
Lots Of Bugs!


73 replies to this topic

#1 mikegru

Posted 23 August 2007 - 08:00 AM

An associate has been using my desktop and about 2 weeks ago it began running really slow. There is obviously something very wrong with this system. Would you please have a look at this HJT log and see if there's anything that can be done short of reformatting? Thanks - Mike

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:39 AM, on 8/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\bdaecsc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\veksox.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
A:\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\bdaecsc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061230.dll start
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\System32\xydzyh.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [veksox] C:\WINDOWS\veksox.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [clcl14] C:\WINDOWS\System32\clcl14.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ksayigbi.dll",forkonce
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\WINDOWS\server.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\IEXPLORE.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O15 - Trusted Zone: *.worldspan.com (HKLM)
O15 - Trusted Zone: *.wspan.com (HKLM)
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeuscruise.com/AutomaticUpdat...toUpdateATL.CAB
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us//DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp10171.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp10171.wspan.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp10171.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum351.txt
O21 - SSODL: KMHIEVKOlPs - {0425CCC2-AE8F-6668-FE47-7B244BA8E933} - C:\WINDOWS\System32\ytbh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Active HelpAssistants - Unknown owner - C:\WINDOWS\IIS\iissets (file missing)
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - C:\WINDOWS\system\svchest.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: Windows Notification Service (Winnotify) - Unknown owner - C:\WINDOWS\System32\winntify.exe (file missing)

--
End of file - 10171 bytes



#2 Blender (Malware Response Team)

Posted 24 August 2007 - 05:37 AM

Hi and welcome,

You have a real nasty mess here. :thumbsup:
This machine used for work?
I'll hand it to you straight and it's not pretty.

You have at least 1 known password stealer and some backdoor activity, several downloaders and of course a pile of adware including virtumonde, FakeAlert, and several others.

http://vil.nai.com/vil/content/v_132935.htm

Variant of this:
http://www.trendmicro.com/vinfo/virusencyc...T.H&VSect=T

And this:
http://www.sophos.com/security/analyses/trojbckdrpuv.html

This:
http://www.bleepingcomputer.com/startups/w....exe-18985.html

IMO if you have the resources it would be safer to format and re-install the system from known good backups or from scratch.
Although I can try and help you clean it, I cannot guarantee it will be the same or completely safe when we are done.
Formatting/reinstalling is really the only safe way of cleaning this up.
It is a royal pain to have to do this but it is the safest, and you know for sure it is clean.

You need to get to a known clean computer to change ALL your passwords to any sensitive log-in sites.
If you do banking or CC shopping on this computer, you should call your banks and credit card companies to have them check/watch your accounts for fraudulent activity.

This computer needs to be taken OFFline until we can get it cleaned up or you format it.

This computer must not be used for sensitive log-ins.

The password changing applies to anyone who has used this computer since their passwords may have been stolen as well.

Backdoors present a special issue because they allow the attacker to have complete access to your system and they can do whatever you can except physically touch it.
Quite often there are several security settings changed on the computer to allow easier access (when the attacker returns) and sometimes we may not see these changes.

I suspect at least one rootkit is installed.
These present a real problem because they can be designed to hide anything. Makes for difficult detection and even more difficult removal.

Please let me know that you have understood the above and do let me know what you want to do.

Thanks

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
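Added example, not part of Blender's reply and not code from HijackThis: a small Python triage script that applies the kind of checks a helper makes by eye when reading an HJT log like the one in post #1. The rules (look-alike names for system binaries such as svehost.exe, autostarts in the Windows root or under Policies\Explorer\Run, extra Shell= and UserInit= values, AppInit_DLLs, a public resolver in O17, missing or unknown-owner services, ActiveX downloads from a non-HTTP source) and the table of canonical binary locations are my own assumptions for illustration; the sample lines are copied from the log above plus one known-good QuickTime entry. Every hit means "look at this", not "this is malware".

```python
"""Heuristic HijackThis-log triage (added example; rules and path table are assumptions, hits mean "review")."""
import ipaddress
import re

# Binaries malware likes to impersonate and where they normally live (assumed table).
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
                   "lsass.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
                   "iexplore.exe": r"c:\program files\internet explorer", "explorer.exe": r"c:\windows"}
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
USERINIT_OK = [r"c:\windows\system32\userinit.exe"]

def _edit_distance(a, b):
    """Levenshtein distance; catches svehost.exe / svchest.exe style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _lookalike(path):
    """Reason if `path` names (or nearly names) a system binary away from its home."""
    directory, _, name = path.strip().strip('"').lower().rpartition("\\")
    stem = name[:-4] if name.endswith(".exe") else name
    for known, home in SYSTEM_BINARIES.items():
        if stem == known[:-4] and directory != home:
            return f"named {known} but not in {home}"
        if stem != known[:-4] and _edit_distance(stem, known[:-4]) == 1:
            return f"look-alike of {known}"
    return ""

def _exe_of(command):
    """First token of a Run-key command: the quoted path, or up to the first space."""
    command = re.sub(r"\s+\(User '[^']*'\)$", "", command).strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def triage_hjt(log):
    """Return (line number, reason, line) for every entry worth a second look."""
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body, reasons = m.group("sec"), m.group("body"), []
        if sec == "F2" and "Shell=" in body:
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                reasons.append("extra executable in Shell=")
        elif sec == "F2" and "UserInit=" in body:
            parts = [p.strip().lower() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if parts != USERINIT_OK:
                reasons.append("extra UserInit entry")
        elif sec == "O4":
            key, _, command = body.partition(": ")
            if "policies\\explorer\\run" in key.lower():
                reasons.append("autostart under Policies\\Explorer\\Run")
            command = command.partition("] ")[2] if command.startswith("[") else command.partition(" = ")[2]
            exe = _exe_of(command)
            if exe.lower().endswith(".dll"):
                reasons.append("DLL launched directly from a Run key")
            if exe.lower().rpartition("\\")[0] == r"c:\windows":
                reasons.append("autostart in the Windows root")
            reasons.extend(filter(None, [_lookalike(exe)]))
        elif sec == "O16" and not body.rsplit(" - ", 1)[-1].lower().startswith(("http://", "https://")):
            reasons.append("ActiveX download from a non-HTTP source")
        elif sec == "O17" and "NameServer" in body:
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", body):
                if not ipaddress.ip_address(ip).is_private:
                    reasons.append(f"public DNS server {ip}; confirm it is the ISP's")
        elif sec == "O20" and body.partition(":")[2].strip():
            reasons.append("AppInit_DLLs set to " + body.partition(":")[2].strip())
        elif sec == "O23":
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            if "(file missing)" in body:
                reasons.append("service binary missing")
            if "Unknown owner" in body and not path.lower().startswith(r"c:\program files"):
                reasons.append("unknown-owner service outside Program Files")
            reasons.extend(filter(None, [_lookalike(path)]))
        findings.extend((no, r, line) for r in reasons)
    return findings

# Sample lines copied from the HJT log in post #1, plus one known-good QuickTime entry as a control.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\bdaecsc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_061230.dll start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\IEXPLORE.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum351.txt
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - C:\WINDOWS\system\svchest.exe"""

if __name__ == "__main__":
    for no, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"line {no}: {reason}\n    {line}")
```

Two of the rules are deliberately noisy and need a human. The O17 check flags any resolver outside the private ranges, which is exactly what an ISP-assigned DNS server also looks like, so compare the address with what DHCP actually handed out before calling it a hijack. The look-alike table covers only six names; extend it for your own build. Neither rule says what a file is, only that it is not where that name belongs, which is the same judgement Blender makes by eye above.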

#3 mikegru (Topic Starter)

Posted 24 August 2007 - 07:52 AM

Thanks for the good news! Thankfully this computer has not been used for anything sensitive, and has no known passwords to secure sites; however, it does have proprietary software that would cost a lot of money to replace. I do not have any of the startup disks as this system was deeded to me by Worldspan, one of our vendors, as part of negotiation to conduct business with them. If you are up for a challenge, I would like to try to see what we can do. I've tried restoring to an earlier date, but no luck. Also have tried booting into safe mode to scan, but it won't go there either. I am able to run AVG, but not Adaware or Spybot. I thought about running the Winantivirus (?) that was installed by the spyware, but decided not to before submitting to you guys. Luckily I was able to get HJT on the system because the floppy works - have not tried using the CD drive yet. Also, have not figured out how to access Control Panel yet - it seems to have been disabled ... if you're game, so am I.

#4 Blender (Malware Response Team)

Posted 24 August 2007 - 02:46 PM

Hey,

When you mentioned "associate" I thought this was a work computer and was really concerned about the data being stored on it.

Cleaning.... it will take a few rounds I think. Not too many infections can get out from under me that easy :D

Not sure what you mean with Safe mode. You are unable to get to safe mode at all?
What happens when you try please?

No control panel.... yeah. I see the infection doing that. It added restrictions to the registry to block you access to control panel.

Winantivirus???
No. Let's not do that. :thumbsup:

That is one software we are going to remove.
It was put there by malware and is a "rogue security app" itself.

OK..... I'm game. Let's go!

Don't run any of these applications I have you use from floppy, please. Copy them to the affected computer.
If you can't get them copied over to the hard drive, stop here and let me know.

1.) Download this file and save it to the desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Do nothing with it yet.


2.) Download this file and save it to your desktop.

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Disconnect from the internet!!
Preferably keep it offline till you get the fixes done and are ready to post all logs.

3.) Click start> run>Type:

%userprofile%\desktop\combofix.exe /killall%

Hit enter.

You will temporarily lose desktop while scan is running. Once scan is done desktop will return to normal.
You will be asked to reboot.
When finished, it shall produce a log for you. Post that log in your next reply:
C:\Combofix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Can you get to safe mode yet?
If you can get to safe mode....Boot to Safe mode (your account)
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum.

Please copy Hijackthis to a permanent location on the hard drive. C:\HJT\Hijackthis.exe is good
It cannot make backups running off the floppy.
Once HJT is moved... create a fresh log and post it here.

We'll have more work to do. Try & keep this computer offline as much as possible.

Thanks :flowers:

#5 mikegru (Topic Starter)

Posted 24 August 2007 - 05:09 PM

Ok, although the system would not allow me to copy HijackThis, I was able to copy SDFix and Combofix to the desktop (I'm copying from floppies). When I enter %userprofile%\desktop\combofix.exe /killall% into 'run' I get an error message "Windows cannot find 'C:Documents'. Make sure you typed the name correctly and try again". I was supposed to type EXACTLY as you said, including symbols, right?

You asked what happened when trying to get to safe mode: the system hangs with 'Safe Mode' written in the 4 corners, but no icons appear. I left it running overnight, and the screen was exactly the same the next morning.

#6 Blender (Malware Response Team)

Posted 25 August 2007 - 12:49 AM

Hi,

For HijackThis, rename the one on the floppy to, say, scanner.exe, then copy it to the hard drive.
Malware might be blocking "hijackthis.exe".

Let me test that combofix command I gave ya. I think I see my error.

#7 Blender (Malware Response Team)

Posted 25 August 2007 - 12:57 AM

Hi,

Yep. My error. Make sure combofix is on the desktop.

Type into the run box this:

"%userprofile%\desktop\combofix.exe" /killall

Make sure if you have other programs open like unsaved documents or whatever to save your work first.
ComboFix is going to task-kill every possible process so it doesn't take a long time to run and makes it easier to remove infections.

The hangups on safe mode are likely because of Vundo infection.

Let me know if Combofix still spits error.

Thanks :thumbsup:

#8 mikegru (Topic Starter)

Posted 27 August 2007 - 09:53 AM

The entry did work - thanks, however the Combofix screen doesn't react when I type "1" to continue. The disclaimer screen has been displayed for over an hour, and it doesn't seem to be working. I did not click the screen, however there are popups which do automatically appear - could they be interfering with Combofix?

#9 mikegru (Topic Starter)

Posted 27 August 2007 - 01:41 PM

I spoke too soon. I was able to run everything, and yes, I can now access Safe Mode. Here are the logs you requested:

ComboFix 07-08-17.2 - "Worldspan1" 2007-08-27 11:39:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.427 [GMT -4:00]
Command switches used :: /killall
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1.\DriveCleaner Free
C:\DOCUME~1\WORLDS~1\APPLIC~1.\DriveCleaner Free\Logs\update.log
C:\DOCUME~1\WORLDS~1\APPLIC~1.\microsoft\internet explorer\Desktop.htt
C:\DOCUME~1\WORLDS~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\WORLDS~1\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\WORLDS~1\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\DOCUME~1\WORLDS~1\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\WORLDS~1\APPLIC~1\..\err.log
C:\DOCUME~1\WORLDS~1\APPLIC~1\DriveCleaner Free\Logs\update.log
C:\DOCUME~1\WORLDS~1\APPLIC~1\Microsoft\20509.dat
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp2B.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp2C.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp2D.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp2E.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp3B.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp3C.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\WORLDS~1\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\WORLDS~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\WORLDS~1\Desktop\WinAntiSpyware 2007.lnk
C:\DOCUME~1\WORLDS~1\MYDOCU~1.\asks~1
C:\DOCUME~1\WORLDS~1\STARTM~1\Programs\Startup.\system.exe
C:\dup2.exe
C:\mydelm.bat
C:\Program Files\bravesentry
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\DriveCleaner Free
C:\Program Files\outerinfo
C:\Program Files\winantispyware 2007
C:\Program Files\winantispyware 2007\AsAgents.dll
C:\Program Files\WinAntiSpyware 2007\AsAgents.dll
C:\Program Files\winantispyware 2007\fopnl.dll
C:\Program Files\WinAntiSpyware 2007\fopnl.dll
C:\Program Files\WinAntiSpyware 2007\mfc71.dll
C:\Program Files\winantispyware 2007\mfc71.dll
C:\Program Files\winantispyware 2007\msvcp71.dll
C:\Program Files\WinAntiSpyware 2007\msvcp71.dll
C:\Program Files\WinAntiSpyware 2007\msvcr71.dll
C:\Program Files\winantispyware 2007\msvcr71.dll
C:\Program Files\WinAntiSpyware 2007\was7.exe
C:\Program Files\winantispyware 2007\was7.exe
C:\temp\0c2
C:\temp\0c2\tmpRC.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\WINDOWS\144.exe
C:\WINDOWS\ddaxut.dll
C:\WINDOWS\fijkmp.ini
C:\WINDOWS\iexplore.exe
C:\WINDOWS\mywinsys.ini
C:\WINDOWS\pmkjif.dll
C:\WINDOWS\s32.txt
C:\WINDOWS\server.exe
C:\WINDOWS\sstvut.ini
C:\WINDOWS\svchost.exe
C:\WINDOWS\system\svchest.exe
C:\WINDOWS\system\svchest.reg
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\AlxRes061230.exe
C:\WINDOWS\system32\aoqvsxgv.dll
C:\WINDOWS\system32\aspimgr(2).exe
C:\WINDOWS\system32\awvvtqp.dll
C:\WINDOWS\system32\axjvrgrc.dll
C:\WINDOWS\system32\aynjnmqf.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\bekrajco.dll
C:\WINDOWS\system32\bI5LF01u.exe
C:\WINDOWS\system32\biwgobuy.ini
C:\WINDOWS\system32\bkkackbh.ini
C:\WINDOWS\system32\bkkackbh.tmp
C:\WINDOWS\system32\bxhcxaqu.dll
C:\WINDOWS\system32\cbbafdqs.exe
C:\WINDOWS\system32\ccrniwuq.ini
C:\WINDOWS\system32\chkkyrow.exe
C:\WINDOWS\system32\crgrvjxa.ini
C:\WINDOWS\system32\dbmvbqgj.exe
C:\WINDOWS\system32\dn0425ccc1.dat
C:\WINDOWS\system32\dnoisuja.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\runtime2.sy_
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\System32\drivers\zlujaart.sys
C:\WINDOWS\system32\ecpnaokh.exe
C:\WINDOWS\system32\efccabc.dll
C:\WINDOWS\system32\elsnet.dll
C:\WINDOWS\system32\evbdevoh.exe
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.tmp
C:\WINDOWS\system32\fivfwbcp.exe
C:\WINDOWS\system32\fwfkkyeg.ini
C:\WINDOWS\system32\gebbaxx.dll
C:\WINDOWS\system32\geykkfwf.dll
C:\WINDOWS\system32\gmnyxlwp.dll
C:\WINDOWS\system32\hbkcakkb.dll
C:\WINDOWS\system32\hrum351.txt
C:\WINDOWS\system32\hrum455.txt
C:\WINDOWS\system32\hshwyoyx.ini
C:\WINDOWS\system32\ibgiyask.ini
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\ipv6monl.dll
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\jayovyyt.ini
C:\WINDOWS\system32\ksayigbi.dll
C:\WINDOWS\system32\ksl48.bin
C:\WINDOWS\system32\mjngdsqy.ini
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mywebhit.ini
C:\WINDOWS\system32\mywebhit.ini.tmp
C:\WINDOWS\system32\nllceueu.exe
C:\WINDOWS\system32\noeanoe.dll
C:\WINDOWS\system32\noeanoe.dll.bak
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\pwlxynmg.ini
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini2
C:\WINDOWS\system32\qqstv.tmp
C:\WINDOWS\system32\quwinrcc.dll
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\reginif_olive.exe
C:\WINDOWS\system32\reginig_unknown.exe
C:\WINDOWS\system32\reginix86f.dll
C:\WINDOWS\system32\reginix86g.dll
C:\WINDOWS\system32\reginix86g.exe
C:\WINDOWS\system32\rjevkpdx.dll
C:\WINDOWS\system32\rmekbelh.dll
C:\WINDOWS\system32\scrsys061230.scr
C:\WINDOWS\system32\scrsys16_061230.scr
C:\WINDOWS\system32\sixdiuii.exe
C:\WINDOWS\system32\tlmsryfb.dll
C:\WINDOWS\system32\tmp2E.tmp.dll
C:\WINDOWS\system32\tmpA.tmp.dll
C:\WINDOWS\system32\trxujkhu.exe
C:\WINDOWS\system32\tyyvoyaj.dll
C:\WINDOWS\system32\ueakqeem.exe
C:\WINDOWS\system32\uerouqlk.exe
C:\WINDOWS\system32\umwubbig.exe
C:\WINDOWS\system32\vgxsvqoa.ini
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\wefkfcha.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\winntify.exe
C:\WINDOWS\system32\winsys16_061230.dll
C:\WINDOWS\system32\winsys32_061230.dll
C:\WINDOWS\system32\xvwuvump.exe
C:\WINDOWS\system32\xydzyh.exe
C:\WINDOWS\system32\xyoywhsh.dll
C:\WINDOWS\system32\yjnggrmm.exe
C:\WINDOWS\system32\yqsdgnjm.dll
C:\WINDOWS\system32\yubogwib.dll
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\Tasks.\At10.job
C:\WINDOWS\Tasks.\At11.job
C:\WINDOWS\Tasks.\At12.job
C:\WINDOWS\Tasks.\At2.job
C:\WINDOWS\Tasks.\At3.job
C:\WINDOWS\Tasks.\At4.job
C:\WINDOWS\Tasks.\At5.job
C:\WINDOWS\Tasks.\At6.job
C:\WINDOWS\Tasks.\At7.job
C:\WINDOWS\Tasks.\At8.job
C:\WINDOWS\Tasks.\At9.job
C:\WINDOWS\tuvtss.dll
C:\WINDOWS\tuxadd.ini
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACTIVE_HELPASSISTANTS
-------\LEGACY_FOPN
-------\LEGACY_GDKFSBTW
-------\LEGACY_MTINEHLG
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_WINNOTIFY
-------\Active HelpAssistants
-------\ApiMon
-------\gdkfsbtw
-------\Indexingbox
-------\mtinehlg
-------\runtime
-------\Winnotify


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-27 10:49 30,288 --a------ C:\WINDOWS\system\svchests.exe
2007-08-27 09:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 17:33 8 --ah----- C:\WINDOWS\system\cnvwavg.dat
2007-08-23 17:33 8 --ah----- C:\WINDOWS\system\bnvwavg.dat
2007-08-23 17:32 18 --ah----- C:\WINDOWS\system\dsvwavg.dat
2007-08-23 17:23 8 --ah----- C:\WINDOWS\system\anvwavg.dat
2007-08-23 11:13 37,376 --a------ C:\WINDOWS\system32\vtr455.dll
2007-08-22 10:34 15,942 --a------ C:\svcovt.exe
2007-08-22 08:51 43,520 --a------ C:\WINDOWS\system32\oeceefqo.dll
2007-08-21 18:22 136 --a------ C:\WINDOWS\Delete.bat
2007-08-21 17:31 25,600 --a------ C:\WINDOWS\bdaecsc.exe
2007-08-21 17:29 <DIR> d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-08-05 18:09 3 --ah----- C:\WINDOWS\system\nusvwavg.dat
2007-08-03 08:53 1,146 --ah----- C:\WINDOWS\system\swavg.dat
2007-07-28 10:52 17,120 --a------ C:\WINDOWS\system32\ddcyabb.dll
2007-07-27 15:56 126,016 --a------ C:\WINDOWS\system32\ubwdrevi.dll
2007-07-27 11:16 1,368 --ahs---- C:\WINDOWS\system32\ahlhcrah.ini2
2007-07-27 11:15 126,016 --a------ C:\WINDOWS\system32\harchlha.dll
2007-07-27 10:38 126,016 --a------ C:\WINDOWS\system32\vvdiiaxl.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 09:05 125440 --a------ C:\WINDOWS\system32\nluelaqn.dll
2007-08-22 08:51 98304 --a------ C:\WINDOWS\system32\ktctzdfl.dll
2007-08-22 08:51 64512 --a------ C:\WINDOWS\system32\onbgwesy.dll
2007-08-22 08:51 44032 --a------ C:\WINDOWS\system32\ntzlgfoa.dll
2007-08-16 08:12 98816 --a------ C:\WINDOWS\system32\ktctzdfl(5).dll
2007-08-15 08:06 122368 --a------ C:\WINDOWS\system32\nluelaqn(5).dll
2007-08-14 07:59 64512 --a------ C:\WINDOWS\system32\onbgwesy(3).dll
2007-08-14 07:59 41472 --a------ C:\WINDOWS\system32\ntzlgfoa(3).dll
2007-08-13 07:51 41984 --a------ C:\WINDOWS\system32\ntzlgfoa(4).dll
2007-08-13 07:51 122368 --a------ C:\WINDOWS\system32\nluelaqn(6).dll
2007-08-08 09:48 751616 --a------ C:\WINDOWS\system32\imctphoe.dll
2007-08-08 09:48 64000 --a------ C:\WINDOWS\system32\onbgwesy(4).dll
2007-07-23 12:35 126016 --a------ C:\WINDOWS\system32\caxtiwxf.dll
2007-07-22 14:00 7680 --a------ C:\WINDOWS\veksox.exe
2007-07-21 18:12 593920 ---hs---- C:\WINDOWS\system\gvaw.dll
2007-07-21 17:31 1851 --a------ C:\WINDOWS\ipt.exe
2007-07-21 00:03 14208 --a------ C:\WINDOWS\system32\drivers\zlujaart(3).sys
2007-07-17 09:48 --------- d-------- C:\DOCUME~1\WORLDS~1\APPLIC~1\AdobeUM
2007-07-17 08:21 --------- d-------- C:\DOCUME~1\WORLDS~1\APPLIC~1\Sunbelt Software
2007-07-17 08:20 --------- d-------- C:\Program Files\Sunbelt Software
2007-07-17 08:08 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-16 23:59 216 --a------ C:\NTDETECT.EXE
2007-07-16 18:22 517120 --a------ C:\WINDOWS\system32\winlogon.exe
2007-07-16 18:17 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-07-16 18:17 147729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-07-16 18:04 --------- d-------- C:\Program Files\Yahoo!
2007-07-16 18:04 --------- d-------- C:\Program Files\Messenger
2007-07-16 18:04 --------- d-------- C:\Program Files\ibmhelp
2007-07-16 18:04 --------- d-------- C:\Program Files\Common Files\Scanner
2007-07-16 17:58 6 --a------ C:\WINDOWS\system32\tick48.bin
2007-07-16 16:20 517120 --a------ C:\WINDOWS\system32\winlogon(2).exe
2007-07-16 13:46 15872 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-16 13:39 --------- d-------- C:\Program Files\Lavasoft
2007-07-16 13:25 345 --ahs---- C:\WINDOWS\system32\ojkgxjeq.ini2
2007-07-14 03:29 62464 --a------ C:\WINDOWS\system32\onbgwesy(2).dll
2007-07-13 09:33 12416 --a------ C:\WINDOWS\system32\drivers\zlujaart(4).sys
2007-07-13 03:23 93696 --a------ C:\WINDOWS\system32\ktctzdfl(2).dll
2007-07-13 03:23 121856 --a------ C:\WINDOWS\system32\nluelaqn(2).dll
2007-07-12 11:48 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-12 11:16 4364 --a------ C:\WINDOWS\pchealth\HELPCTR\PackageStore\SkuStore.bin
2007-07-12 03:17 92672 --a------ C:\WINDOWS\system32\ktctzdfl(3).dll
2007-07-11 03:11 74752 --a------ C:\WINDOWS\system32\noeanoe(2).dll
2007-07-11 03:11 123392 --a------ C:\WINDOWS\system32\nluelaqn(3).dll
2007-07-10 03:11 684567 --a------ C:\WINDOWS\system32\libeay32(2).dll
2007-07-10 03:11 147729 --a------ C:\WINDOWS\system32\libssl32(2).dll
2007-07-10 03:05 92672 --a------ C:\WINDOWS\system32\ktctzdfl(4).dll
2007-07-10 03:05 751616 --a------ C:\WINDOWS\system32\imctphoe(2).dll
2007-07-10 03:05 74240 --a------ C:\WINDOWS\system32\noeanoe(3).dll
2007-07-10 03:05 41472 --a------ C:\WINDOWS\system32\ntzlgfoa(2).dll
2007-07-09 07:00 81920 --a------ C:\WINDOWS\system32\winntify(2).exe
2007-07-06 16:05 74752 --a------ C:\WINDOWS\system32\noeanoe(4).dll
2007-07-06 16:05 122880 --a------ C:\WINDOWS\system32\nluelaqn(4).dll
2007-07-05 16:00 75264 --a------ C:\WINDOWS\system32\noeanoe(5).dll
2007-07-03 10:12 73216 --a------ C:\WINDOWS\system32\noeanoe(6).dll
2007-07-03 10:12 53248 --a------ C:\WINDOWS\system32\mstscex.dll
2007-07-03 10:12 12416 --a------ C:\WINDOWS\system32\drivers\zlujaart(2).sys
2007-07-02 16:17 15942 --a------ C:\svcosvt.exe
2007-06-18 11:31 1856512 --a------ C:\DUP1.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
2007-07-21 18:12 593920 ---hs---- C:\WINDOWS\system\gvaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD545F94-15FB-4DBB-84D9-8EB18E7F9930}]
2007-08-22 08:51 64512 --a------ c:\windows\system32\onbgwesy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-03-27 00:28]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-27 00:20]
"PROMon.exe"="PROMon.exe" [2002-02-22 19:20 C:\WINDOWS\system32\PROMon.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-30 21:01]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 21:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-03 16:42]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" []
"veksox"="C:\WINDOWS\veksox.exe" [2007-07-22 14:00]
"clcl14"="C:\WINDOWS\System32\clcl14.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 03:41]
"Winpopup LAN Messenger"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"Fomine WinPopup"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
Worldspan Filter Agent.lnk - C:\wspan\swgw\FilterAgent.exe [2004-12-01 13:44:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"DisallowCpl"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KMHIEVKOlPs"= {0425CCC2-AE8F-6668-FE47-7B244BA8E933} - C:\WINDOWS\system32\ytbh.dll [2002-08-29 03:41 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AUWinLogon]
AUWinLogon.dll 2006-09-07 11:18 65536 C:\WINDOWS\system32\AUWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gvaw]
C:\WINDOWS\system\gvaw.dll 2007-07-21 18:12 593920 C:\WINDOWS\system\gvaw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCRecSA]
C:\PROGRA~1\XPOINT\PE\PCRECSA.EXE -noshow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xicon]
C:\PROGRA~1\XPOINT\agent\xicon.exe


*Newly Created Service* - GDKFSBTW
*Newly Created Service* - NMSCFG

Contents of the 'Scheduled Tasks' folder
2007-08-27 16:00:07 C:\WINDOWS\Tasks\At13.job
2007-08-26 17:01:07 C:\WINDOWS\Tasks\At14.job
2007-08-26 18:01:14 C:\WINDOWS\Tasks\At15.job
2007-08-26 19:01:14 C:\WINDOWS\Tasks\At16.job
2007-08-26 20:00:56 C:\WINDOWS\Tasks\At17.job
2007-08-26 21:01:02 C:\WINDOWS\Tasks\At18.job
2007-08-26 22:00:51 C:\WINDOWS\Tasks\At19.job
2007-08-26 23:01:04 C:\WINDOWS\Tasks\At20.job
2007-08-27 00:00:49 C:\WINDOWS\Tasks\At21.job
2007-08-27 01:00:55 C:\WINDOWS\Tasks\At22.job
2007-08-27 02:01:00 C:\WINDOWS\Tasks\At23.job
2007-08-27 03:00:52 C:\WINDOWS\Tasks\At24.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-27 12:26:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-27 12:28:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-27 12:28

--- E O F ---

----------------------------------



SDFix: Version 1.100

Run by Worldspan1 on Mon 08/27/2007 at 01:22 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Infected Winlogon.exe Found!

Winlogon File Locations:

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
C:\WINDOWS\system32\winlogon.exe

Modified Files Are Listed Below:

C:\WINDOWS\system32\winlogon.exe

Note: SDFix Does Not Repair This File!


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\14.TMP - Deleted
C:\svcosvt.exe - Deleted
C:\WINDOWS\system32\id_cost.dol - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\mstscex.dll - Deleted
C:\WINDOWS\system32\ps.dat - Deleted
C:\WINDOWS\system32\windows_log.txt - Deleted
C:\WINDOWS\tcb.pmw - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP927\A0092136.dll
C:\WINDOWS\system\gvaw.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP915\A0076227.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP915\A0077225.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP915\A0077242.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP916\A0078242.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP916\A0078259.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP916\A0078275.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP916\A0078286.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP917\A0079300.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP917\A0079313.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP917\A0079328.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP919\A0079355.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP919\A0079368.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP919\A0079387.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP920\A0079400.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP920\A0079411.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP920\A0079423.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP920\A0079444.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP920\A0079468.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP920\A0079482.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP921\A0080486.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP921\A0080499.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP921\A0080526.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP921\A0080534.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0080600.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0080620.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0080644.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0080665.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0081662.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0082663.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0083665.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0084663.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0085663.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0086664.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0087663.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0087685.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0087700.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0087714.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0087728.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP922\A0087739.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP923\A0088750.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP923\A0089742.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP923\A0090739.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP923\A0091780.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP924\A0092019.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP924\A0092033.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP924\A0092070.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP924\A0092085.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP924\A0092106.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP928\A0093174.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP928\A0093185.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP928\A0094190.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP928\A0096191.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP929\A0100191.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP930\A0101191.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP930\A0104192.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP934\A0107191.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP934\A0110217.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP939\A0118223.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP939\A0118230.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP939\A0128239.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP939\A0130237.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP940\A0135238.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP944\A0140245.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0141237.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0142238.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0143238.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0144238.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0144248.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0145245.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0146246.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP945\A0147250.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP946\A0148247.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP946\A0150250.exe
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP947\A0152250.exe
C:\WINDOWS\system32\ahlhcrah.tmp
C:\WINDOWS\system32\goljfrth.tmp
C:\WINDOWS\system32\goljfrth.tmp2
C:\WINDOWS\system32\ojkgxjeq.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished

_____________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:59 PM, on 8/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\veksox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\BOOKS\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [veksox] C:\WINDOWS\veksox.exe
O4 - HKLM\..\Run: [clcl14] C:\WINDOWS\System32\clcl14.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O15 - Trusted Zone: *.worldspan.com (HKLM)
O15 - Trusted Zone: *.wspan.com (HKLM)
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeuscruise.com/AutomaticUpdat...toUpdateATL.CAB
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us//DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp7589.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp7589.wspan.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp7589.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wsp7589.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wsp7589.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O21 - SSODL: KMHIEVKOlPs - {0425CCC2-AE8F-6668-FE47-7B244BA8E933} - C:\WINDOWS\system32\ytbh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)

--
End of file - 7589 bytes
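As an added example (not part of the thread), a small Python triage pass over the HijackThis line types that matter in the log above: O4 run entries whose target is a bare name or sits directly in the Windows directory, O16 DPF objects loaded over a non-web scheme, O17 resolver changes, O21 SSODL entries, and O23 services whose binary is missing. The sample lines are shortened copies of entries from the log; the set of expected DNS resolvers is an assumption passed in by the caller.

```python
"""Triage helper for HijackThis 2.0 logs (added example, not the thread's code)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Sample lines, copied in shortened form from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [veksox] C:\WINDOWS\veksox.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2662EB64-C8E1-4859-9ECA-DF3FD9993560}: NameServer = 194.54.90.226
O21 - SSODL: KMHIEVKOlPs - {0425CCC2-AE8F-6668-FE47-7B244BA8E933} - C:\WINDOWS\system32\ytbh.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable token of a Run value, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:"|\s|$)', re.I)
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}).* - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str, expected_dns: set[str]) -> list[Finding]:
    """Return one Finding per log line that deserves a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # 'Global Startup' .lnk lines are not handled here
            e = EXE_RE.match(m.group("cmd"))
            if not e:
                continue
            parent = ntpath.dirname(e.group("path")).rstrip("\\").lower()
            if parent == "":
                findings.append(Finding("O4", "bare file name resolved via PATH; confirm which copy runs", line))
            elif parent == r"c:\windows":
                findings.append(Finding("O4", "executable placed directly in the Windows directory", line))
        elif line.startswith("O16 - "):
            m = O16_RE.match(line)
            if m:
                scheme = m.group("url").split(":", 1)[0].lower()
                if scheme not in ("http", "https"):
                    findings.append(Finding("O16", f"DPF object loaded over non-web scheme '{scheme}'", line))
        elif line.startswith("O17 - "):
            m = O17_RE.match(line)
            if m:
                for server in re.split(r"[,\s]+", m.group("servers").strip()):
                    if server and server not in expected_dns:
                        findings.append(Finding("O17", f"resolver {server} is not in the expected set", line))
        elif line.startswith("O21 - SSODL:"):
            findings.append(Finding("O21", "shell service object auto-loaded by Explorer; verify the DLL", line))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(Finding("O23", "service registered but its binary is missing; orphaned entry", line))
    return findings


if __name__ == "__main__":
    # The expected resolver below is a constructed value for the demo.
    for f in triage(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```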

#10 mikegru (Topic Starter, Members, 156 posts)

Posted 28 August 2007 - 07:42 AM

Blender,

Are you still there? How bad do the logs look?

Mike

#11 Blender (Malware Response Team, 2,363 posts, Location: Ontario)
"I will eat your Malware"

Posted 29 August 2007 - 08:00 AM

Hi Mike,

Sorry for the delay. Storms in the area kept me off the computer.

I'm gonna need some time for some looking around & research.
You still have a lot of problems and at least one system file is "patched" (infected) and we need a safe method to replace it.
I'm quite surprised this thing boots.

Can you keep this thing offline? Right now it is a malware magnet and if we can keep it offline we have a better chance.
Do you have another computer you can use for transferring files/logs etc. nearby?

Also advise to backup what you can because with malware infections this bad it is not all too uncommon to lose the system.

Better delete Combofix too please. There is another version being worked on and this one should be deleted.

You have XP CD handy?
I wanna be able to get to recovery console.

gimme a few hours and I'll be back.
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#12 mikegru (Topic Starter, Members, 156 posts)

Posted 29 August 2007 - 08:18 AM

Thanks for your reply - I've been looking for you - hope you didn't experience any damage w/storms. I have some experience w/them too - I was in New Orleans the day before Katrina came, and thanks to Avis rent a car, was able to rent a car and drive back to Florida.

The computer's been offline ever since you suggested taking it down. There's not really anything I really need on the hard drive except the Worldspan system - it's not backed up, and Worldspan did not give me system disks. If at all possible, I would like to try to keep that program. I could probably get another copy, but it would likely be real expensive.

XP came pre-loaded, so I don't have the disks for it either, however I believe we may have an XP upgrade package at home if that might help.

Should I try to install Zone Alarm?

#13 Blender (Malware Response Team, 2,363 posts, Location: Ontario)
"I will eat your Malware"

Posted 29 August 2007 - 08:38 AM

Hi,

As long as it is offline I don't wanna install ZA yet.
No internet = no worries about anything getting in/out.
I'm kinda leery on doing big changes like adding a firewall till we need to and things are more stable.

This is one heck of a mess and we gotta be careful.

Check your PM in a few please.

As for T-storm damage... no, none here. (at least not in my immediate area)
I pull pretty much everything offline when it storms... I've been hit twice personally by lightning and a couple times lost computer equip. & TV, etc. I usually pretty much hide. lol

#14 mikegru (Topic Starter, Members, 156 posts)

Posted 04 September 2007 - 12:10 PM

Blender - I have the password, and am at C:\WINDOWS

#15 Blender (Malware Response Team, 2,363 posts, Location: Ontario)
"I will eat your Malware"

Posted 04 September 2007 - 12:49 PM

*note*

Some t-shooting was done in PM & by phone.

----------------------------

<<edit>>
Seeing you are now at the recovery console... might as well carry on with that.

Type the following commands and hit enter after each one:
Note where I have the spaces. Commands are not case sensitive but the spaces where indicated are important.

cd system32
ren winlogon.exe winlogon.exe.vir
copy c:\windows\ServicePackFiles\i386\winlogon.exe c:\windows\system32


You should get a "1 files copied" message.

Type exit and hit "enter" to exit the recovery console.

You will most likely need to change your boot config in the BIOS again to boot from the HDD.
Let it go to normal windows.

-------------------------------------

You will need either a USB pen drive or a CD-ROM to copy these files to for transfer to the affected computer.

You will need:

New Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

New SDFix:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Place ComboFix on the affected computer's desktop. (allow overwrite of the old one)
Right click combofix.exe> properties> and uncheck "read only" if it is checked.

Place SDFix on the desktop (allow overwrite of the old one)
Right click SDFix> properties> and uncheck "read only" if it is checked.

Right click CounterSpy by clock and shut it down.
Open AVG Antispyware and Click "change state" for Resident Shields if it is enabled.
Close AVG window and Exit AVG by right clicking it by the clock then choosing Exit.
Temporarily disable antivirus.
Exit any other non needed programs.

Double click ComboFix.exe and let it run.
Follow its prompts.
Don't run anything else while CF is running.
Don't click in CF window else the program might hang.

CF will most likely want to restart machine.

Once it has restarted and the log file is presented, you can close the log. I'll get it later.

Boot up to SAFE mode. (your account)
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Please post back here the following logs:

C:\ComboFix.txt
C:\SDFix\report.txt
New Hijackthis log
Let me know how the system is running.
Please don't connect it to the internet yet till I tell you it's OK.
I don't want internet for updating resident apps till we pull off some remaining junk that may pull down piles of new junk.
There will be more work to do.

Can you zip up the following folders please and upload them for me?

C:\Qoobox
C:\SDFix\Backups.zip

http://www.thespykiller.co.uk/index.php?board=1.0

Start yourself a new topic (use the username you use here please so I can find you)

Put in topic title "Request by Blender"
Put in the body of the message the link to our thread here.
Then press the browse button and navigate to & select the requested files.
Press Post to upload the files.

It is normal that you will not see the file you just posted, because only approved members can see them to download them.

Let me know here when you have posted.

Thanks :thumbsup:
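The recovery-console steps above (rename the live winlogon.exe to winlogon.exe.vir, then copy the ServicePackFiles\i386 copy into place), as an added Python example that is not Blender's code: it hashes the live copy against the service-pack reference first and only replaces it when they differ, keeping the suspect file under the .vir suffix as evidence. Paths are parameters, and run_scratch_demo() builds throwaway files so the logic can be exercised without touching a real system32; the $NtServicePackUninstall$ copy is the pre-SP version, so it is deliberately not used as the reference.

```python
"""Verify-then-replace for a patched system file (added example, not the thread's code)."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def live_copy_matches(live_path: str, reference_path: str) -> bool:
    """True when the in-use file is byte-identical to the cached reference."""
    return sha256_of(live_path) == sha256_of(reference_path)


def repair_if_patched(live_path: str, reference_path: str, suffix: str = ".vir") -> str:
    """Mirror 'ren winlogon.exe winlogon.exe.vir' + 'copy <reference> system32'.

    Returns "unchanged" when the live file already matches the reference,
    "replaced" after the rename + copy. Refuses to overwrite an existing
    backup so earlier evidence is never clobbered.
    """
    if live_copy_matches(live_path, reference_path):
        return "unchanged"
    backup = live_path + suffix
    if os.path.exists(backup):
        raise FileExistsError(f"{backup} already exists; refusing to overwrite evidence")
    os.rename(live_path, backup)
    shutil.copy2(reference_path, live_path)
    return "replaced"


def run_scratch_demo() -> dict:
    """Build a scratch layout with constructed file contents and run the repair."""
    d = tempfile.mkdtemp(prefix="winlogon-demo-")
    reference = os.path.join(d, "ServicePackFiles", "winlogon.exe")
    live = os.path.join(d, "system32", "winlogon.exe")
    os.makedirs(os.path.dirname(reference))
    os.makedirs(os.path.dirname(live))
    with open(reference, "wb") as f:
        f.write(b"MZ constructed good copy")      # stands in for the SP cache copy
    with open(live, "wb") as f:
        f.write(b"MZ constructed patched copy")   # stands in for the infected file
    result = {
        "before": live_copy_matches(live, reference),
        "first_run": repair_if_patched(live, reference),
        "after": live_copy_matches(live, reference),
        "backup_kept": os.path.exists(live + ".vir"),
        "second_run": repair_if_patched(live, reference),
    }
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    for k, v in run_scratch_demo().items():
        print(f"{k}: {v}")
```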

