Working on one that is driving me nuts. Seems to be a rash of fake antivirus crap going around...
ComboFix log:
Code:
ComboFix 10-03-16.03 - Owner 03/16/2010 19:08:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.663 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: CleanUp Antivirus *On-access scanning enabled* (Updated) {A9480CD1-A5AC-473C-ABDB-AA329B9E6678}
FW: CleanUp Antivirus *enabled* {5004F310-AD5A-4A7B-BA4E-9BFBD7F5645F}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-3441940337-1758453630-3637168011-1003
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.
2010-03-16 22:04 . 2010-03-16 22:04 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
2010-03-16 22:04 . 2010-03-16 22:04 -------- d-----w- c:\program files\TeamViewer
2010-03-16 19:36 . 2010-03-16 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 19:36 . 2010-03-16 19:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 18:24 . 2010-03-16 18:24 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-16 18:21 . 2010-03-16 18:21 -------- d-----w- c:\program files\VS Revo Group
2010-03-16 18:17 . 2010-03-16 18:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-16 17:23 . 2010-03-16 17:23 39544 ----a-w- c:\documents and settings\Administrator.CLARKCOMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 17:18 . 2010-03-16 17:18 -------- d-----w- c:\documents and settings\Administrator.CLARKCOMPUTER\Application Data\Malwarebytes
2010-03-16 17:18 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-16 17:18 . 2010-03-16 17:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 17:18 . 2010-03-16 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-16 17:18 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 18:10 . 2010-03-15 18:11 -------- d-sh--w- c:\documents and settings\Owner\Application Data\CleanUp Antivirus
2010-03-15 18:10 . 2010-03-15 18:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\CUFBHIRGUPA
2010-03-15 18:10 . 2010-03-15 18:10 2697216 ----a-w- c:\documents and settings\All Users\Application Data\a183887\CUa183.exe
2010-03-15 18:10 . 2010-03-15 18:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\a183887
2010-03-10 13:28 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 18:30 . 2008-11-04 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-03-16 18:24 . 2008-04-01 02:18 -------- d-----w- c:\program files\Java
2010-03-16 18:24 . 2009-11-12 13:46 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-15 13:41 . 2008-11-08 16:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2010-03-05 15:50 . 2008-11-07 17:04 -------- d-----w- c:\program files\Auction Client
2010-02-24 14:16 . 2009-10-02 19:19 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2006-05-07 01:24 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-05-07 01:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-05-07 01:24 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-05-07 01:24 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}]
2009-06-25 08:53 311808 ----a-w- c:\progra~1\SITERA~1\SiteRank.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd3fd433-147a-482e-a192-614f26e2310c}]
2009-03-11 19:39 1291560 ----a-w- c:\program files\MapQuest Toolbar\mapquesttb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9302e698-7e00-43ab-b867-c6e759bc2ada}"= "c:\program files\MapQuest Toolbar\mapquesttb.dll" [2009-03-11 1291560]
[HKEY_CLASSES_ROOT\clsid\{9302e698-7e00-43ab-b867-c6e759bc2ada}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{e3a72ce3-87ab-41bc-a506-d0c507d265f3}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9302E698-7E00-43AB-B867-C6E759BC2ADA}"= "c:\program files\MapQuest Toolbar\mapquesttb.dll" [2009-03-11 1291560]
[HKEY_CLASSES_ROOT\clsid\{9302e698-7e00-43ab-b867-c6e759bc2ada}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{e3a72ce3-87ab-41bc-a506-d0c507d265f3}]
[HKEY_CLASSES_ROOT\mapquestTb.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 00:43 69632 ----a-w- c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2006-11-07 21:08 547840 ----a-w- c:\windows\zHotkey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp Antivirus]
2010-03-15 18:10 2697216 ----a-w- c:\documents and settings\All Users\Application Data\a183887\CUa183.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-10-06 03:13 114688 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-10-06 03:11 98304 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-11-29 19:22 58928 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModPS2]
2006-11-07 21:34 53248 ----a-w- c:\windows\ModPS2Key.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-10-06 03:10 94208 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 22:10 56928 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 23:33 16132608 ----a-w- c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2005-01-27 16:13 36864 ----a-w- c:\windows\ShowWnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteRanker]
2009-06-25 08:53 273920 ----a-w- c:\program files\SiteRanker\SiteRankTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 08:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-12-09 10:12 234856 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\a183887\\CUa183.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 1:44 AM 69692]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4E7BD74F-2B8D-469E-C8ED-EA2EFAD2ED61} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
AddRemove-Auction Client - c:\program files\Auction Client\AMSAuctionInstaller.exe
AddRemove-NOD32 v3.x FiX 1.1 by TemDono_is1 - c:\program files\ESET\ESET Smart Security\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 19:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-03-16 19:15:04
ComboFix-quarantined-files.txt 2010-03-16 23:14
Pre-Run: 139,426,222,080 bytes free
Post-Run: 140,462,645,248 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - DFA83D6731EFA08338E942E49212234A
More to come as I get it scanned. Working remotely via TeamViewer. ComboFix kept breaking the connection... hopefully Malwarebytes and HJT won't do the same.
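The log above carries the classic rogue-AV fingerprints: a product nobody installed registered with Security Center as both AV and FW, a root-level Security Center DisableMonitoring=1, system+hidden folders dropped under Application Data, an msconfig startup entry that runs the "antivirus" from All Users\Application Data, and a firewall exception for that same executable. The script below is an added example, not something from this post or from ComboFix; it parses the log format exactly as it appears here (assumed to be stable across the file-listing, [key]/"value" and AV:/FW: header lines) and reports those indicators so the next log can be triaged in seconds. The rule names, the Finding class and the SAMPLE_LOG excerpt are mine; the excerpt is copied from the log above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix log above, trimmed to the
# entries the rules below look at. Firewall-list paths keep ComboFix's doubled
# backslashes, file-listing paths keep single ones, exactly as in the log.
SAMPLE_LOG = r"""
AV: CleanUp Antivirus *On-access scanning enabled* (Updated) {A9480CD1-A5AC-473C-ABDB-AA329B9E6678}
FW: CleanUp Antivirus *enabled* {5004F310-AD5A-4A7B-BA4E-9BFBD7F5645F}
2010-03-15 18:10 . 2010-03-15 18:11 -------- d-sh--w- c:\documents and settings\Owner\Application Data\CleanUp Antivirus
2010-03-15 18:10 . 2010-03-15 18:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\CUFBHIRGUPA
2010-03-15 18:10 . 2010-03-15 18:10 2697216 ----a-w- c:\documents and settings\All Users\Application Data\a183887\CUa183.exe
2010-03-15 18:10 . 2010-03-15 18:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\a183887
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp Antivirus]
2010-03-15 18:10 2697216 ----a-w- c:\documents and settings\All Users\Application Data\a183887\CUa183.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 08:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\a183887\\CUa183.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"""

# File-listing line: "mtime [. ctime] size attrs path". Startupreg entries omit
# the ". ctime" part, so it is optional. attrs is the 8-char d/c/s/h/a/r/w field.
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>\S+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# XP per-user and All Users data folders: nothing that calls itself an AV
# product should be executing from here.
APPDATA = re.compile(r"\\(?:all users\\)?application data\\", re.I)


@dataclass
class Finding:
    rule: str
    evidence: str


def parse_entries(text):
    """Return (current_registry_key, line) pairs. ComboFix prints values under the
    last [key] header, so tracking the header is what ties a value such as
    DisableMonitoring to the key it lives in. Keys are lower-cased for matching."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1).lower()
            continue
        entries.append((key, line))
    return entries


def rule_security_center_disabled(entries):
    """Root-level Security Center Monitoring\\DisableMonitoring=1. The per-vendor
    sub-keys (SymantecAntiVirus etc.) are written by those products; the root
    value silences Security Center alerts as a whole."""
    return [Finding("security-center-monitoring-disabled", key)
            for key, line in entries
            if key and key.endswith("security center\\monitoring")
            and line.lower() == '"disablemonitoring"=dword:00000001']


def rule_hidden_appdata_dirs(entries):
    """Directory under Application Data created with system+hidden attributes."""
    out = []
    for _, line in entries:
        m = FILE_LINE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if attrs[0] == "d" and "s" in attrs[:4] and "h" in attrs[:4] and APPDATA.search(path):
            out.append(Finding("hidden-system-dir-in-appdata", path))
    return out


def rule_firewall_exception_in_appdata(entries):
    """Windows Firewall authorized application whose binary lives under Application Data."""
    out = []
    for key, line in entries:
        if key and key.endswith("authorizedapplications\\list"):
            m = re.match(r'^"(.+?)"=', line)
            if m:
                path = m.group(1).replace("\\\\", "\\")  # undo ComboFix's escaping
                if APPDATA.search(path):
                    out.append(Finding("firewall-exception-in-appdata", path))
    return out


def rule_security_product_from_appdata(entries):
    """Product announced in the AV:/FW: header lines whose msconfig startup entry
    executes from Application Data rather than Program Files."""
    products = {m.group(2).lower() for _, line in entries
                if (m := re.match(r"^(AV|FW): (.+?) \*", line))}
    out = []
    for key, line in entries:
        if not key or "\\startupreg\\" not in key:
            continue
        name = key.rsplit("\\", 1)[1]
        m = FILE_LINE.match(line)
        if m and name in products and APPDATA.search(m.group("path")):
            out.append(Finding("security-product-runs-from-appdata", f"{name} -> {m.group('path')}"))
    return out


RULES = (rule_security_center_disabled, rule_hidden_appdata_dirs,
         rule_firewall_exception_in_appdata, rule_security_product_from_appdata)


def triage(text):
    """Run every rule over the log text and return the findings in rule order."""
    entries = parse_entries(text)
    findings = []
    for rule in RULES:
        findings.extend(rule(entries))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40} {f.evidence}")
```

Feed it the whole log rather than the excerpt and the same four rules fire on the same entries; the Java startup line and the HP/TeamViewer firewall entries are there to show that legitimate Program Files paths stay quiet. The rules are deliberately location-based (Application Data, hidden+system attributes, a Security Center override) rather than keyed on the name "CleanUp Antivirus", because the next rogue will have a different name and a different random folder but the same habits.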