Solved

Got some spyware need help removing...

Posted on 2008-02-07
1,416 Views
Last Modified: 2013-11-22
Got some spyware on my box :P Need a little help getting it all the way off. I have posted my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:41 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Inter-Tel\Personal Communicator\Tray Portal\TrayPortal.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\SJphone 1.65\SJphone.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.24/qqest/Login/Login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O1 - Hosts: 67.154.183.18 support.bhnmi.net
O3 - Toolbar: Inter-Tel® Personal Communicator - {E80A0D27-B798-4F62-9CF3-3FCF47F3E3B3} - C:\Program Files\Inter-Tel\Personal Communicator\IE PORTAL\IEPortal.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [4870009a] rundll32.exe "C:\WINDOWS\system32\uexchvps.dll",b
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Inter-Tel 7000 Tray Portal] C:\Program Files\Inter-Tel\Personal Communicator\\Tray Portal\TrayPortal.exe /autolaunch
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SJphone 1.65.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Call this number - res://C:\Program Files\Inter-Tel\Personal Communicator\IE PORTAL\IEPortal.dll/DialScript.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bhtel-vcore
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.bhnmi.com/XTSAC.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail.ncacleaning.com/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189189200437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189197317938
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://support.bhnmi.net/NELX.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://support.bluehaven.local/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O17 - HKLM\Software\..\Telephony: DomainName = bhnmi.bhcorp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DFC55BE-ACBD-4A91-A71D-8C3F0A43CBC8}: NameServer = 192.168.1.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: RamPrx - {5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af} - C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll
O21 - SSODL: zip - {81792a70-0071-41a3-91fd-dca99d926df4} - C:\WINDOWS\Installer\{81792a70-0071-41a3-91fd-dca99d926df4}\zip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
 
--
End of file - 14753 bytes

Question by:bhnmi
19 Comments
 
LVL 21

Accepted Solution

by:
briancassin earned 2000 total points
ID: 20843245
I will review your HijackThis logfile.

In the meantime, do the following:

Download combofix.exe and save it to your desktop.
Close any open browsers.
Before starting ComboFix, disable and exit any anti-virus software, anti-spyware or any other security-related software, as they may interfere with ComboFix's operation.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe



If ComboFix reports it removed files, then continue on through this; if not, post its logfile and a HijackThis logfile.

I would then get

http://www.ccleaner.com - download it and run it to clear out all the Windows junk files and make the scans faster.

http://www.superantispyware.com - download it, update it and run it.

http://security.kolla.de - Spybot S&D - download it, install it (do not install TeaTimer), update it, then run it.

http://lavasoft.com - Ad-Aware - download it, run it and then uninstall it.
http://pack.google.com/intl/en/pack_installer_new.html?hl=en&gl=us&utm_source=en_US-et-more&utm_medium=et&utm_campaign=en_US&ciNum=11 - select to only download and install Spyware Doctor.

Online anti-virus scanners:

http://www.pandasoftware.com - Panda ActiveScan
http://www.bitdefender.com 
http://housecall.trendmicro.com


Additionally, I would download and run RootkitRevealer; if it comes up with anything odd, post it up here.
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
0
 
LVL 21

Expert Comment

by:briancassin
ID: 20843336
OK, here is what is in your HijackThis log that is bad.

C:\Program Files\Inter-Tel\Personal Communicator\Tray Portal\TrayPortal.exe - I am not sure what this is; if this is something you did not install or know about, remove it, otherwise leave it.



F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [4870009a] rundll32.exe "C:\WINDOWS\system32\uexchvps.dll",b


If you did not add this to your trusted sites, then this needs to be removed:
Trusted Zone: *.bhtel-vcore


I am assuming this is something developed in-house; if not, and you do not know what this is, remove it:
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.bhnmi.com/XTSAC.cab

O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://support.bhnmi.net/NELX.cab

You're going to need SDFix.
Follow the instructions on downloading and using it here, then post the logfile back here:
http://forums.majorgeeks.com/showthread.php?p=869653

0
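A small triage script, added here as an example (it is not code from the thread, from Trend Micro, or from any of the tools linked above), that encodes the reasoning briancassin applied to the log: it parses HijackThis entry lines and reports the same categories he called out (the win.ini run= entry, the rundll32 loader under a random-looking Run key, the wildcard Trusted Zone and the in-house ActiveX controls) while letting a benign Run entry pass. The vendor allow-list and the "random-looking key" heuristic are my assumptions; the sample lines are excerpts of the log posted in the question.

```python
"""HijackThis 2.x log triage (added example; not code from the thread or from
Trend Micro). It parses the "Oxx - " entry format and encodes the reasoning
the thread's reviewers applied: a legacy win.ini run= autostart, a rundll32
loader keyed by a random-looking name, wildcard Trusted Zone entries,
hosts-file overrides and ActiveX (DPF) downloads from non-vendor hosts are
reported for review. Sample lines are excerpts of the log posted above."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run(Once)?: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.*)\) - (?P<url>\S+)$")
# Hosts the reviewers accepted as normal sources of DPF controls (assumption:
# extend this allow-list with your own vendors).
KNOWN_DPF_HOSTS = ("update.microsoft.com", "macromedia.com")

@dataclass
class Finding:
    section: str
    severity: str  # "high": reviewer said remove; "review": confirm with the owner
    reason: str
    line: str

def _looks_random(key: str) -> bool:
    """Heuristic (assumption): 6-12 hex characters with a digit, e.g. '4870009a'."""
    k = key.lower()
    return bool(re.fullmatch(r"[0-9a-f]{6,12}", k)) and any(c.isdigit() for c in k)

def _known_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS)

def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty for benign or non-entry lines)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    found: list[Finding] = []
    if section == "F3" and "win.ini" in body and "run=" in body:
        found.append(Finding(section, "high",
                             "legacy win.ini run= autostart; current software does not use it", line))
    elif section == "O4":
        r = RUN_RE.match(body)
        if r and "rundll32" in r.group("cmd").lower():
            if _looks_random(r.group("key")):
                found.append(Finding(section, "high",
                                     f"rundll32 DLL loader under random-looking Run key [{r.group('key')}]", line))
            else:
                found.append(Finding(section, "review", "rundll32 DLL loader; confirm the DLL's origin", line))
    elif section == "O1":
        found.append(Finding(section, "review", "hosts-file override; confirm the mapping is intentional", line))
    elif section == "O15":
        reason = ("wildcard Trusted Zone entry relaxes IE security for every host in the domain"
                  if "*." in body else "Trusted Zone entry; confirm it was added deliberately")
        found.append(Finding(section, "review", reason, line))
    elif section == "O16":
        d = DPF_RE.match(body)
        if d and not _known_host(d.group("url")):
            found.append(Finding(section, "review",
                                 f"ActiveX control '{d.group('name')}' downloaded from a non-vendor host", line))
    return found

def triage_log(text: str) -> list[Finding]:
    """Triage every line of a pasted HijackThis log."""
    return [f for line in text.splitlines() for f in triage_line(line)]

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

# Excerpt of the HijackThis log posted in the question (plus one benign Run entry).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O1 - Hosts: 67.154.183.18 support.bhnmi.net
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4870009a] rundll32.exe "C:\WINDOWS\system32\uexchvps.dll",b
O15 - Trusted Zone: *.bhtel-vcore
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.bhnmi.com/XTSAC.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```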
 
LVL 21

Expert Comment

by:briancassin
ID: 20843354
You have the worm known as
WORM_SDBOT.ER
also known as WORM_FALSU.A and Spybot.eas worm.

Specific information and removal instructions are here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSDBOT%2EER&VSect=Sn
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20843632
I would propose that you run SDFix on this first, as it will target that 03 directly and any other bots, then ComboFix as briancassin had advised. Then probably a follow-up script.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open.
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Please also upload a fresh HijackThis log.
0
 
LVL 21

Expert Comment

by:briancassin
ID: 20843893
IndiGenus,

I had posted to use SDFix in my comment - 02.07.2008 at 01:19PM EST
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20843953
Sorry briancassin, missed that at the end of your post.
My apologies,
Dave
0
 
LVL 21

Expert Comment

by:briancassin
ID: 20843964
no prob
0
 
LVL 12

Author Comment

by:bhnmi
ID: 20844030
All these are applications that are OK:


If you did not add this to your trusted sites, then this needs to be removed:
Trusted Zone: *.bhtel-vcore


I am assuming this is something developed in-house; if not, and you do not know what this is, remove it:
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.bhnmi.com/XTSAC.cab

O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://support.bhnmi.net/NELX.cab

C:\Program Files\Inter-Tel\Personal Communicator\Tray Portal\TrayPortal.exe - I am not sure what this is; if this is something you did not install or know about, remove it, otherwise leave it.

Ran the program you linked me to in the first post, ComboFix. It ran, rebooted and froze for a LONG time when creating the log. It did remove some things, but it was stuck on displaying the log and I had to power off my box.

Here is my new HijackThis log; I will await your review before taking action. No pop-ups yet :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:25 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Inter-Tel\Personal Communicator\Tray Portal\TrayPortal.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\SJphone 1.65\SJphone.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.24/qqest/Login/Login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Inter-Tel® Personal Communicator - {E80A0D27-B798-4F62-9CF3-3FCF47F3E3B3} - C:\Program Files\Inter-Tel\Personal Communicator\IE PORTAL\IEPortal.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Inter-Tel 7000 Tray Portal] C:\Program Files\Inter-Tel\Personal Communicator\\Tray Portal\TrayPortal.exe /autolaunch
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SJphone 1.65.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Call this number - res://C:\Program Files\Inter-Tel\Personal Communicator\IE PORTAL\IEPortal.dll/DialScript.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bhtel-vcore
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.bhnmi.com/XTSAC.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://mail.ncacleaning.com/ConnectComputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189189200437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189197317938
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://support.bhnmi.net/NELX.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://support.bluehaven.local/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O17 - HKLM\Software\..\Telephony: DomainName = bhnmi.bhcorp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DFC55BE-ACBD-4A91-A71D-8C3F0A43CBC8}: NameServer = 192.168.1.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bhnmi.bhcorp.local
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: RamPrx - {5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af} - C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll
O21 - SSODL: zip - {81792a70-0071-41a3-91fd-dca99d926df4} - C:\WINDOWS\Installer\{81792a70-0071-41a3-91fd-dca99d926df4}\zip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
 
--
End of file - 15432 bytes

 
LVL 12

Author Comment

by:bhnmi
ID: 20844070
Here is the deletions from the combofix log
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\byxwxuu.dll
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\byxwxuu.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\dirdwyic.dll
C:\WINDOWS\system32\dspkpcas.dll
C:\WINDOWS\system32\hggefee.dll
C:\WINDOWS\system32\nnnnnmk.dll
C:\WINDOWS\system32\sacpkpsd.ini
C:\WINDOWS\system32\spvhcxeu.ini
C:\WINDOWS\system32\uexchvps.dll
C:\WINDOWS\system32\uhawahdd.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\winfkx32.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wmuwvxus.dll
C:\WINDOWS\system32\yayaxus.dll

 
LVL 21

Expert Comment

by:briancassin
ID: 20844146
Yeah, you have a lot of bad items in your system.

Run the SDFix as posted above, then rerun ComboFix. ComboFix froze because it encountered something that is probably trying to prevent it from doing its job, or because it had a lot of things to delete.
 
LVL 21

Expert Comment

by:briancassin
ID: 20844166
I looked at the HijackThis log. Aside from the things I had mentioned before:

"If you did not add this to your trusted sites, then this needs to be removed:
Trusted Zone: *.bhtel-vcore


I am assuming this is something developed in-house; if not, and you do not know what this is, remove it:
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.bhnmi.com/XTSAC.cab

O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://support.bhnmi.net/NELX.cab

C:\Program Files\Inter-Tel\Personal Communicator\Tray Portal\TrayPortal.exe - I am not sure what this is; if this is something you did not install or know about, remove it, otherwise leave it."

Everything else is gone, so it looks clean. HOWEVER, your system is not finished being cleaned up, especially considering ComboFix locked up.
 
LVL 12

Author Comment

by:bhnmi
ID: 20844751
Ran SDFix and rebooted, and it finished. Then I ran ComboFix again and it completed without needing a reboot.
 
LVL 21

Expert Comment

by:briancassin
ID: 20844861
OK, what do the logfiles from those say?
 
LVL 21

Expert Comment

by:briancassin
ID: 20844874
When you are finished with all of this, you're also going to want to clear out your System Restore, as this could restore the malware and spyware; 9 times out of 10 it hides out in System Restore.
 
LVL 12

Author Comment

by:bhnmi
ID: 20844911
Combofix log.
ComboFix 08-02.05.3 - jeitzen 2008-02-07 12:16:23.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1299 [GMT -8:00]
Running from: C:\Documents and Settings\jeitzen\Desktop\ComboFix.exe
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((   Files Created from 2008-01-07 to 2008-02-07  )))))))))))))))))))))))))))))))
.
 
2008-02-07 12:12 . 2008-02-07 12:12	10,240	--a------	C:\Program Files\tmp832656.exe
2008-02-07 12:12 . 2008-02-07 12:12	8,421	--a------	C:\Program Files\tmp836343.exe
2008-02-07 12:11 . 2008-02-07 12:11	46,080	--a------	C:\Program Files\tmp747718.exe
2008-02-07 12:11 . 2008-02-07 12:11	10,240	--a------	C:\Program Files\tmp747671.exe
2008-02-07 12:11 . 2008-02-07 12:11	10,240	--a------	C:\Program Files\tmp747546.exe
2008-02-07 12:11 . 2008-02-07 12:11	8,421	--a------	C:\Program Files\tmp747828.exe
2008-02-07 12:11 . 2008-02-07 12:11	8,421	--a------	C:\Program Files\tmp747703.exe
2008-02-07 11:37 . 2008-02-07 11:37	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-02-07 11:18 . 2008-02-07 12:04	<DIR>	d--------	C:\SDFix
2008-02-07 10:01 . 2008-02-07 10:01	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-02-07 10:01 . 2008-02-07 11:03	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-07 09:55 . 2008-02-07 09:55	<DIR>	d--------	C:\Program Files\Trend Micro
2008-02-07 09:26 . 2008-02-07 09:26	10,240	--a------	C:\Program Files\tmp241634437.exe
2008-02-04 14:11 . 2004-05-13 00:39	876,653	--a--c---	C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-02-04 10:18 . 2008-02-04 10:18	<DIR>	d--------	C:\Program Files\PowerISO
2008-01-24 11:34 . 2008-01-24 11:34	<DIR>	d--------	C:\WINDOWS\A6W_DATA
2008-01-24 11:34 . 2008-01-24 11:34	31,437	--a------	C:\WINDOWS\Run32A60.mch
2008-01-24 11:34 . 2008-01-24 11:34	35	--a------	C:\WINDOWS\A6W.INI
2008-01-24 09:57 . 2008-01-24 09:58	<DIR>	d--------	C:\www
2008-01-24 09:48 . 2008-01-24 09:48	<DIR>	d--------	C:\Program Files\EasyPHP 2.0b1
2008-01-24 08:56 . 2008-01-24 08:56	<DIR>	d--------	C:\Program Files\MMTaskbar
2008-01-22 13:27 . 2008-01-22 13:27	<DIR>	d--------	C:\Program Files\svtsp
2008-01-22 13:27 . 2005-08-24 15:19	77,824	--a------	C:\WINDOWS\system32\svtsp.tsp
2008-01-19 23:07 . 2008-01-19 23:07	33,292	--a------	C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 13:00 . 2008-01-16 13:05	98,683,025	--a------	C:\sb-65_2.img
2008-01-14 09:50 . 2008-01-14 09:50	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-14 09:50 . 2008-01-14 09:50	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-14 09:50 . 2008-01-14 09:50	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-01-14 09:48 . 2008-01-14 09:48	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\LogiShrd
2008-01-14 09:46 . 2008-01-14 09:47	<DIR>	d--------	C:\Program Files\Common Files\Logishrd
2008-01-14 09:46 . 2007-09-21 03:00	53,248	--a------	C:\WINDOWS\system32\LBTCoIns.DLL
2008-01-14 09:45 . 2008-01-14 09:45	<DIR>	d--------	C:\Documents and Settings\jeitzen\Application Data\InstallShield
2008-01-14 09:45 . 2008-01-14 09:45	<DIR>	d--------	C:\DOCUME~1\jeitzen\APPLIC~1\InstallShield
2008-01-14 09:43 . 2008-01-22 11:13	<DIR>	d--------	C:\Program Files\Orb Networks
2008-01-14 09:35 . 2008-01-14 09:35	<DIR>	d--------	C:\Documents and Settings\jeitzen\Application Data\Creative
2008-01-14 09:35 . 2008-01-14 09:35	<DIR>	d--------	C:\DOCUME~1\jeitzen\APPLIC~1\Creative
2008-01-14 09:20 . 1999-10-10 09:00	41,984	---------	C:\WINDOWS\Ctregrun.exe
2008-01-14 09:20 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd
2008-01-14 09:18 . 2008-01-22 11:04	<DIR>	d--------	C:\WINDOWS\CtDrvInstall
2008-01-14 09:18 . 2006-06-15 10:18	90,112	-ra------	C:\WINDOWS\CtDrvIns.exe
2008-01-14 09:18 . 2005-07-06 09:07	36,864	-ra------	C:\WINDOWS\system32\CtCamMgr.dll
2008-01-14 09:18 . 2004-07-05 09:00	24,576	-ra------	C:\WINDOWS\system32\CtCamPin.crl
2008-01-14 09:17 . 2008-01-14 09:17	<DIR>	d--------	C:\Program Files\muvee Technologies
2008-01-14 09:15 . 2008-01-14 09:15	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\muvee Technologies
2008-01-14 09:13 . 2008-01-22 11:17	<DIR>	d--------	C:\Program Files\SightSpeed
2008-01-14 09:10 . 2008-01-22 11:17	<DIR>	d--------	C:\Program Files\Creative
2008-01-14 09:06 . 2004-08-03 23:10	10,880	--a------	C:\WINDOWS\system32\drivers\NdisIP.sys
2008-01-14 09:06 . 2004-08-03 23:10	10,880	--a--c---	C:\WINDOWS\system32\dllcache\ndisip.sys
2008-01-14 09:06 . 2004-08-03 22:58	5,504	--a------	C:\WINDOWS\system32\drivers\MSTEE.sys
2008-01-14 09:06 . 2004-08-03 22:58	5,504	--a--c---	C:\WINDOWS\system32\dllcache\mstee.sys
2008-01-11 09:14 . 2008-01-11 09:14	<DIR>	d--------	C:\Documents and Settings\jeitzen\Application Data\Realtime Soft
2008-01-11 09:14 . 2008-01-11 09:14	<DIR>	d--------	C:\DOCUME~1\jeitzen\APPLIC~1\Realtime Soft
2008-01-09 08:34 . 2008-01-09 08:34	<DIR>	d--h-----	C:\WINDOWS\PIF
2008-01-09 08:31 . 2006-05-01 12:04	<DIR>	d--------	C:\xhtml
2008-01-09 08:31 . 2008-01-09 08:39	<DIR>	d--------	C:\jd009 - myfreetemplates.com
2008-01-09 08:31 . 2004-04-28 10:44	<DIR>	d--------	C:\jd_b040
2008-01-09 08:31 . 2006-05-01 12:07	26,750	---------	C:\preview.jpg
2008-01-09 08:31 . 2006-05-01 11:07	4,682	---------	C:\products.html
2008-01-09 08:31 . 2006-05-01 12:07	4,488	---------	C:\preview.thumb.jpg
2008-01-09 08:31 . 2006-05-01 11:06	4,122	---------	C:\tutorials.html
2008-01-09 08:31 . 2003-07-06 13:03	507	--a------	C:\morewebmaster-resources.htm
2008-01-08 08:29 . 2008-01-08 08:29	<DIR>	d--------	C:\Program Files\MapInfo MapX
2008-01-08 08:29 . 2005-04-19 10:10	1,265,716	--a------	C:\WINDOWS\system32\cxlib-1-6.dll
2008-01-08 08:29 . 2005-04-19 10:10	1,249,334	--a------	C:\WINDOWS\system32\cxlibw-1-6.dll
2008-01-08 08:29 . 2005-09-06 17:55	610,304	--a------	C:\WINDOWS\system32\pvxodbc.dll
2008-01-08 08:29 . 2005-09-06 17:54	253,952	--a------	C:\WINDOWS\system32\pvxio.dll
2008-01-08 08:28 . 2008-01-08 08:28	<DIR>	d--------	C:\Program Files\Common Files\Crystal Decisions
2008-01-08 08:27 . 2008-01-08 08:27	<DIR>	d--------	C:\Program Files\Sage1
2008-01-08 08:27 . 1996-06-28 12:26	49,152	--a------	C:\WINDOWS\system32\BIVBX30.32N
2008-01-08 08:27 . 1996-06-28 12:26	35,328	--a------	C:\WINDOWS\system32\BIVBX30.32C
2008-01-08 07:06 . 2008-02-05 08:01	<DIR>	d--------	C:\Documents and Settings\jeitzen\Application Data\AdobeUM
2008-01-08 07:06 . 2008-02-05 08:01	<DIR>	d--------	C:\DOCUME~1\jeitzen\APPLIC~1\AdobeUM
2008-01-07 14:30 . 2008-01-07 14:30	<DIR>	d--------	C:\WINDOWS\Pool Studio
2008-01-07 14:30 . 2008-01-07 14:30	<DIR>	d--------	C:\StructureStudios
2008-01-07 07:59 . 2008-01-07 07:59	374,968	--a------	C:\ringtonespod2chargers.mp3
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:15	---------	d-----w	C:\Program Files\Symantec AntiVirus
2008-02-07 17:38	---------	d-----w	C:\Program Files\SJphone 1.65
2008-02-06 15:54	---------	d-----w	C:\Documents and Settings\jeitzen\Application Data\VMware
2008-02-06 15:54	---------	d-----w	C:\DOCUME~1\jeitzen\APPLIC~1\VMware
2008-02-04 14:20	---------	d-----w	C:\Documents and Settings\jeitzen\Application Data\FileZilla
2008-02-04 14:20	---------	d-----w	C:\DOCUME~1\jeitzen\APPLIC~1\FileZilla
2008-01-22 19:29	---------	d-----w	C:\Program Files\IrfanView
2008-01-22 19:27	---------	d-----w	C:\Program Files\BitTorrent_DNA
2008-01-22 19:16	---------	d-----w	C:\Program Files\VideoLAN
2008-01-22 19:15	---------	d-----w	C:\Program Files\Stellar Phoenix NTFS Data Recovery
2008-01-22 19:12	---------	d-----w	C:\Program Files\Symantec
2008-01-22 19:11	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-22 19:02	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2008-01-15 15:38	---------	d-----w	C:\Program Files\SimulationExams
2008-01-15 15:37	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-01-15 15:37	249,856	------w	C:\WINDOWS\Setup1.exe
2008-01-14 17:46	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-14 17:46	---------	d-----w	C:\Program Files\Common Files\Logitech
2007-12-20 16:26	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-12-20 16:14	---------	d-----w	C:\Program Files\Hewlett-Packard
2007-12-14 17:17	---------	d-----w	C:\Program Files\FileZilla Client
2007-11-15 18:07	76,304	----a-w	C:\WINDOWS\system32\KemXML.dll
2007-11-15 18:07	170,512	----a-w	C:\WINDOWS\system32\kemutb.dll
2007-11-15 18:07	141,840	----a-w	C:\WINDOWS\system32\KemUtil.dll
2007-11-15 18:07	117,264	----a-w	C:\WINDOWS\system32\KemWnd.dll
2007-11-15 18:06	301,656	----a-w	C:\WINDOWS\system32\BtCoreIf.dll
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2005-09-10 02:55	7,155,864	----a-w	C:\Program Files\NGhost10.msi
2005-09-10 02:55	37,766,164	----a-w	C:\Program Files\Data1.cab
2005-09-10 02:55	35	----a-w	C:\Program Files\SCSSDist.ini
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E80A0D27-B798-4F62-9CF3-3FCF47F3E3B3}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
 
[HKEY_CLASSES_ROOT\clsid\{e80a0d27-b798-4f62-9cf3-3fcf47f3e3b3}]
[HKEY_CLASSES_ROOT\IESylantro.IEObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{14331F2E-2A22-44BB-AA82-687EFC87079A}]
[HKEY_CLASSES_ROOT\IESylantro.IEObj]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-09-17 07:44 67128]
"Inter-Tel 7000 Tray Portal"="C:\Program Files\Inter-Tel\Personal Communicator\\Tray Portal\TrayPortal.exe" [2007-02-03 22:56 1405010]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 15:13 1207080]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 09:07 843776]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 16:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 18:49 125632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 12:00 53248]
"MediaLifeService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" [2005-06-03 16:09 110739]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 02:00 143360]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"FileZilla Server Interface"="C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 06:55 937984]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"SonicWALLNetExtender"="C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2007-10-23 16:09 562608]
"HPWQTOOLBOX"="C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-01 14:54 335872]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 01:12 24576]
"Bluetooth Connection Assistant"="LBTWIZ.exe" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-19 23:05 217088]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 12:00 53248]
 
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 22:37:20 561213]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-09-17 07:44:23 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-14 09:46:52 784912]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2008-01-24 08:56:48 294912]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 02:55:18 972320]
SJphone 1.65.lnk - C:\WINDOWS\Installer\{E1A45BFD-FD3E-45D7-AD5C-A29A506C2EB3}\SoftphoneIcon.exe [2007-10-30 11:48:34 20480]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]
"{A00CA75C-DEDD-4474-9088-5D6363D69338}"= C:\WINDOWS\system32\byxwxuu.dll [ ]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamPrx"= {5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af} - C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll [2008-02-07 09:26 14374]
"zip"= {81792a70-0071-41a3-91fd-dca99d926df4} - C:\WINDOWS\Installer\{81792a70-0071-41a3-91fd-dca99d926df4}\zip.dll [2008-02-07 09:26 39462]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
 
R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-13 18:01]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 02:00]
R3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\DRIVERS\SSLDrv.sys [2007-08-28 16:31]
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##ze_file1#Drivers#PRINTERS#Deskjet 9800]
\Shell\AutoRun\command - X:\autorun.exe -c
 
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 12:17:32
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\MMTaskbar\shellhook.dll
-> C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll
.
Completion time: 2008-02-07 12:18:04
ComboFix-quarantined-files.txt  2008-02-07 20:18:01
ComboFix2.txt  2008-02-07 18:52:34
.
2008-01-15 11:01:58	--- E O F ---  

 
LVL 12

Author Comment

by:bhnmi
ID: 20844920
SDfix log

SDFix: Version 1.138
 
Run by Administrator on Thu 02/07/2008 at 11:39 AM
 
Microsoft Windows XP [Version 5.1.2600]
 
Running From: C:\SDFix
 
Safe Mode:
Checking Services: 
 
 
Restoring Windows Registry Values
Restoring Windows Default Hosts File
 
Rebooting...
 
 
Normal Mode:
Checking Files: 
 
Trojan Files Found:
 
C:\Program Files\Setup.exe  - Deleted
 
 
 
 
 
Removing Temp Files...
 
ADS Check:
 
 
 
                                 Final Check:
 
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 12:01:01
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...
 
scanning hidden services & system hive ...
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:de,4b,bc,88,76,72,b7,06,26,88,c9,b6,f9,f2,78,1c,32,8a,62,9f,66,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:de,4b,bc,88,76,72,b7,06,26,88,c9,b6,f9,f2,78,1c,32,8a,62,9f,66,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:de,4b,bc,88,76,72,b7,06,26,88,c9,b6,f9,f2,78,1c,32,8a,62,9f,66,..
 
scanning hidden registry entries ...
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\n\21]
"DisplayName"="\xd8a8\x344\xd8a8\x344\1"
"DeviceDesc"="\xd8a8\x344\xd8a8\x344\1"
"ProviderName"="\x27d4\21\xee18\x7c90\x2844\21\b"
"MFG"="\x5e8"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xa14\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"c:\dell\drivers\r134873\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000007a
 
scanning hidden files ...
 
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
 
 
Remaining Services:
------------------
 
 
 
Authorized Application Key Export:
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Hewlett-Packard\\HP Deskjet 9800 Series\\Toolbox\\HPWQTBX.exe"="C:\\Program Files\\Hewlett-Packard\\HP Deskjet 9800 Series\\Toolbox\\HPWQTBX.exe:*:Disabled:Toolbox for HP Printing System for Windows"
"C:\\Program Files\\Inter-Tel\\Personal Communicator\\Tray Portal\\TrayPortal.exe"="C:\\Program Files\\Inter-Tel\\Personal Communicator\\Tray Portal\\TrayPortal.exe:*:Enabled:Inter-Tel Personal Communicator For Windows"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\SJphone 1.65\\SJphone.exe"="C:\\Program Files\\SJphone 1.65\\SJphone.exe:*:Enabled:SJphone 1.65"
 
Remaining Files:
---------------
 
File Backups: - C:\SDFix\backups\backups.zip
 
Files with Hidden Attributes:
 
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed  4 Aug 2004         4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed  4 Aug 2004        73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Mon 17 Sep 2007         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu  7 Feb 2008        14,374 ..SHR --- "C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll"
Thu  7 Feb 2008        39,462 ..SHR --- "C:\WINDOWS\Installer\{81792a70-0071-41a3-91fd-dca99d926df4}\zip.dll"
Wed 12 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7A.tmp"
Wed 12 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\243d2aaf5ff8e39b62f16b2a566918fb\BIT78.tmp"
Wed 12 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT7C.tmp"
Thu 24 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT9.tmp"
Wed 12 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\853e0b70ea7110340ec607fe469d0b7d\BIT79.tmp"
Wed 12 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT7B.tmp"
Wed 12 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT7D.tmp"
Wed  9 Jan 2008        30,208 ...H. --- "C:\Documents and Settings\jeitzen\Application Data\Microsoft\Word\~WRL0327.tmp"
Mon  7 Jan 2008        30,208 ...H. --- "C:\Documents and Settings\jeitzen\Application Data\Microsoft\Word\~WRL1873.tmp"
 
Finished!

 
LVL 12

Author Comment

by:bhnmi
ID: 20845075
System restore is disabled by Group Policy on all machines.
 
LVL 21

Expert Comment

by:briancassin
ID: 20846557
OK, copy the contents between the lines:

--------------------------------------------------------------------------------------------------

File::
C:\Program Files\tmp832656.exe
C:\Program Files\tmp836343.exe
C:\Program Files\tmp747718.exe
C:\Program Files\tmp747671.exe
C:\Program Files\tmp747546.exe
C:\Program Files\tmp747828.exe
C:\Program Files\tmp747703.exe
C:\Program Files\tmp241634437.exe
C:\WINDOWS\Run32A60.mch
C:\jd009 - myfreetemplates.com
C:\WINDOWS\Setup1.exe
C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
------------------------------------------------------------------------------------------------------

Save the file as CFScript.txt.
Drag CFScript into ComboFix to make it run again.

Check the new ComboFix logfile and verify the above entries are gone. If it is not removing them, you may have to get a BartPE boot disk and manually remove the entries.

You also need to manually remove these from the registry:
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A00CA75C-DEDD-4474-9088-5D6363D69338}"= C:\WINDOWS\system32\byxwxuu.dll [ ]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamPrx"= {5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af} - C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll

"zip"= {81792a70-0071-41a3-91fd-dca99d926df4} - C:\WINDOWS\Installer\{81792a70-0071-41a3-91fd-dca99d926df4}\zip.dll [2008-02-07 09:26 39462]

You'll also want to run VX2 Finder; it can be downloaded here:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

Continue with running the other apps I mentioned.
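Added example (not code from this thread, nor from ComboFix or HijackThis): a small triage script that does mechanically what briancassin did by eye in his two replies above. It reads HijackThis and ComboFix log lines, flags the kinds of entries he singled out (O15 Trusted Zone hosts to confirm with the user, O21 SSODL objects loading a DLL out of C:\WINDOWS\Installer\{GUID}\, a ShellExecuteHook whose DLL is already gone, tmpNNNN.exe files dropped in Program Files), and writes the two artefacts the clean-up step needs: the File:: section of a CFScript.txt in the same form as the one posted above, and a REGEDIT4 .reg file that deletes the leftover autostart values (the same values he asks to be removed by hand in regedit; a .reg import is just the reproducible form of that). The function names, the heuristics and the .reg output are my own choices; the sample log lines are copied from the logs posted in this thread. Import the .reg only after a registry backup (ComboFix already installed ERUNT on this box, as the log shows).

```python
"""Triage helper for a HijackThis / ComboFix clean-up like the one in this thread.

Added example, not part of the thread. Heuristics and function names are mine;
the sample lines below are copied from the logs posted above.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: a few lines lifted from the HijackThis and ComboFix logs in
# this thread. Tabs in the ComboFix "Files Created" line are shown as spaces.
SAMPLE_LOG = r"""
O15 - Trusted Zone: *.bhtel-vcore
O15 - Trusted Zone: http://forums.techguy.org
O21 - SSODL: RamPrx - {5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af} - C:\WINDOWS\Installer\{5aa9eef0-cca5-46f2-a0a8-d58b4ffe78af}\RamPrx.dll
O21 - SSODL: zip - {81792a70-0071-41a3-91fd-dca99d926df4} - C:\WINDOWS\Installer\{81792a70-0071-41a3-91fd-dca99d926df4}\zip.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]
"{A00CA75C-DEDD-4474-9088-5D6363D69338}"= C:\WINDOWS\system32\byxwxuu.dll [ ]
2008-02-07 12:12 . 2008-02-07 12:12    10,240    --a------    C:\Program Files\tmp832656.exe
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"

# Line shapes: HijackThis O15/O21, ComboFix ShellExecuteHooks dump, ComboFix "Files Created".
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"=\s*(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$')
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Heuristics for what is worth acting on in this particular clean-up (my choices).
MSI_CACHE_DIR = re.compile(r"\\WINDOWS\\Installer\\\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE)
TMP_EXE = re.compile(r"\\Program Files\\tmp\d+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "file": delete via CFScript; "regvalue": delete via .reg; "review": ask the user
    detail: str  # file path, or "<key>|<value name>" for a registry value
    reason: str


def triage(log_text):
    """Return the findings for a blob of HijackThis/ComboFix log lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O15_RE.match(line):
            # Trusted Zone hosts get relaxed ActiveX/script settings in IE;
            # only the user can say whether each one was added on purpose.
            findings.append(Finding("review", m["zone"], "IE Trusted Zone entry; confirm it was added deliberately"))
        elif (m := SSODL_RE.match(line)) and MSI_CACHE_DIR.search(m["path"]):
            # SSODL objects load into explorer.exe at logon; a DLL sitting in the
            # Windows Installer cache is not where a legitimate one lives.
            findings.append(Finding("file", m["path"], "SSODL DLL loaded from the Windows Installer cache"))
            findings.append(Finding("regvalue", f"{SSODL_KEY}|{m['name'].strip()}", "autostart value for that DLL"))
        elif (m := HOOK_RE.match(line)) and not m["info"].strip():
            # ComboFix prints "[ ]" when the hook's DLL is already gone: an orphaned value.
            findings.append(Finding("regvalue", f"{HOOKS_KEY}|{m['clsid']}", f"ShellExecuteHook whose DLL is missing: {m['path']}"))
        elif (m := CREATED_RE.match(line)) and TMP_EXE.search(m["path"]):
            findings.append(Finding("file", m["path"], "tmpNNNN.exe dropped directly in Program Files"))
    return findings


def cfscript(findings):
    """CFScript.txt body: a File:: section, one path per line, as in the post above."""
    files = [f.detail for f in findings if f.kind == "file"]
    return "File::\n" + "\n".join(files) + "\n"


def reg_deletions(findings):
    """REGEDIT4 text removing the flagged values; '"name"=-' deletes a value on import."""
    by_key = {}
    for f in findings:
        if f.kind == "regvalue":
            key, value = f.detail.split("|", 1)
            by_key.setdefault(key, []).append(value)
    out = ["REGEDIT4", ""]
    for key, values in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{v}"=-' for v in values)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python triage.py hijackthis.log ComboFix.txt   (no arguments: built-in sample)
    text = "".join(open(p, errors="replace").read() + "\n" for p in sys.argv[1:]) or SAMPLE_LOG
    found = triage(text)
    for f in found:
        print(f"[{f.kind:8}] {f.detail}  ({f.reason})")
    print("\n--- CFScript.txt ---\n" + cfscript(found))
    print("--- remove-autostarts.reg ---\n" + reg_deletions(found))
```

Run it against the two full logs (python triage.py hijackthis.log ComboFix.txt) rather than the sample; the "review" findings are for the user to answer, the File:: output goes into CFScript.txt exactly as described above, and the .reg is imported with regedit after a backup. The heuristics are deliberately narrow to this box's indicators; widen them only once you have looked at the new log.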
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22408380
500 to briancassin, he did all the work.
