.dll

O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll

O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll

Then reset IE back to default settings so it removes other add-ons that can be enabled or reinstalled later. Upgrade it to IE8 as well.

Then run CCleaner, both sections and remove whatever it finds and use Cleanup! as well.

Then open msconfig and go to Startup, click Disable All and then recheck her antivirus; don't reboot yet.

Make sure system restore is disabled so it deletes any infections that may be in it.

Then reboot into safe mode and run ComboFix and Malwarebytes, save the logs, then reboot back into normal mode, run ComboFix and Malwarebytes again in that order, save those logs, and post them all including a new HijackThis log.

Then reboot again and run the programs once more to see if the infections come back.

How did you know I was out with a lady? I took her, well she took me fishn :thumbsup:
 
I'm just good. What can I say? ;)

I am trying to reboot into safe mode via TeamViewer but I don't think it is going to work. If not I will just go over there tomorrow... but I would rather it work NOW. :p

Thanks for the help so far. HJT still couldn't get into the HOSTS file... should that be a point of concern?

EDIT: Yeah, TeamViewer can't get into safe mode. Looks like I will be going over there tomorrow to pick it up from there.
 