
lkckclckl1i1i Netherlands group redirect



TrendMicro is catching attempted redirects to at least three sites, the most common being lkckclckl1i1i.com. This occurs without regard to a browser being open. I have run Malwarebytes (both in safe mode and not in safe mode). I have run HT, GMER, Stinger, Spybot and AdAware, all to no avail. I have researched the Internet to see if anyone has a specific name for the malware responsible for this particular redirect, but have found nothing. Accordingly, I have gone through the pinned instructions on this forum and am posting and attaching as directed therein.

MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4342

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

7/23/2010 3:14:09 PM

mbam-log-2010-07-23 (15-14-09).txt

Scan type: Quick scan

Objects scanned: 204093

Time elapsed: 13 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by chaggerty at 15:35:52.26 on Fri 07/23/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2250 [GMT -5:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {D9E128E8-9757-4EDE-8EE7-98A7E88BDB83}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmproxy.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Syscan\DocketSCAN\DocketSCAN.exe

C:\Program Files\American Systems\Print Screen Deluxe\psdeluxe.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\chaggerty\Desktop\Fix Programs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///F:/Public/DSB/Intranet/index.htm

uDefault_Page_URL = file:///F:/Public/DSB/Intranet/index.htm

mDefault_Page_URL = file:///F:/Public/DSB/Intranet/index.htm

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe

mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow

mRun: [OE] c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\docket~1.lnk - c:\program files\syscan\docketscan\DocketSCAN.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\prints~1.lnk - c:\program files\american systems\print screen deluxe\psdeluxe.exe

uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)

mPolicies-system: disablecad = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: cey-ebanking.com\server174

Trusted Zone: ibbexpress.com\www

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://dsb2006/Imaging/alttiff.ocx

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {3C19742C-0C07-4672-A2E5-AE5EA7291E79} = 172.22.140.7,208.247.248.5

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-1-14 52240]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-1-14 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-1-14 36368]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-1-14 335888]

R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2009-1-14 488768]

R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2009-1-14 652552]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-6 135664]

S3 rexesvr;BeyondLogic RmtExec Server;c:\windows\system32\rexesvr.exe [2006-9-6 61440]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-23 20:35:03 0 ----a-w- c:\documents and settings\chaggerty\defogger_reenable

2010-07-23 15:52:57 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-22 18:16:51 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-22 17:51:25 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0

2010-07-22 14:04:01 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-22 14:04:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-07-22 13:24:12 0 d-----w- c:\docume~1\chagge~1\applic~1\Malwarebytes

2010-07-22 13:20:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-22 13:20:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-22 13:20:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-22 13:20:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-21 21:40:57 0 d-----w- c:\windows\pss

2010-07-14 13:32:01 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-06 13:35:30 617984 ----a-w- c:\windows\system32\Skylon2.dll

2010-07-06 13:35:30 468480 ----a-w- c:\windows\system32\WriterPDF.dll

2010-07-06 13:35:30 303616 ----a-w- c:\windows\system32\LanYard.dll

==================== Find3M ====================

2010-07-08 19:05:00 87029 ----a-w- c:\windows\fonts\AdobeFnt07.lst

2010-07-06 13:35:40 46801 ----a-w- c:\program files\INSTALL.LOG

2010-06-30 14:55:38 385132 ----a-w- c:\windows\system32\GPMicrGP.dll

2010-06-30 14:54:50 1364075 ----a-w- c:\windows\system32\GPDepGP.dll

2010-06-30 14:52:58 229484 ----a-w- c:\windows\system32\GPOFACGP.dll

2010-06-30 14:52:52 319597 ----a-w- c:\windows\system32\GPEFundGP.dll

2010-06-30 14:52:44 3125361 ----a-w- c:\windows\system32\GPInterfaceGP.dll

2010-06-30 14:52:20 802923 ----a-w- c:\windows\system32\GPLibGP.dll

2010-06-30 14:52:12 979053 ----a-w- c:\windows\system32\FillersGP.dll

2010-06-30 14:52:04 36977 ----a-w- c:\windows\system32\GPSignatureGP.dll

2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-28 22:31:40 257536 ----a-w- c:\windows\system32\Abyss.dll

2009-04-08 14:25:54 608 --sha-w- c:\windows\system32\winzvprt5.sys

2009-02-11 19:59:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021120090212\index.dat

============= FINISH: 15:37:09.46 ===============

ark.zip

Attach.zip


Hi there. :lol:

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some tools from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

-------------

Download ComboFix from one of the locations below, and save it to your Desktop.

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Success is ours!! (or so it appears for the nonce). After following your direction re: TeaTimer, I ran ComboFix, which appears to have found at least one issue. Here are the log files for both ComboFix and HijackThis. Please note that the HijackThis log is post-ComboFix. If you note anything other than the rootkit "serial.sys" issue, please comment. I will report that Malwarebytes on an earlier scan had detected and quarantined 3 items:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn

C:\WINDOWS\SYSTEM32\6to4v32.dll

I deleted these using the Malwarebytes button. I assume that while these may have been the overt culprits, the "serial.sys" file must be a residual that was not cleaned. Am I on the right track here, or do we have two unrelated issues?

Anyway, here are the two logs that you requested, and thanks again for your assistance and guidance:

ComboFix Log:

ComboFix 10-07-23.04 - chaggerty 07/24/2010 8:33.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2522 [GMT -5:00]

Running from: c:\documents and settings\chaggerty\Desktop\Fix Programs\ComboFix.exe

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {D9E128E8-9757-4EDE-8EE7-98A7E88BDB83}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\INSTALL.LOG

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))

.

2010-07-23 16:11 . 2010-07-23 16:11 -------- d-----w- c:\documents and settings\chaggerty\Application Data\AdobeUM

2010-07-23 16:11 . 2010-07-23 16:11 -------- d-----w- c:\documents and settings\chaggerty\Local Settings\Application Data\Adobe

2010-07-23 15:52 . 2010-07-23 15:52 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-22 18:16 . 2010-07-22 18:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-22 17:59 . 2010-07-22 17:59 -------- d-----w- c:\documents and settings\chaggerty\Local Settings\Application Data\Sunbelt Software

2010-07-22 17:51 . 2010-07-22 17:56 -------- d-----w- c:\documents and settings\chaggerty\Local Settings\Application Data\Temp

2010-07-22 17:50 . 2010-07-23 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-22 17:33 . 2010-07-22 17:33 -------- d-----w- c:\documents and settings\chaggerty\Application Data\Lavasoft

2010-07-22 14:04 . 2010-07-22 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-22 14:04 . 2010-07-22 14:08 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-22 13:24 . 2010-07-22 13:24 -------- d-----w- c:\documents and settings\chaggerty\Application Data\Malwarebytes

2010-07-22 13:20 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-22 13:20 . 2010-07-22 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-22 13:20 . 2010-07-22 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-22 13:20 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-14 13:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-13 18:41 . 2010-07-13 18:41 -------- d-----w- c:\documents and settings\jenny\Local Settings\Application Data\Temp

2010-07-08 13:20 . 2010-07-08 13:20 -------- d-----w- c:\documents and settings\jenny\GPTemp

2010-07-06 13:41 . 2010-07-06 13:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-07-06 13:36 . 2010-07-06 13:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-07-06 13:35 . 2010-03-04 17:32 617984 ----a-w- c:\windows\system32\Skylon2.dll

2010-07-06 13:35 . 2010-03-04 17:32 468480 ----a-w- c:\windows\system32\WriterPDF.dll

2010-07-06 13:35 . 2010-03-04 17:32 303616 ----a-w- c:\windows\system32\LanYard.dll

2010-06-29 19:40 . 2010-06-29 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-23 22:50 . 2005-07-22 14:54 -------- d-----w- c:\documents and settings\jenny\Application Data\AdobeUM

2010-07-23 22:09 . 2010-07-23 22:09 503808 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-455c8869-n\msvcp71.dll

2010-07-23 22:09 . 2010-07-23 22:09 499712 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-455c8869-n\jmc.dll

2010-07-23 22:09 . 2010-07-23 22:09 348160 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-455c8869-n\msvcr71.dll

2010-07-23 22:09 . 2010-07-23 22:09 12800 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-557823a2-n\decora-d3d.dll

2010-07-23 22:09 . 2010-07-23 22:08 61440 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-557823a2-n\decora-sse.dll

2010-07-23 18:25 . 2010-07-23 18:25 388096 ----a-r- c:\documents and settings\chaggerty\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-23 18:08 . 2007-05-07 13:37 -------- d-----w- c:\program files\Lavasoft

2010-07-23 15:54 . 2010-07-23 15:54 503808 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-42881900-n\msvcp71.dll

2010-07-23 15:54 . 2010-07-23 15:54 499712 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-42881900-n\jmc.dll

2010-07-23 15:54 . 2010-07-23 15:54 348160 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-42881900-n\msvcr71.dll

2010-07-23 15:53 . 2010-07-23 15:53 61440 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-51b47714-n\decora-sse.dll

2010-07-23 15:53 . 2010-07-23 15:53 12800 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-51b47714-n\decora-d3d.dll

2010-07-23 15:53 . 2005-03-06 22:11 -------- d-----w- c:\program files\Common Files\Java

2010-07-23 15:52 . 2005-03-06 22:11 -------- d-----w- c:\program files\Java

2010-07-22 17:57 . 2006-12-26 14:01 -------- d-----w- c:\program files\Google

2010-07-20 21:01 . 2009-04-08 14:25 -------- d-----w- c:\program files\BankTrack

2010-06-30 14:55 . 2009-06-30 13:04 385132 ----a-w- c:\windows\system32\GPMicrGP.dll

2010-06-30 14:54 . 2009-06-30 13:04 1364075 ----a-w- c:\windows\system32\GPDepGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 229484 ----a-w- c:\windows\system32\GPOFACGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 319597 ----a-w- c:\windows\system32\GPEFundGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 3125361 ----a-w- c:\windows\system32\GPInterfaceGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 802923 ----a-w- c:\windows\system32\GPLibGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 979053 ----a-w- c:\windows\system32\FillersGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 36977 ----a-w- c:\windows\system32\GPSignatureGP.dll

2010-06-28 14:29 . 2007-11-30 14:31 49960 ----a-w- c:\documents and settings\chaggerty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe

2010-05-28 20:39 . 2005-06-10 15:20 49960 ----a-w- c:\documents and settings\jenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-28 18:09 . 2007-03-07 14:49 -------- d-----w- c:\program files\MSECache

2010-05-21 19:14 . 2009-10-09 15:25 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 17:20 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 22:31 . 2006-10-12 13:33 257536 ----a-w- c:\windows\system32\Abyss.dll

2009-04-08 14:25 . 2009-04-08 14:25 608 --sha-w- c:\windows\SYSTEM32\winzvprt5.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2001-11-17 135168]

"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-05 40960]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2008-05-15 873856]

c:\documents and settings\jenny\Start Menu\Programs\Startup\

Launch Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2010-5-20 196440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

DocketSCAN.lnk - c:\program files\Syscan\DocketSCAN\DocketSCAN.exe [2007-4-13 391680]

Print Screen Deluxe.LNK - c:\program files\American Systems\Print Screen Deluxe\psdeluxe.exe [2005-5-11 602112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [1/14/2009 11:46 AM 52240]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [1/14/2009 10:31 AM 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [1/14/2009 10:31 AM 36368]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [1/14/2009 10:31 AM 335888]

R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [1/14/2009 10:31 AM 488768]

R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [1/14/2009 10:31 AM 652552]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2010 8:36 AM 135664]

S3 rexesvr;BeyondLogic RmtExec Server;c:\windows\SYSTEM32\rexesvr.exe [9/6/2006 10:25 AM 61440]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 13:36]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 13:36]

2010-07-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///F:/Public/DSB/Intranet/index.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: cey-ebanking.com\server174

Trusted Zone: ibbexpress.com\www

TCP: {3C19742C-0C07-4672-A2E5-AE5EA7291E79} = 172.22.140.7,208.247.248.5

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-24 08:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(196)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\basfipm.exe

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe

c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe

c:\program files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe

.

**************************************************************************

.

Completion time: 2010-07-24 08:51:05 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-24 13:51

Pre-Run: 26,322,071,552 bytes free

Post-Run: 26,401,624,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 150EC0F532A6AB75E028A247ADC1FDEF

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:55:35 AM, on 7/24/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmproxy.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Syscan\DocketSCAN\DocketSCAN.exe

C:\Program Files\American Systems\Print Screen Deluxe\psdeluxe.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Public/DSB/Intranet/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - Global Startup: DocketSCAN.lnk = C:\Program Files\Syscan\DocketSCAN\DocketSCAN.exe

O4 - Global Startup: Print Screen Deluxe.LNK = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file:///F:/Public/DSB/Intranet/index.htm

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://dsb2006/Imaging/alttiff.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = durandstatebank.com

O17 - HKLM\Software\..\Telephony: DomainName = durandstatebank.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = durandstatebank.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = durandstatebank.com

O17 - HKLM\System\CS2\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: BeyondLogic RmtExec Server (rexesvr) - Unknown owner - C:\WINDOWS\System32\rexesvr.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

O23 - Service: BancPac (WinVNC) - AT&T Research Labs Cambridge - C:\PROGRAM FILES\INTERCEPT\BANCSUPP.EXE

--

End of file - 8425 bytes


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\SYSTEM32\winzvprt5.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[CFScript.gif: animation showing CFScript.txt being dragged onto ComboFix.exe]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.


As requested, here are the resulting logs after running the batch file. As the self-taught IT guy here I like to become as aware of these issues as possible, so would you mind explaining what we have done with this command?

Combofix Log:

ComboFix 10-07-24.06 - chaggerty 07/26/2010 8:10.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2465 [GMT -5:00]

Running from: c:\documents and settings\chaggerty\Desktop\Fix Programs\ComboFix.exe

Command switches used :: c:\documents and settings\chaggerty\Desktop\Fix Programs\CFScript.txt

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {D9E128E8-9757-4EDE-8EE7-98A7E88BDB83}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::

"c:\windows\SYSTEM32\winzvprt5.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\SYSTEM32\winzvprt5.sys

.

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))

.

2010-07-23 22:09 . 2010-07-23 22:09 503808 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-455c8869-n\msvcp71.dll

2010-07-23 22:09 . 2010-07-23 22:09 499712 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-455c8869-n\jmc.dll

2010-07-23 22:09 . 2010-07-23 22:09 348160 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-455c8869-n\msvcr71.dll

2010-07-23 22:09 . 2010-07-23 22:09 12800 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-557823a2-n\decora-d3d.dll

2010-07-23 22:08 . 2010-07-23 22:09 61440 ----a-w- c:\documents and settings\jenny\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-557823a2-n\decora-sse.dll

2010-07-23 18:25 . 2010-07-23 18:25 388096 ----a-r- c:\documents and settings\chaggerty\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-23 16:11 . 2010-07-23 16:11 -------- d-----w- c:\documents and settings\chaggerty\Application Data\AdobeUM

2010-07-23 16:11 . 2010-07-23 16:11 -------- d-----w- c:\documents and settings\chaggerty\Local Settings\Application Data\Adobe

2010-07-23 15:54 . 2010-07-23 15:54 503808 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-42881900-n\msvcp71.dll

2010-07-23 15:54 . 2010-07-23 15:54 499712 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-42881900-n\jmc.dll

2010-07-23 15:54 . 2010-07-23 15:54 348160 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-42881900-n\msvcr71.dll

2010-07-23 15:53 . 2010-07-23 15:53 61440 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-51b47714-n\decora-sse.dll

2010-07-23 15:53 . 2010-07-23 15:53 12800 ----a-w- c:\documents and settings\chaggerty\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-51b47714-n\decora-d3d.dll

2010-07-23 15:52 . 2010-07-23 15:52 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-22 18:16 . 2010-07-22 18:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-22 17:59 . 2010-07-22 17:59 -------- d-----w- c:\documents and settings\chaggerty\Local Settings\Application Data\Sunbelt Software

2010-07-22 17:51 . 2010-07-22 17:56 -------- d-----w- c:\documents and settings\chaggerty\Local Settings\Application Data\Temp

2010-07-22 17:50 . 2010-07-23 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-07-22 17:33 . 2010-07-22 17:33 -------- d-----w- c:\documents and settings\chaggerty\Application Data\Lavasoft

2010-07-22 14:04 . 2010-07-22 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-22 14:04 . 2010-07-22 14:08 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-22 13:24 . 2010-07-22 13:24 -------- d-----w- c:\documents and settings\chaggerty\Application Data\Malwarebytes

2010-07-22 13:20 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-22 13:20 . 2010-07-22 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-22 13:20 . 2010-07-22 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-22 13:20 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-14 13:32 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-13 18:41 . 2010-07-13 18:41 -------- d-----w- c:\documents and settings\jenny\Local Settings\Application Data\Temp

2010-07-08 13:20 . 2010-07-08 13:20 -------- d-----w- c:\documents and settings\jenny\GPTemp

2010-07-06 13:41 . 2010-07-06 13:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-07-06 13:36 . 2010-07-06 13:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-07-06 13:35 . 2010-03-04 17:32 617984 ----a-w- c:\windows\system32\Skylon2.dll

2010-07-06 13:35 . 2010-03-04 17:32 468480 ----a-w- c:\windows\system32\WriterPDF.dll

2010-07-06 13:35 . 2010-03-04 17:32 303616 ----a-w- c:\windows\system32\LanYard.dll

2010-06-29 19:40 . 2010-06-29 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-23 22:50 . 2005-07-22 14:54 -------- d-----w- c:\documents and settings\jenny\Application Data\AdobeUM

2010-07-23 18:08 . 2007-05-07 13:37 -------- d-----w- c:\program files\Lavasoft

2010-07-23 15:53 . 2005-03-06 22:11 -------- d-----w- c:\program files\Common Files\Java

2010-07-23 15:52 . 2005-03-06 22:11 -------- d-----w- c:\program files\Java

2010-07-22 17:57 . 2006-12-26 14:01 -------- d-----w- c:\program files\Google

2010-07-20 21:01 . 2009-04-08 14:25 -------- d-----w- c:\program files\BankTrack

2010-06-30 14:55 . 2009-06-30 13:04 385132 ----a-w- c:\windows\system32\GPMicrGP.dll

2010-06-30 14:54 . 2009-06-30 13:04 1364075 ----a-w- c:\windows\system32\GPDepGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 229484 ----a-w- c:\windows\system32\GPOFACGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 319597 ----a-w- c:\windows\system32\GPEFundGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 3125361 ----a-w- c:\windows\system32\GPInterfaceGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 802923 ----a-w- c:\windows\system32\GPLibGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 979053 ----a-w- c:\windows\system32\FillersGP.dll

2010-06-30 14:52 . 2009-06-30 13:04 36977 ----a-w- c:\windows\system32\GPSignatureGP.dll

2010-06-28 14:29 . 2007-11-30 14:31 49960 ----a-w- c:\documents and settings\chaggerty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe

2010-05-28 20:39 . 2005-06-10 15:20 49960 ----a-w- c:\documents and settings\jenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-28 18:09 . 2007-03-07 14:49 -------- d-----w- c:\program files\MSECache

2010-05-21 19:14 . 2009-10-09 15:25 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 17:20 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 22:31 . 2006-10-12 13:33 257536 ----a-w- c:\windows\system32\Abyss.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2001-11-17 135168]

"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-05 40960]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2008-05-15 873856]

c:\documents and settings\jenny\Start Menu\Programs\Startup\

Launch Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2010-5-20 196440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

DocketSCAN.lnk - c:\program files\Syscan\DocketSCAN\DocketSCAN.exe [2007-4-13 391680]

Print Screen Deluxe.LNK - c:\program files\American Systems\Print Screen Deluxe\psdeluxe.exe [2005-5-11 602112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [1/14/2009 11:46 AM 52240]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [1/14/2009 10:31 AM 36368]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [1/14/2009 10:31 AM 335888]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2010 8:36 AM 135664]

S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [1/14/2009 10:31 AM 230928]

S3 rexesvr;BeyondLogic RmtExec Server;c:\windows\SYSTEM32\rexesvr.exe [9/6/2006 10:25 AM 61440]

S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [1/14/2009 10:31 AM 488768]

S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [1/14/2009 10:31 AM 652552]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 13:36]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-06 13:36]

2010-07-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///F:/Public/DSB/Intranet/index.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: cey-ebanking.com\server174

Trusted Zone: ibbexpress.com\www

TCP: {3C19742C-0C07-4672-A2E5-AE5EA7291E79} = 172.22.140.7,208.247.248.5

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-26 08:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-07-26 08:16:00

ComboFix-quarantined-files.txt 2010-07-26 13:15

ComboFix2.txt 2010-07-24 13:51

Pre-Run: 26,281,136,128 bytes free

Post-Run: 26,268,049,408 bytes free

- - End Of File - - 03F784437DE489F9CF11B6F7C5C04504

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:19:43 AM, on 7/26/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Syscan\DocketSCAN\DocketSCAN.exe

C:\Program Files\American Systems\Print Screen Deluxe\psdeluxe.exe

C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Public/DSB/Intranet/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-21-4267568208-1066106845-3760798311-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - Global Startup: DocketSCAN.lnk = C:\Program Files\Syscan\DocketSCAN\DocketSCAN.exe

O4 - Global Startup: Print Screen Deluxe.LNK = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file:///F:/Public/DSB/Intranet/index.htm

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://dsb2006/Imaging/alttiff.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = durandstatebank.com

O17 - HKLM\Software\..\Telephony: DomainName = durandstatebank.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = durandstatebank.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = durandstatebank.com

O17 - HKLM\System\CS2\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: BeyondLogic RmtExec Server (rexesvr) - Unknown owner - C:\WINDOWS\System32\rexesvr.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

O23 - Service: BancPac (WinVNC) - AT&T Research Labs Cambridge - C:\PROGRAM FILES\INTERCEPT\BANCSUPP.EXE

--

End of file - 8295 bytes
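A small triage helper for HijackThis log lines like the ones above, added here as an example and not code from the forum or from HijackThis itself: it parses the O4, O17 and O23 entries and flags what a helper tends to look at first (unresolved startup shortcuts, DNS resolvers outside the site's own address space, services with no publisher). SAMPLE_LOG is constructed from a few entries of the posted log, and the Finding/Report names and the triage rules are this example's own.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample input: a handful of entries modelled on the log posted
# in the thread, not the whole log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Print Screen Deluxe.LNK = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C19742C-0C07-4672-A2E5-AE5EA7291E79}: NameServer = 172.22.140.7,208.247.248.5
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - Unknown owner - C:\WINDOWS\System32\rexesvr.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: BancPac (WinVNC) - AT&T Research Labs Cambridge - C:\PROGRAM FILES\INTERCEPT\BANCSUPP.EXE
"""

# Line shapes HijackThis uses for the sections handled here.
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<lnk>.+?) = (?P<target>.*)$")
O17_NS = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<rest>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O23"
    detail: str    # what was matched
    reason: str    # why a reviewer should look at it


@dataclass
class Report:
    services: list = field(default_factory=list)     # (name, owner, path) tuples
    nameservers: list = field(default_factory=list)  # resolver addresses as strings
    findings: list = field(default_factory=list)     # Finding objects


def triage_hjt(text: str) -> Report:
    """Parse the O4/O17/O23 lines of a HijackThis log and flag entries that merit review."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN.match(line):
            # A Run value with no command is usually a dangling leftover.
            if not m["cmd"].strip():
                rep.findings.append(Finding("O4", m["name"], "Run entry with no command"))
        elif m := O4_STARTUP.match(line):
            # "?" means HijackThis could not resolve the shortcut's target.
            if m["target"].strip() == "?":
                rep.findings.append(Finding("O4", m["lnk"], "startup shortcut with unresolved target"))
        elif m := O17_NS.match(line):
            for ns in (s.strip() for s in m["servers"].split(",")):
                rep.nameservers.append(ns)
                try:
                    addr = ip_address(ns)
                except ValueError:
                    rep.findings.append(Finding("O17", ns, "NameServer value is not an IP address"))
                    continue
                # Redirects that occur with no browser open point at name
                # resolution, so any resolver outside private address space
                # should be confirmed with whoever runs the network.
                if not addr.is_private:
                    rep.findings.append(Finding("O17", ns, "public DNS resolver; confirm it belongs to the ISP or the company"))
        elif m := O23_SVC.match(line):
            # Service entries are "<display name> - <owner> - <path>"; split from
            # the right so a display name containing " - " still parses.
            parts = m["rest"].rsplit(" - ", 2)
            if len(parts) != 3:
                rep.findings.append(Finding("O23", line, "could not split service entry"))
                continue
            name, owner, path = (p.strip() for p in parts)
            rep.services.append((name, owner, path))
            if owner.lower() == "unknown owner":
                rep.findings.append(Finding("O23", name, f"service with no publisher at {path}"))
    return rep


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG).findings:
        print(f"[{f.section}] {f.detail}: {f.reason}")
```

Each finding is a prompt to verify the entry, not a verdict; on the sample input it lists the unresolved Print Screen Deluxe shortcut, the public resolver 208.247.248.5 and the rexesvr service with no publisher.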


  • 1 month later...
  • Staff

Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

