Blender - Box #2


100 replies to this topic

#1 mikegru

Posted 14 September 2007 - 08:12 AM

Hi Blender,

Would you please take a look at this HijackThis and rootcheck log?

********************************* ROOTCHK-(22-08-07)-LOG, by ejvindh
Fri 09/14/2007 8:38:55.59

Driver Runtime (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver suhdlog.sys (visible) is present. Run SDFIX by AndyManchesta.

********************************* ROOTCHK-LOG-end


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 08:38:55
Windows 5.1.2600 Service Pack 1
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden files: 0

---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:19 AM, on 9/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [{5C-CC-CC-C1-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\owinpmdt.exe CHD003
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinpmdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp9309.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp9309.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp9309.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wsp9309.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wsp9309.wspan.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\~~install.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9309 bytes


#2 mikegru (Topic Starter)

Posted 14 September 2007 - 01:43 PM

Hi, the root check message said to run SDFix, so I ran it in safe mode, as you had me do earlier; however, there is a message on the blue screen that says "A subdirectory or file backupreg already exists."

There doesn't seem to be any movement, and I don't want to do anything else that might mess things up more.

Please advise - Thanks - Mike

#3 mikegru (Topic Starter)

Posted 14 September 2007 - 02:45 PM

Oops .... Never Mind! :thumbsup: SDFix just took a long time to run. It's complete now, and here is the log. No more popups or error messages so far. I'm working on the UBCD4Win, but likely won't be done until tomorrow.

Mike


SDFix: Version 1.104

Run by Worldspan1 on Fri 09/14/2007 at 02:46 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
runtime
smtpdrv
suhdlog.sys

ImagePath:
\??\C:\WINDOWS\System32\drivers\runtime.sys
System32\DRIVERS\smtpdrv.sys
\??\c:\suhdlog.sys

runtime - Deleted
smtpdrv - Deleted
suhdlog.sys - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\1D.TMP - Deleted
C:\Documents and Settings\Worldspan1\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\Documents and Settings\Worldspan1\Start Menu\Programs\Startup\Think-Adz.lnk - Deleted
C:\Program Files\Setup.exe - Deleted
C:\suhdlog.sys - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\3_exception.nls - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted


Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Worldspan1\NetHood\images on www.boyscouting.com\Desktop.ini
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Fav2h.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Fav2s.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Off23C.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Off23Ch.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Off23Cs.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro23Dh.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro23Ds.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro2h.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro2s.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro3h.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro3s.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro4.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro4h.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro4s.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro5h.tmp
C:\Documents and Settings\Worldspan1\Application Data\Microsoft\Office\Shortcut Bar\Pro5s.tmp
C:\Documents and Settings\Worldspan1\My Documents\~WRL0002.tmp
C:\Documents and Settings\Worldspan1\My Documents\~WRL0003.tmp
C:\Documents and Settings\Worldspan1\My Documents\~WRL0004.tmp
C:\Documents and Settings\Worldspan1\My Documents\~WRL1120.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\~WRL0004.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\~WRL1988.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\~WRL2298.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\~WRL2530.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\Meeting and PLC agenda\~WRL1702.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\Meeting and PLC agenda\~WRL2668.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\Meeting and PLC agenda\~WRL2686.tmp
C:\Documents and Settings\Worldspan1\My Documents\scout\Meeting and PLC agenda\~WRL3008.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished!

#4 Blender (Malware Response Team)

Posted 20 September 2007 - 03:06 AM

Hi Mike,

Sorry to leave you hanging like this.
I had some internet issues and was busy with work.

Can you post me a fresh Hijackthis log from this machine please?

I'd also like to see a startuplist log.
Start Hijackthis
Click "config"
Click "misc tools"
Check both options beside "generate startuplist log", then generate the log.
Say OK & post results.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert, can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#5 Blender (Malware Response Team)

Posted 20 September 2007 - 04:10 AM

Hi again Mike,

I'd like to run an online scan of this machine too.
Kaspersky preferred please.

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download, you may need to use the "zoom" tool at the bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

If the log is too big to copy/paste here or has personal info all over it please upload it here:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Thanks :thumbsup:

#6 mikegru (Topic Starter)

Posted 20 September 2007 - 07:44 AM

Hi again,
I ran SDFix as recommended by one of the other programs you sent me, and there are no more popups. There's probably more bad stuff here though. With the little surfing we do here, I didn't think we needed a firewall, but after these episodes, we're all getting firewalls after we're done. Here are the initial files you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:54 AM, on 9/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\hoyc6iyw.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\rnjkv6h4.exe
C:\WINDOWS\avp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\1lxooryu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{5C-CC-CC-C1-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MS_upd_38691.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp9141.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp9141.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp9141.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wsp9141.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wsp9141.wspan.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\~~install.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9141 bytes

------------------------------------

StartupList report, 9/20/2007, 8:39:00 AM
StartupList version: 1.52.2
Started from : C:\Hijack This\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\hoyc6iyw.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\rnjkv6h4.exe
C:\WINDOWS\avp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\1lxooryu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Worldspan1\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
Hpm.lnk = C:\wspan\swgw\Hpm.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
MS_upd_38691.exe
Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
Worldspan Filter Agent.lnk = swgw\FilterAgent.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
{5C-CC-CC-C1-ZN} = c:\windows\system32\dwdsrngt.exe CHD003
avp = C:\WINDOWS\avp.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Winpopup LAN Messenger = C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
Fomine WinPopup = C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
BookingBuilder GDS Interface = C:\WINDOWS\System32\LMGDSInt.EXE
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

LaunchMagic.com, Inc. - IECTRL2 - C:\WINDOWS\System32\LMIECTR2.dll - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/d/4...0367/wmavax.CAB

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

[{00000162-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/B...4B9/wma9dmo.cab

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[WSSystemInfo Class]
InProcServer32 = C:\wspan\GoRes\WSSystemInformation.dll
CODEBASE = http://go.worldspan.com/diagtool/WSSystemInformation.cab

[F-Secure Online Scanner 3.1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[SystemObject Class]
InProcServer32 = C:\WINDOWS\System32\LMUtils.dll
CODEBASE = http://www.bookingbuilder.com/files/LMUTILS.CAB

[{3253534D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/3...980/wms9dmo.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[{41564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/A...01F/wmvadvd.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1143230576984

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[WSFileIO Class 3]
InProcServer32 = C:\wspan\GoRes\wsfileio3.dll
CODEBASE = http://go.worldspan.com/Dlls/WSFileIO3.cab

[WSFileIO Class 2]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WSFileIO2.dll
CODEBASE = https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab

[BrowserConfig Class]
InProcServer32 = C:\wspan\GoRes\wsbrowserconfig.dll
CODEBASE = https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[FTPCtrl Class]
InProcServer32 = C:\wspan\GoRes\WSPANFTP.dll
CODEBASE = http://gopublic.wspan.com/secure/DLLs/wsftp.cab

[ToolCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ConnectivyTool.dll
CODEBASE = http://go.worldspan.com/diagtool/ConnectivityTool.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[WspGoCal Class]
InProcServer32 = C:\wspan\GoRes\WspanCal.dll
CODEBASE = http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ieatgpc.dll
CODEBASE = https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab

[Wsploadctrl Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSPLOA~1.OCX
CODEBASE = http://home.wspan.com/control/wfwload.cab

[WSFileIO Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WSFileIO.dll
CODEBASE = http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab

[{F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108}]
CODEBASE = https://gopublic.wspan.com/Secure/Dlls/WSClient.cab

[Microsoft Common Dialog Control, version 6.0]
InProcServer32 = C:\WINDOWS\System32\comdlg32.ocx
CODEBASE = https://gopublic.wspan.com/secure/dlls/Comdlg32.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\system32\drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
bkchrkzq: system32\drivers\lhheulnf.sys (system)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Eacfilt Miniport: System32\DRIVERS\eacfilt.sys (manual start)
IBM eGatherer Diagnostics: \??\C:\WINDOWS\System32\EGATHDRV.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Iomega Devices Disk Filter Services: System32\DRIVERS\iomdisk.sys (system)
Iomega Activity Disk2: "" (disabled)
Iomega App Services: "C:\PROGRA~1\Iomega\System32\AppServices.exe" (autostart)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
Nortel Extranet Access Protocol: System32\DRIVERS\ipsecw2k.sys (manual start)
Nortel IPSECSHM Adapter: System32\DRIVERS\ipsecw2k.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
MSSQLSERVER: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NIC Management Service Configuration Driver: \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS (manual start)
Intel® NMS: C:\WINDOWS\System32\NMSSvc.exe (autostart)
NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINDOWS\system32\drivers\PMEMNT.SYS (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (disabled)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Packet Capture Protocol v.0 (experimental): "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Schedule: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLSERVERAGENT: C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE -i MSSQLSERVER (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{96B5CDEE-CEAE-4BC3-8F89-732D72BBAB3D} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\WORLDS~1\LOCALS~1\Tempmbroit.exe||C:\DOCUME~1\WORLDS~1\LOCALS~1\Tempmbroit.exe||C:\Documents and Settings\Worldspan1\Start Menu\Programs\Startup\MSwin--2117338479.exe||C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Update_0707_KB77012.exe||C:\DOCUME~1\WORLDS~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\WORLDS~1\Cookies\index.dat||C:\DOCUME~1\WORLDS~1\LOCALS~1\History\History.IE5\index.dat||C:\Program Files\157693406.exe||C:\Program Files\168529765.exe||C:\Program Files\174022843.exe||C:\Program Files\174225500.exe||C:\Program Files\174277328.exe||c:\docume~1\worlds~1\locals~1\temp\glb10d0.tmp||c:\docume~1\worlds~1\locals~1\temp\glb10d5.tmp||C:\DOCUME~1\WORLDS~1\LOCALS~1\Tempmbroit.exe||C:\Program Files\235737250.exe||C:\Program Files\239416953.exe||C:\Program Files\239769859.exe||C:\Program Files\240374093.exe||C:\Program Files\258370312.exe


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,726 bytes
Report generated in 0.297 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#7 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:10:39 AM

Posted 20 September 2007 - 01:42 PM

Hey Tammy,

Here's the Kaspersky file:

KASPERSKY ONLINE SCANNER REPORT
Thursday, September 20, 2007 2:38:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 20/09/2007
Kaspersky Anti-Virus database records: 421175
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 63444
Number of viruses found: 12
Number of infected objects: 38
Number of suspicious objects: 5
Duration of the scan process: 02:08:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Worldspan1\Application Data\Fomine Software\Fomine WinPopup\History.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Worldspan1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Worldspan1\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Worldspan1\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Identities\{C171C7E7-6E73-471B-A344-011419206A52}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Identities\{C171C7E7-6E73-471B-A344-011419206A52}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Identities\{C171C7E7-6E73-471B-A344-011419206A52}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Identities\{C171C7E7-6E73-471B-A344-011419206A52}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Identities\{C171C7E7-6E73-471B-A344-011419206A52}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Temp\Perflib_Perfdata_5ec.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Temp\Perflib_Perfdata_7ac.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Temp\~DF9047.tmp Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Temp\~DFCCB8.tmp Object is locked skipped
C:\Documents and Settings\Worldspan1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\ntuser.dat Object is locked skipped
C:\Documents and Settings\Worldspan1\ntuser.dat.LOG Object is locked skipped
C:\Hijack This\backups\backup-20070618-155104-332 Suspicious: Exploit.HTML.Mht skipped
C:\Hijack This\backups\backup-20070618-155105-546 Suspicious: Exploit.HTML.Mht skipped
C:\Hijack This\hijackthis 6-14-07.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Hijackthis2\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Hijackthis2\hijackthisref.log Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\ucleaner_setup.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped
C:\SDFix\backups\backups.zip/backups/avp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/setup.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cji skipped
C:\SDFix\backups\backups.zip/backups/setup.exe Infected: Trojan-Downloader.Win32.Zlob.cji skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.mg skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP224\A0067364.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP231\A0067636.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP232\A0068640.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP238\A0069787.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.chd skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP238\A0069787.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP240\A0070245.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP240\A0070246.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP241\A0070300.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.chd skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP241\A0070300.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP244\A0070380.exe Infected: not-virus:Hoax.Win32.Renos.ka skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP244\A0070381.exe Infected: not-virus:Hoax.Win32.Renos.ka skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP244\A0070382.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP244\A0070385.dll Infected: Trojan-Downloader.Win32.Agent.dlf skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP245\A0070506.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cji skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP245\A0070506.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP245\A0070508.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP245\A0070512.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP245\A0070513.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cji skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP245\A0070513.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP247\A0071561.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP248\A0071590.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP250\A0071656.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP251\change.log Object is locked skipped
C:\VundoFix Backups\awtqn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\$NtUninstallQ307869$\guitrn.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\guitrn_a.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\migapp.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\migwiz_a.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\script.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\script_a.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\sysmod.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\sysmod_a.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\rdchost.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\sessmgr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\httpod51.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\ssinc51.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ310437$\ups.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311542$\pci.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ311542$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311542$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ318966$\spuninst\Q318966.log Object is locked skipped
C:\WINDOWS\1lxooryu.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\avp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\hoyc6iyw.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\qgpzxlnb.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\rnjkv6h4.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B0B53DFA-D8F5-43A4-832F-BAF28C3D1F2A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_70c.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\wrirtbm6.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

Scan process completed.

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:10:39 AM

Posted 20 September 2007 - 06:22 PM

Hi Mike,

Yes, 3rd party firewalls would benefit.
The outgoing protection is just as important as incoming, because if something slips past your AV protection you have a better chance to block its communications with the "mother ship" to go pick up all its friends.

Ok... still lots of work to do here. Hopefully Combofix takes care of most.

1. Download this file and save it to your desktop.

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Disconnect the machine from the internet.

2. Double click combofix.exe & follow the prompts.
You will temporarily lose desktop while scan is running. Once scan is done desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply:
C:\combofix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Once Combofix has produced the log you can re-connect to internet.

Post also a new hijackthis log please.

-------------------------------------

Then install this hosts file on the machine:

http://www.mvps.org/winhelp2002/hosts.htm <-- info page

If you download this file:

http://www.mvps.org/winhelp2002/hosts.zip

Unzip it to its own folder, then double click mvps.bat; it will do it all for you.
It renames your current hosts file and creates a new one.

If you notice your surfing slows to a dead crawl do this:

Click start> run> type services.msc and hit enter.
Scroll to DNS Client and double click it.
Change the "startup type" to Manual
Apply & OK changes.

Reboot.

Surfing should be much faster and a ton of junk sites will be blocked.
Purpose of this is to try & block a lot of the crap sites your computer is contacting for more malware.
A lot of sites will look kinda funny with blank spots where ads normally would be, but you will get used to it.

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
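The hosts file Blender recommends works by mapping ad and malware domains to an unroutable address, and the same file is what the Trojan.Win32.Qhost detection in the Kaspersky log above tampers with, so it is worth auditing after a cleanup. The following Python script is an added example, not part of the thread or of the MVPS tools; the PROTECTED_SUFFIXES allow-list and the sample hosts entries are constructed for illustration.

```python
"""Audit a Windows hosts file: block-list entries versus hijack entries.

Added example, not from the thread. A block list such as the MVPS hosts file
maps ad/malware domains to 0.0.0.0 or 127.0.0.1. A hosts-file hijacker does
two other things: it maps security/update domains to loopback so they cannot
be reached, or it redirects a domain to a routable address of its own.
"""
from __future__ import annotations

import ipaddress
import sys
from dataclasses import dataclass

# Sink addresses used by block lists; a name mapped here is unreachable.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Standard names that legitimately point at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed allow-list for the example: vendors and update hosts that must
# never be sunk (the scanners used in this thread plus Windows Update).
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "kaspersky.com", "grisoft.com",
    "f-secure.com", "symantec.com", "bitdefender.com", "pandasoftware.com",
    "mvps.org", "bleepingcomputer.com",
)


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    verdict: str   # ok | block | sunk-protected | redirect | malformed
    reason: str


def _is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify_entry(line_no: int, address: str, hostname: str) -> Finding:
    """Classify one address/hostname pair taken from a hosts file line."""
    host = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return Finding(line_no, address, hostname, "malformed", "address is not an IP")
    if host in LOCAL_NAMES:
        return Finding(line_no, address, hostname, "ok", "standard loopback name")
    if address in SINK_ADDRESSES:
        if _is_protected(host):
            return Finding(line_no, address, hostname, "sunk-protected",
                           "security/update domain made unreachable (Qhost-style)")
        return Finding(line_no, address, hostname, "block",
                       "block-list entry, domain made unreachable")
    return Finding(line_no, address, hostname, "redirect",
                   f"name redirected to {address}; verify this is intended")


def audit_hosts(text: str) -> list[Finding]:
    """Parse hosts-file text (CRLF or LF) and classify every name on every line."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        address, *hostnames = line.split()
        if not hostnames:
            findings.append(Finding(line_no, address, "", "malformed", "no hostname"))
            continue
        for hostname in hostnames:               # one line may list several names
            findings.append(classify_entry(line_no, address, hostname))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample: two block-list lines and three hijack-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# block-list style entries (constructed)
0.0.0.0 ad.example-adserver.test
0.0.0.0 tracker.example-malware.test  stats.example-malware.test
# hijack style entries (constructed)
127.0.0.1 www.kaspersky.com
127.0.0.1 update.microsoft.com
10.0.0.5 www.example-bank.test
"""

if __name__ == "__main__":
    # Default to the Windows hosts path the thread's instructions replace.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\System32\drivers\etc\hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        results = audit_hosts(fh.read())
    print(summarize(results))
    for f in results:
        if f.verdict in ("sunk-protected", "redirect", "malformed"):
            print(f"line {f.line_no}: {f.address} {f.hostname} -> {f.verdict}: {f.reason}")
```

Run it against the hosts file after mvps.bat has installed the new one: thousands of "block" entries are expected, while any "sunk-protected" or "redirect" line deserves a look before trusting the file.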

#9 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:10:39 AM

Posted 21 September 2007 - 06:37 AM

Good morning Tammy,
Here are the logs from Combofix and Hijackthis.

ComboFix 07-09-20.1 - "Worldspan1" 2007-09-21 7:10:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.209 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\WORLDS~1\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\WORLDS~1\LOCALS~1\APPLIC~1.\n.ini
C:\Program Files\Microsoft Security Adviser
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\f02WtR

.
((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-20 08:45 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-20 08:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-19 16:20 21,504 --a------ C:\WINDOWS\1lxooryu.exe
2007-09-17 15:56 21,504 --a------ C:\WINDOWS\rnjkv6h4.exe
2007-09-17 15:55 21,504 --a------ C:\WINDOWS\hoyc6iyw.exe
2007-09-15 14:03 21,504 --a------ C:\WINDOWS\qgpzxlnb.exe
2007-09-14 14:32 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-07 11:59 21,504 --a------ C:\WINDOWS\wrirtbm6.exe
2007-09-04 11:14 0 --a------ C:\winxplogon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 17:26 --------- d-------- C:\DOCUME~1\WORLDS~1\APPLIC~1\AdobeUM
2007-09-06 12:56 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-06 08:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 08:30 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-20 18:28 --------- d-------- C:\Program Files\WMR11
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2006-12-08 18:39 742 --a------ C:\Program Files\herqikcg.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 03:11]
"{5C-CC-CC-C1-ZN}"="c:\windows\system32\dwdsrngt.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 20:30]
"Winpopup LAN Messenger"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"Fomine WinPopup"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"BookingBuilder GDS Interface"="C:\WINDOWS\System32\LMGDSInt.EXE" [2006-11-20 15:48]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
BookingBuilder Desktop.lnk - C:\Program Files\BookingBuilder\BBDesktop.exe [2006-04-03 09:25:34]
Hpm.lnk - C:\wspan\swgw\Hpm.exe [2004-12-02 01:38:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
MS_upd_38691.exe [2007-09-17 16:10:24]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]
Worldspan Filter Agent.lnk - C:\wspan\swgw\FilterAgent.exe [2006-03-15 12:35:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoManageMyComputerVerb"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\~~install.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\System32\DRIVERS\iomdisk.sys
R2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\System32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S0 bkchrkzq;bkchrkzq;C:\WINDOWS\System32\drivers\lhheulnf.sys
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 07:14:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 7:15:05
C:\ComboFix-quarantined-files.txt ... 2007-09-21 07:14
C:\ComboFix2.txt ... 2007-06-14 17:53
C:\ComboFix3.txt ... 2006-06-30 18:58
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:48 AM, on 9/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\hoyc6iyw.exe
C:\WINDOWS\rnjkv6h4.exe
C:\WINDOWS\1lxooryu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\DivXCodecUpdateChecker.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{5C-CC-CC-C1-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MS_upd_38691.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp8942.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp8942.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp8942.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wsp8942.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wsp8942.wspan.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\~~install.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8942 bytes

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:10:39 AM

Posted 22 September 2007 - 12:00 PM

Hi Mike,

Can you create restore point?
Seems Combofix had an issue trying to create a restore point before it continued on.

OK... round II

Open notepad and copy/paste the text in the code box below into it:

File::

C:\WINDOWS\1lxooryu.exe
C:\WINDOWS\rnjkv6h4.exe
C:\WINDOWS\hoyc6iyw.exe
C:\WINDOWS\qgpzxlnb.exe
C:\WINDOWS\wrirtbm6.exe
C:\winxplogon.sys
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\MS_upd_38691.exe 

Suspect::

C:\Program Files\herqikcg.txt

Driver::

bkchrkzq

Rootkit::

C:\WINDOWS\System32\drivers\lhheulnf.sys

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{5C-CC-CC-C1-ZN}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"=-
"ForceClassicControlPanel"=-
"NoAutoUpdate"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"=-

Save this as CFScript.txt
Drag CFScript.txt on top of ComboFix.exe

like this:

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Post the new ComboFix.txt please.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#11 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 24 September 2007 - 08:38 AM

Hi Wendy - Yes, I can create a restore point - did so just now. Do you still want me to continue with the steps you described?

#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:10:39 AM

Posted 25 September 2007 - 03:27 PM

Hi Mike,

Sorry I didn't get back yesterday. Internet was acting up.

Yes please go ahead with above instructions.
Grab a new Combofix.exe though please to replace the other one.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Let me know if any troubles.

Thanks :thumbsup:

#13 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 25 September 2007 - 05:15 PM

Hey Blender,

OK, I ran your script, and a file was sent to BleepingComputer for review. Here is the ComboFix log you requested. Thanks,
Mike


ComboFix 07-09-21.2 - "Worldspan1" 2007-09-25 17:59:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.237 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\1lxooryu.exe
C:\WINDOWS\rnjkv6h4.exe
C:\WINDOWS\hoyc6iyw.exe
C:\WINDOWS\qgpzxlnb.exe
C:\WINDOWS\wrirtbm6.exe
C:\winxplogon.sys
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\MS_upd_38691.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Avenger
C:\winxplogon.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\bkchrkzq


((((((((((((((((((((((((( Files Created from 2007-08-25 to 2007-09-25 )))))))))))))))))))))))))))))))
.

2007-09-25 08:33 <DIR> d-------- C:\BBMSOLog
2007-09-25 08:32 454,656 --a------ C:\WINDOWS\system32\VistaDB20.dll
2007-09-25 08:32 348,160 --a------ C:\WINDOWS\system32\VistaDBCOM20.DLL
2007-09-21 07:38 <DIR> d-------- C:\Hosts
2007-09-20 08:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-14 14:32 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-25 14:47 --------- d-------- C:\DOCUME~1\WORLDS~1\APPLIC~1\AdobeUM
2007-09-25 08:32 --------- d-------- C:\Program Files\BookingBuilder
2007-09-25 08:32 --------- d-------- C:\DOCUME~1\WORLDS~1\APPLIC~1\BookingBuilder
2007-09-06 12:56 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-06 08:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 08:30 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-20 18:28 --------- d-------- C:\Program Files\WMR11
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2006-12-08 18:39 742 --a------ C:\Program Files\herqikcg.txt
.

((((((((((((((((((((((((((((( snapshot_2007-09-21_ 71432.45 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 278,528 2007-01-29 15:34:12 C:\WINDOWS\system32\duzactx.dll
----a-w 315,392 2007-01-29 15:34:12 C:\WINDOWS\system32\dzactx.dll
----a-w 150,528 2004-02-23 05:00:00 C:\WINDOWS\system32\TLBINF32.DLL
----a-w 667,936 2007-01-13 03:21:24 C:\WINDOWS\system32\wodHttp.dll
----a-w 262,144 2007-09-25 21:59:10 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-24 20:25:40 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-24 20:25:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-24 20:25:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 821,728 2007-09-22 07:11:00 C:\WINDOWS\system32\drivers\avg7core.sys
----atw 16,384 2007-09-25 22:06:28 C:\WINDOWS\Temp\Perflib_Perfdata_708.dat
.
----a-w 278,528 2005-03-19 20:37:26 C:\WINDOWS\system32\duzactx.dll
----a-w 311,296 2005-03-19 20:37:26 C:\WINDOWS\system32\dzactx.dll
----a-w 153,600 1998-06-18 05:00:00 C:\WINDOWS\system32\TLBINF32.DLL
----a-w 663,840 2006-10-24 04:12:24 C:\WINDOWS\system32\wodHttp.dll
----a-w 262,144 2007-09-21 11:08:58 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-17 12:41:29 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-17 12:41:29 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-17 12:41:29 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 821,600 2007-09-04 07:10:56 C:\WINDOWS\system32\drivers\avg7core.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 03:11]
"{5C-CC-CC-C1-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"BookingBuilder GDS Interface"="C:\Program Files\BookingBuilder\LMGDSInt.EXE" [2007-05-29 18:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 20:30]
"Winpopup LAN Messenger"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"Fomine WinPopup"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"BookingBuilder GDS Interface"="C:\Program Files\BookingBuilder\LMGDSInt.EXE" [2007-05-29 18:06]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
BookingBuilder Desktop.lnk - C:\Program Files\BookingBuilder\BBDesktop.exe [2006-04-03 09:25:34]
Hpm.lnk - C:\wspan\swgw\Hpm.exe [2004-12-02 01:38:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]
Worldspan Filter Agent.lnk - C:\wspan\swgw\FilterAgent.exe [2006-03-15 12:35:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoManageMyComputerVerb"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\WORLDS~1\LOCALS~1\Temp\~~install.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\System32\DRIVERS\iomdisk.sys
R2 BBComm;BookingBuilder Communication Service;C:\Program Files\BookingBuilder\BBComm.EXE
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\System32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys
S2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 18:07:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-25 18:10:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-25 18:10
C:\ComboFix2.txt ... 2007-09-21 07:15
C:\ComboFix3.txt ... 2007-06-14 17:53
.
--- E O F ---

#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:10:39 AM

Posted 26 September 2007 - 01:13 AM

Hi,

Looking much better.
I couldn't find the upload ComboFix did.

Can you zip up c:\qoobox and upload it to here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Please include link to this thread so I know where these files came from.

Once uploaded you can delete qoobox.zip.

What is in here?

C:\Hosts

Right click this file:

C:\Program Files\herqikcg.txt

open with.... notepad.
Anything in there you recognize?

If it's not personal/company info can you post its contents please.

Can you post a fresh hijackthis log please.
Also can you contact WorldSpan and ask if they set these restrictions:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoManageMyComputerVerb"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

Might be easier to email them with the above info.
Don't do anything with those keys yet. I'll write something to fix them if warranted.

Then let's get an online scan done please.

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as a .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Let me know how the system is running.

Thanks :thumbsup:

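The CFScript in post #10 and the policy values Blender asks about in this post both come down to the same job: reading ComboFix's "Reg Loading Points" section and deciding which values to act on. The following is an added example for this thread, not code from the original posts or from ComboFix itself. It parses a constructed excerpt of that section (copied from the log above), flags autostart entries whose target ComboFix printed with no file date, flags every non-zero value under a ...\policies\... key, and renders the CFScript Registry:: stanza that would delete the flagged values. The flagging rules, the POLICY_NOTES table and the function names are this example's own; reading an empty [] as "no file date found" is an interpretation of the log format, and which values actually get removed remains the analyst's call, as Blender says above.

```python
"""Triage of a ComboFix "Reg Loading Points" excerpt (added example)."""
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the "Reg Loading Points" section
# posted above. Raw string so the registry backslashes survive.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 03:11]
"{5C-CC-CC-C1-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"BookingBuilder GDS Interface"="C:\Program Files\BookingBuilder\LMGDSInt.EXE" [2007-05-29 18:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoManageMyComputerVerb"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="path" [timestamp]  -- an empty [] is read here as "no file date found"
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# "name"=1 (0x1)             -- DWORD policy value
DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# Policy values with a direct security effect (assumed table for this example);
# any other non-zero value under ...\policies\... is reported as a UI restriction.
POLICY_NOTES = {
    "DisableCAD": "logon no longer requires Ctrl+Alt+Del (secure attention sequence off)",
    "NoAutoUpdate": "Windows Automatic Updates disabled",
}


def parse_reg_loading_points(text):
    """Return OrderedDict: registry key -> list of parsed value dicts."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = []
            continue
        if current is None or not line:
            continue
        m = RUN_RE.match(line)
        if m:
            keys[current].append({"name": m.group("name"), "kind": "run",
                                  "path": m.group("path"), "stamp": m.group("stamp")})
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current].append({"name": m.group("name"), "kind": "dword",
                                  "value": int(m.group("dec"))})
    return keys


def flag_suspicious(keys):
    """Return (key, name, reason) triples an analyst should look at first."""
    findings = []
    for key, values in keys.items():
        is_policy = "\\policies\\" in key.lower()
        for v in values:
            if v["name"] == "@":          # the key's default value; empty is normal
                continue
            if v["kind"] == "run" and not v["stamp"]:
                findings.append((key, v["name"],
                                 "autostart target has no file date: " + v["path"]))
            elif v["kind"] == "dword" and is_policy and v["value"] != 0:
                findings.append((key, v["name"],
                                 POLICY_NOTES.get(v["name"], "non-default policy restriction")))
    return findings


def to_cfscript(findings):
    """Render the CFScript Registry:: stanza that deletes the flagged values."""
    by_key = OrderedDict()
    for key, name, _reason in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines += ["", "[%s]" % key] + ['"%s"=-' % n for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_reg_loading_points(SAMPLE_LOG))
    for key, name, reason in found:
        print("%-24s %s" % (name, reason))
    print()
    print(to_cfscript(found))
```

Run with python and it prints the findings followed by the stanza. Paste only the lines you have confirmed into CFScript.txt: every "name"=- line deletes that value outright, and a policy value that a vendor set on purpose (the WorldSpan question above) is not malware just because it is non-default.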
#15 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 26 September 2007 - 08:47 AM

Hi Blender,

Running OK, but this morning, every time I open an Excel file, the computer closes the program after a few minutes.

I've submitted the Qoobox.zip file to the link you requested. In the Hosts folder, there are 2 files: Hosts, a 622 KB file created 9/21/07 and modified 9/6/07, and mvps, a DOS batch file created 9/21/07 and modified 9/6/07.

herqikcg contains the following text:
Files to delete:
C:\WINDOWS\System32\z149.exe
C:\WINDOWS\sysvx_.exe
C:\WINDOWS\System32\nordsys.exe
C:\WINDOWS\System32\cmd32.exe
c:\windows\system32\mstds.exe
C:\WINDOWS\System32\dmrhm.exe
C:\WINDOWS\System32\taskdir.exe
C:\WINDOWS\System32\svch1p.dll
C:\WINDOWS\System32\rpcc.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe

Regarding the restrictions with the registry keys, Worldspan told me the restrictions were originally changed to protect certain areas from being changed by the user, as originally the hardware was owned by Worldspan. Now, with all hardware customer owned, these restrictions are not necessary, so Worldspan will work just fine with everything set to Windows default settings. He told me the only thing Worldspan would have changed was policy settings.

I will run kaspersky and post the results for you when it's finished.

Thanks
Mike

