
Popups, Malware, Slow Computer


This topic is locked
14 replies to this topic

#1 mikegru
  • Members
  • 156 posts

Posted 13 October 2008 - 09:00 AM

Good Day,
Having an awful time with this PC. Last a screen popped up saying I had a virus and asking me to click on the window to get software to disable the virus. Ran AVG and Spybot and at least the screen is gone, but computer runs very slow and will not access my hotmail account. Please take a look at my hijack this log, and if you have any suggestions to get me back running, I would be most grateful. Worldspan and Booking Builder are OK.

Thank you - Mike


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:34 AM, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Winpopup Server\WinpopupServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\LMGDSFNC.EXE
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LMGDSINT.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\system32\LMIECTR2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKLM\..\Run: [{c4ba7a11-f914-f6e7-77bc-b7f7649330aa}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\omrtwuarrdh.dll" DllStub
O4 - HKLM\..\Run: [0425cc6e] rundll32.exe "C:\WINDOWS\system32\psjpqcwj.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM0716fff2] Rundll32.exe "C:\WINDOWS\system32\nqfewafg.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O15 - Trusted Zone: *.worldspan.com
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: *.wspan.com
O15 - Trusted Zone: http://*.wspan.com
O15 - Trusted Zone: *.worldspan.com (HKLM)
O15 - Trusted Zone: http://*.worldspan.com (HKLM)
O15 - Trusted Zone: *.wspan.com (HKLM)
O15 - Trusted Zone: http://*.wspan.com (HKLM)
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207763034171
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - https://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trams.webex.com/client/v_mywebex-t2...ort/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go.wspan.com/secure/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp01001.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp01001.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp01001.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wsp01001.wspan.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Winpopup Server - Fomine Software - C:\Program Files\Winpopup Server\WinpopupServer.exe

--
End of file - 8180 bytes


#2 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 21 October 2008 - 07:17 PM

Hello, mikegru.
:) to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will no longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general purpose malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • ComboFix may ask to reboot the machine. If asked, DO NOT REBOOT THE MACHINE YOURSELF!! (Unless you enjoy installing windows :thumbsup: )
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 22 October 2008 - 08:45 AM

Are you saying that if Combofix asks to reboot the PC, I should not reboot? Will Combofix reboot itself automatically, or should I just ignore or cancel the reboot prompt? That statement is not clear to me.
Mike

#4 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 22 October 2008 - 10:36 AM

Hi - Here is the Combofix log.
Thanks
Mike

ComboFix 08-10-21.04 - Worldspan1 2008-10-22 10:01:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.225 [GMT -4:00]
Running from: C:\Documents and Settings\Worldspan1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM0716fff2.txt
C:\WINDOWS\BM0716fff2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jwcqpjsp.ini2
C:\WINDOWS\system32\jwcqpjsp.tmp
C:\WINDOWS\system32\psjpqcwj.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
.

2008-09-24 11:02 . 2008-09-24 11:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-24 11:02 . 2008-09-24 11:02 <DIR> d-------- C:\Documents and Settings\Worldspan1\Application Data\SUPERAntiSpyware.com
2008-09-24 11:02 . 2008-09-24 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-24 11:01 . 2008-09-24 11:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-24 09:55 . 2008-09-24 09:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-24 09:44 . 2008-09-24 13:44 <DIR> d-------- C:\Hijackthis
2008-09-24 09:22 . 2008-10-22 05:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-24 09:13 . 2008-09-24 09:13 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-24 09:13 . 2008-09-24 09:13 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-24 09:13 . 2008-09-24 09:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-24 09:12 . 2008-10-22 08:59 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-24 09:12 . 2008-09-24 09:12 <DIR> d-------- C:\Program Files\AVG
2008-09-24 09:12 . 2008-09-24 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-24 09:08 . 2008-09-24 09:13 8,192 --a------ C:\Documents and Settings\RESAGE~3
2008-09-24 09:08 . 2008-09-24 09:13 8,192 --a------ C:\Documents and Settings\ADMIN~3.WKX
2008-09-23 18:33 . 2008-09-23 18:34 243 --a------ C:\WINDOWS\wininit.ini
2008-09-23 17:32 . 2008-09-23 17:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-23 17:32 . 2008-09-23 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-23 17:19 . 2008-09-23 17:19 262,144 --a------ C:\Documents and Settings\RESAGE~2
2008-09-23 17:19 . 2008-09-23 17:19 262,144 --a------ C:\Documents and Settings\ADMIN~2.WKX
2008-09-23 17:12 . 2008-09-23 17:15 262,144 --a------ C:\Documents and Settings\RESAGE~1
2008-09-23 17:12 . 2008-09-23 17:15 262,144 --a------ C:\Documents and Settings\ADMIN~1.WKX
2008-09-23 16:55 . 2008-09-24 10:05 <DIR> d-------- C:\Program Files\Twain
2008-09-23 16:43 . 2008-09-23 16:43 71,711 --a------ C:\WINDOWS\system32\avemomexbt.exe
2008-09-23 16:42 . 2008-09-25 04:44 <DIR> d-------- C:\WINDOWS\system32\mC19
2008-09-23 16:42 . 2008-09-24 12:19 <DIR> d-------- C:\WINDOWS\system32\ip5
2008-09-23 16:42 . 2008-09-24 12:19 <DIR> d-------- C:\WINDOWS\system32\ep
2008-09-23 16:42 . 2008-09-23 16:42 <DIR> d-------- C:\WINDOWS\system32\dnf
2008-09-23 16:42 . 2008-09-24 12:19 <DIR> d-------- C:\WINDOWS\system32\aES
2008-09-23 16:42 . 2008-09-23 16:42 <DIR> d-------- C:\Temp\mtc2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( snapshot@2008-09-24_10.26.38.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 15:02:20 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-24 15:02:20 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Fomine WinPopup"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 1051136]
"Winpopup LAN Messenger"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 1051136]
"BookingBuilder GDS Interface"="C:\WINDOWS\System32\LMGDSInt.EXE" [2006-08-31 454656]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-03-27 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-27 106496]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-30 81920]
"BookingBuilder GDS Interface"="C:\WINDOWS\System32\LMGDSInt.EXE" [2006-08-31 454656]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"PROMon.exe"="PROMon.exe" [2002-02-22 C:\WINDOWS\system32\PROMon.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BookingBuilder Desktop.lnk - C:\Program Files\BookingBuilder\BBDesktop.exe [2006-04-13 2240512]
Hpm.lnk - C:\wspan\swgw\Hpm.exe [2004-12-01 172032]
Worldspan Filter Agent.lnk - C:\wspan\swgw\FilterAgent.exe [2006-03-15 127035]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"DisableWindowsUpdateAccess"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-24 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-24 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-24 76040]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-04-04 11113]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 149952]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 149952]

*Newly Created Service* - NMSCFG
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-{c4ba7a11-f914-f6e7-77bc-b7f7649330aa} - C:\WINDOWS\system32\omrtwuarrdh.dll
HKLM-Run-0425cc6e - C:\WINDOWS\system32\psjpqcwj.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://home.wspan.com
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKCU-Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
R0 -: HKLM-Main,Default_Page_URL = hxxp://home.wspan.com
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O9 -: {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 -: {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe -
O15 -: Trusted Zone: *.worldspan.com
O15 -: Trusted Zone: *.wspan.com
O15 -: Trusted Zone: *.worldspan.com
O15 -: Trusted Zone: *.wspan.com

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {03DF0933-6E10-4D32-9835-B9A815622831} - hxxps://gopublic.wspan.com/secure/DLLs/WSSystemInformation.cab
C:\WINDOWS\Downloaded Program Files\WSSystemInformation.inf
C:\WINDOWS\Downloaded Program Files\WSSystemInformation.dll

O16 -: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} - hxxp://www.bookingbuilder.com/files/LMUTILS.CAB
C:\WINDOWS\Downloaded Program Files\LMUTILS.INF
C:\WINDOWS\Downloaded Program Files\LMUTILS.dll

O16 -: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} - hxxps://go.worldspan.com/Dlls/WSFileIO3.cab
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\wsfileio3.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WSMap.vbs
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WSFileIO3.dll

O16 -: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} - hxxps://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
C:\WINDOWS\Downloaded Program Files\wsbrowserconfig.inf
C:\WINDOWS\Downloaded Program Files\WSBrowserConfig.dll

O16 -: {D4233B6D-88A0-11D3-BC29-400011500032} - hxxp://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
C:\WINDOWS\Downloaded Program Files\wspancal.inf
C:\WINDOWS\Downloaded Program Files\wspancal.dll

O16 -: {E474D8A6-9BAF-11D1-9C74-400011900013} - hxxp://home.wspan.com/control/wfwload.cab
C:\WINDOWS\Downloaded Program Files\wfwload.inf
C:\WINDOWS\Downloaded Program Files\wsploadctrl.ocx

O16 -: {E99BF99C-5D95-11D4-A0EC-00500489A32D} - hxxps://go.wspan.com/secure/DLLs/WSFileIO.cab
C:\WINDOWS\Downloaded Program Files\wsfileio.inf
C:\WINDOWS\Downloaded Program Files\WSMap.vbs
C:\WINDOWS\Downloaded Program Files\WSFileIO.dll

O16 -: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - hxxps://gopublic.wspan.com/Secure/Dlls/WSClient.cab
C:\WINDOWS\Downloaded Program Files\WSClient.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 10:05:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\NMSSvc.Exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-22 10:15:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-22 14:14:50
ComboFix2.txt 2008-09-24 14:28:10

Pre-Run: 15,020,474,368 bytes free
Post-Run: 15,168,950,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

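The indicators a helper reads out of the two logs above (post #1's HijackThis log and the "Reg Loading Points" section of the ComboFix log in post #4) can be checked mechanically. The script below is an added example, not a HijackThis, ComboFix or BleepingComputer tool: it runs a few triage rules over lines copied from those logs (orphaned "(file missing)" load points, Run values named with a bare GUID or hex string, rundll32 loading a random-looking DLL from system32, and policy values that switch off the firewall or Automatic Updates). The `looks_random` thresholds, the `WEAKENED_SETTINGS` table and all function names are this example's own assumptions, and the sample lines are a constructed excerpt of the posted logs.

```python
"""Triage helper for HijackThis / ComboFix text logs.

Added example: not a HijackThis, ComboFix or BleepingComputer tool. The
rules are an editor's heuristics; the sample lines are copied from the
logs posted in this thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log (post #1) and the
# ComboFix "Reg Loading Points" section (post #4) of this thread.
SAMPLE_LOG = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [{c4ba7a11-f914-f6e7-77bc-b7f7649330aa}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\omrtwuarrdh.dll" DllStub
O4 - HKLM\..\Run: [0425cc6e] rundll32.exe "C:\WINDOWS\system32\psjpqcwj.dll",b
O4 - HKLM\..\Run: [BM0716fff2] Rundll32.exe "C:\WINDOWS\system32\nqfewafg.dll",s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"EnableFirewall"= 0 (0x0)
"NoAutoUpdate"= 1 (0x1)
"DisableCAD"= 1 (0x1)
"""


@dataclass
class Finding:
    line: str
    reasons: list


VOWELS = set("aeiouy")

# Run value names that are a bare GUID or hex string instead of a product name.
AUTOGEN_NAME = re.compile(r"\{?[0-9a-f-]{8,}\}?", re.I)
# HijackThis "O4 - HKLM\..\Run: [Name] command line" entries.
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 followed by an (optionally quoted) DLL path.
RUNDLL32_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)', re.I)
# ComboFix policy lines of the form "Name"= 1 (0x1).
POLICY_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)')

# Assumed table: setting name -> (value that weakens the host, explanation).
WEAKENED_SETTINGS = {
    "EnableFirewall": ("0", "Windows Firewall disabled in the standard profile"),
    "NoAutoUpdate": ("1", "Automatic Updates disabled by policy"),
    "DisableWindowsUpdateAccess": ("1", "Windows Update access blocked by policy"),
    "DisallowCpl": ("1", "Control Panel applets blocked by policy"),
}


def looks_random(stem: str) -> bool:
    """Crude heuristic for generated file names: few vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    runs = re.findall(r"[^aeiouy]+", letters) or [""]
    return vowel_ratio < 0.3 or max(len(r) for r in runs) >= 4


def triage(log_text: str) -> list:
    """Return a Finding for every log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if "(file missing)" in line:
            reasons.append("entry points at a file that no longer exists (orphaned load point)")
        run = RUN_ENTRY.match(line)
        if run:
            if AUTOGEN_NAME.fullmatch(run.group("name")):
                reasons.append("Run value name is a bare GUID/hex string, not a product name")
            target = RUNDLL32_TARGET.search(run.group("cmd"))
            if target:
                base = target.group("dll").rsplit("\\", 1)[-1]
                if looks_random(base[:-4]):
                    reasons.append(f"rundll32 loads random-looking DLL {base}")
        policy = POLICY_VALUE.match(line)
        if policy and policy.group("name") in WEAKENED_SETTINGS:
            bad_value, why = WEAKENED_SETTINGS[policy.group("name")]
            if policy.group("value") == bad_value:
                reasons.append(why)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line[:72])
        for reason in finding.reasons:
            print("   ->", reason)
```

On the sample it flags six lines: the missing AVG toolbar DLL, the three rundll32 entries (two of them also for their GUID/hex value names), and the two policy values that turn off the firewall and Automatic Updates, while the legitimate IgfxTray and AVG8_TRAY entries pass. A name heuristic like this is a prompt for a human to verify the file's publisher, not a verdict; legitimate drivers with short vowel-poor names will trip it too.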

#5 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 22 October 2008 - 06:40 PM

Hello, mikegru.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    C:\WINDOWS\system32\avemomexbt.exe
    folder::
    C:\WINDOWS\system32\mC19
    C:\WINDOWS\system32\ip5
    C:\WINDOWS\system32\ep
    C:\WINDOWS\system32\dnf
    C:\WINDOWS\system32\aES
    C:\Temp\mtc2
    registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    [-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    [-HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 23 October 2008 - 11:12 AM

Hi Billy, Shut down everything I could find and re-ran Combofix using the script you wrote. Combofix log follows:

ComboFix 08-10-21.04 - Worldspan1 2008-10-23 11:10:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.364 [GMT -4:00]
Running from: C:\Documents and Settings\Worldspan1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Worldspan1\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\avemomexbt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\mtc2
C:\Temp\mtc2\h5v.log
C:\WINDOWS\system32\aES
C:\WINDOWS\system32\avemomexbt.exe
C:\WINDOWS\system32\dnf
C:\WINDOWS\system32\dnf\LGI34O49.exe
C:\WINDOWS\system32\ep
C:\WINDOWS\system32\ip5
C:\WINDOWS\system32\mC19

.
((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.

2008-09-24 11:02 . 2008-10-23 10:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-24 11:02 . 2008-10-23 10:55 <DIR> d-------- C:\Documents and Settings\Worldspan1\Application Data\SUPERAntiSpyware.com
2008-09-24 11:02 . 2008-09-24 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-24 09:55 . 2008-09-24 09:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-24 09:44 . 2008-09-24 13:44 <DIR> d-------- C:\Hijackthis
2008-09-24 09:22 . 2008-10-23 04:20 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-24 09:13 . 2008-09-24 09:13 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-24 09:13 . 2008-09-24 09:13 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-24 09:13 . 2008-09-24 09:13 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-24 09:12 . 2008-10-22 08:59 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-24 09:12 . 2008-09-24 09:12 <DIR> d-------- C:\Program Files\AVG
2008-09-24 09:12 . 2008-09-24 09:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-24 09:08 . 2008-09-24 09:13 8,192 --a------ C:\Documents and Settings\RESAGE~3
2008-09-24 09:08 . 2008-09-24 09:13 8,192 --a------ C:\Documents and Settings\ADMIN~3.WKX
2008-09-23 18:33 . 2008-09-23 18:34 243 --a------ C:\WINDOWS\wininit.ini
2008-09-23 17:32 . 2008-09-23 17:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-23 17:32 . 2008-10-23 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-23 17:19 . 2008-09-23 17:19 262,144 --a------ C:\Documents and Settings\RESAGE~2
2008-09-23 17:19 . 2008-09-23 17:19 262,144 --a------ C:\Documents and Settings\ADMIN~2.WKX
2008-09-23 17:12 . 2008-09-23 17:15 262,144 --a------ C:\Documents and Settings\RESAGE~1
2008-09-23 17:12 . 2008-09-23 17:15 262,144 --a------ C:\Documents and Settings\ADMIN~1.WKX
2008-09-23 16:55 . 2008-09-24 10:05 <DIR> d-------- C:\Program Files\Twain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Fomine WinPopup"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 1051136]
"Winpopup LAN Messenger"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 1051136]
"BookingBuilder GDS Interface"="C:\WINDOWS\System32\LMGDSInt.EXE" [2006-08-31 454656]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-03-27 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-27 106496]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-01-30 81920]
"BookingBuilder GDS Interface"="C:\WINDOWS\System32\LMGDSInt.EXE" [2006-08-31 454656]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"PROMon.exe"="PROMon.exe" [2002-02-22 C:\WINDOWS\system32\PROMon.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BookingBuilder Desktop.lnk - C:\Program Files\BookingBuilder\BBDesktop.exe [2006-04-13 2240512]
Hpm.lnk - C:\wspan\swgw\Hpm.exe [2004-12-01 172032]
Worldspan Filter Agent.lnk - C:\wspan\swgw\FilterAgent.exe [2006-03-15 127035]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-24 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-24 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-24 76040]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-04-04 11113]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 149952]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 149952]

*Newly Created Service* - NMSCFG
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 11:12:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-10-23 11:15:31
ComboFix-quarantined-files.txt 2008-10-23 15:14:41
ComboFix2.txt 2008-10-22 14:15:05
ComboFix3.txt 2008-09-24 14:28:10

Pre-Run: 15,301,160,960 bytes free
Post-Run: 15,295,156,224 bytes free

111

#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 23 October 2008 - 01:53 PM

Hello, mikegru.
That looks a lot better. How are things running?

We need to perform operations on your registry.
  • Please open Notepad by opening a run prompt and typing in "notepad" and pressing enter, or navigating to Start -> Accessories -> Notepad.
  • Copy the text in the codebox below by selecting all of it and going to Edit -> Copy, or by pressing <Control> + C.
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\dllhost.exe"=-
  • Return to notepad and paste the text in by going to Edit -> Paste or pressing <Control>+V.
  • Save the file to your desktop as "fix.reg" (including quotes)
    Note: You must include the quotes!
  • Double click the "fix.reg" file we created earlier on your desktop.
  • Accept (Press Yes) to any prompts you receive.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
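An added example, not part of this thread and not ComboFix's or the helper's own code: it reads the firewall-policy section of a ComboFix "Reg Loading Points" report (the same shape as the section quoted in the log above), reports a disabled firewall and any exception granted to a Windows host process, and emits the same style of fix.reg that Billy posted. The point worth knowing about the fix is the trailing `=-`: in a REGEDIT4 file a value name set to a bare minus tells regedit to delete that value rather than set it. The sample section is constructed; the list of host-process names to flag is my assumption (dllhost.exe is the one removed in this thread).

```python
"""Added example, not from the thread: triage the firewall-policy section of a
ComboFix "Reg Loading Points" report and build the same style of fix.reg the
helper posted. In a .reg file, "name"=- (a bare minus) deletes that value."""
import re
from typing import Dict, List, Tuple

# ComboFix abbreviates the key; the fix.reg needs the full path.
ABBREV_PREFIX = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
FULL_PREFIX = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"
               r"\sharedaccess\parameters\firewallpolicy")
APPS_KEY = r"\standardprofile\AuthorizedApplications\List"

# Windows host processes that should not carry a firewall exception of their own.
# Assumed list: dllhost.exe is the entry the helper removed in this thread.
SUSPECT_EXCEPTIONS = {"dllhost.exe", "svchost.exe", "rundll32.exe"}

# Constructed sample, shaped like the section quoted earlier in the thread.
SAMPLE_REPORT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_reg_sections(report: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header to its "name"=data lines (data may be empty)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group("key")
            sections.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group("name")] = value.group("data").strip()
    return sections


def triage_firewall(sections: Dict[str, Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (human-readable findings, value names to delete from the exception list)."""
    findings: List[str] = []
    to_delete: List[str] = []
    profile = sections.get(ABBREV_PREFIX + r"\standardprofile", {})
    if profile.get("EnableFirewall", "").startswith("0"):
        findings.append("Windows Firewall is off for the standard profile (EnableFirewall = 0)")
    for name in sections.get(ABBREV_PREFIX + APPS_KEY, {}):
        path = name.replace("\\\\", "\\")          # undo .reg backslash doubling
        if path.rsplit("\\", 1)[-1].lower() in SUSPECT_EXCEPTIONS:
            findings.append(f"firewall exception for a Windows host process: {path}")
            to_delete.append(name)
    return findings, to_delete


def build_fix_reg(value_names: List[str]) -> str:
    """Emit a REGEDIT4 file that deletes the given values from the exception list."""
    lines = ["REGEDIT4", "", "[" + FULL_PREFIX + APPS_KEY + "]"]
    lines += [f'"{name}"=-' for name in value_names]   # "=-" means delete this value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, names = triage_firewall(parse_reg_sections(SAMPLE_REPORT))
    print("\n".join(found))
    print(build_fix_reg(names))
```

Run it as a script and it prints two findings (firewall off, dllhost.exe exception) followed by a fix.reg that deletes only the dllhost.exe entry and leaves the AVG entries alone. The AVG updater and e-mail scanner legitimately need their exceptions; a system host process does not, which is why only that one is removed.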

#8 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 24 October 2008 - 07:55 AM

Thanks Billy, Still running slow, but at least I can get into hotmail now. Here's the log you requested:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3550 (20081023)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=53828197c917fb4f954ef93e859081c6
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-23 11:00:53
# local_time=2008-10-23 07:00:53 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=202162
# found=5
# scan_time=2091
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\dnf\LGI34O49.exe.vir a variant of Win32/Adware.GooochiBiz application (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\dnf\LGI34O49.exe.vir »NSIS »ư©€ a variant of Win32/Adware.GooochiBiz application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP1384\A0064007.exe a variant of Win32/Adware.GooochiBiz application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP1384\A0064007.exe »NSIS »ư©€ a variant of Win32/Adware.GooochiBiz application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#9 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 24 October 2008 - 09:35 PM

Hello, mikegru.
You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • A New HiJack This log

Billy3

#10 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 27 October 2008 - 01:43 PM

Thanks Billy - seems to be running better now. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:34 PM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\LMGDSFNC.EXE
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\system32\LMGDSINT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\system32\LMIECTR2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O15 - Trusted Zone: *.worldspan.com
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: *.wspan.com
O15 - Trusted Zone: http://*.wspan.com
O15 - Trusted Zone: *.worldspan.com (HKLM)
O15 - Trusted Zone: http://*.worldspan.com (HKLM)
O15 - Trusted Zone: *.wspan.com (HKLM)
O15 - Trusted Zone: http://*.wspan.com (HKLM)
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207763034171
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - https://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trams.webex.com/client/v_mywebex-t2...ort/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go.wspan.com/secure/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp01001.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wsp01001.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsp01001.wspan.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

--
End of file - 7851 bytes
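An added example, not part of this thread and not HijackThis's own code: a small triage pass over lines shaped like the HijackThis log above. It does not decide good or bad by itself; it collects the entry types a helper reads first: O2/O3 entries whose DLL is marked "(file missing)" (dead references left behind by an uninstall, such as the AVG toolbar entries above), O4 Run entries that name a bare executable with no directory (resolved by PATH search, so worth confirming where the file actually lives, as the PROMon.exe entry is), O15 Trusted Zone domains (sites that IE treats with relaxed security, which is why Billy asks about worldspan.com in the next reply), O16 ActiveX download hosts, and O17 domain settings. The sample lines are constructed from the shape of the log above, and the triage rules are my assumptions.

```python
"""Added example, not from the thread: group HijackThis v2.0.2 log lines by
section and surface the entries a helper reviews first."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlparse

_LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Constructed sample: a handful of lines in the shape of the log above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.worldspan.com
O15 - Trusted Zone: http://*.wspan.com (HKLM)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsp01001.wspan.com
"""


def parse_hjt(log: str) -> Dict[str, List[str]]:
    """Group log lines by their section tag (R0, O2, O4, ...)."""
    entries: Dict[str, List[str]] = defaultdict(list)
    for raw in log.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            entries[m.group("sec")].append(m.group("body"))
    return entries


def _zone_domain(body: str) -> str:
    """'Trusted Zone: http://*.wspan.com (HKLM)' -> 'wspan.com'."""
    target = body.split("Trusted Zone:", 1)[1].replace("(HKLM)", "").strip()
    return re.sub(r"^https?://", "", target).lstrip("*.")


def triage_hjt(entries: Dict[str, List[str]]) -> Dict[str, object]:
    """Collect the entry types a helper reads first; returns plain containers."""
    report: Dict[str, object] = {
        "file_missing": [],    # O2/O3 whose DLL is gone: dead reference, remove
        "bare_run": [],        # O4 target without a directory: found via PATH search
        "trusted_zones": set(),  # O15: sites IE runs with relaxed security; owner confirms
        "dpf_hosts": set(),    # O16: where ActiveX controls were downloaded from
        "domains": set(),      # O17: DNS domain settings
    }
    for sec in ("O2", "O3"):
        for body in entries.get(sec, []):
            if body.endswith("(file missing)"):
                report["file_missing"].append(f"{sec} - {body}")
    for body in entries.get("O4", []):
        if "] " in body:
            target = body.split("] ", 1)[1].strip()
            if "\\" not in target:
                report["bare_run"].append(target)
    for body in entries.get("O15", []):
        report["trusted_zones"].add(_zone_domain(body))
    for body in entries.get("O16", []):
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname
        if host:
            report["dpf_hosts"].add(host)
    for body in entries.get("O17", []):
        if "Domain = " in body:
            report["domains"].add(body.split("Domain = ", 1)[1].strip())
    return report


if __name__ == "__main__":
    for key, value in triage_hjt(parse_hjt(SAMPLE_HJT)).items():
        print(f"{key}: {sorted(value)}")
```

On the sample it reports the two orphaned AVG toolbar entries, PROMon.exe as the one bare Run target, worldspan.com and wspan.com as the Trusted Zone domains to confirm with the owner, and the two hosts the ActiveX controls came from. The Trusted Zone list is the item that needs a human answer, which is exactly the question Billy puts to mikegru below.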

#11 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 28 October 2008 - 03:31 PM

Sorry.. one last thing. Do you recognise "worldspan.com"?

Billy3

#12 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 28 October 2008 - 04:06 PM

Billy - Yes, Worldspan is the main program we use in my business. It's a specialized reservations system for travel agencies.

#13 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 28 October 2008 - 04:34 PM

Hello, mikegru.
Ah... just wanted to be sure :)

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore the computer to any point earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3

#14 mikegru
  • Topic Starter
  • Members
  • 156 posts

Posted 29 October 2008 - 08:05 AM

Thanks Billy - Will clean up today and try to keep up with updates, etc. to keep it bug free.

#15 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 01 November 2008 - 09:45 PM

Hello, mikegru.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



