
Ie6 Shutdown, Can't Display Page, Slow Response & Viruses


11 replies to this topic

#1 mikegru

mikegru

  • Members
  • 156 posts

Posted 14 June 2007 - 11:10 AM

I had Zone Alarm displayed until last Thursday, June 7, when something went wrong and ZA asked for permission for almost every entry made, even though I had already set permission for the programs. After looking in the program section of ZA, I noticed just about everything had been erased, so I uninstalled ZA, and started looking for viruses. I've run AVG 7.5 multiple times both in regular and safe modes. I've also run Adaware and Spybot S&D multiple times and constantly get adware and trojan notifications which can't seem to be corrected. I've run Vundofix, virtumondobegone, smitfraudfix, winsockxpfix, and have tried running Panda scan and some other scan, but both the programs quit before the scanning is complete. As I write this to you, I'm running Symantec security check, and it hasn't shut down yet.

Nothing really seems to cure the problems: IE6 shuts down at will, sometimes when displaying email the embedded pictures don't show up, and sometimes it takes 3 or 4 tries to even open up Outlook Express. Most often though, when I open IE6, I receive the error that says the page cannot be displayed. I guess it goes without saying that everything runs very slowly. I've included my HJT log to see if you can detect anything. Thanks in advance for your help. Mike

Logfile of HijackThis v1.99.1
Scan saved at 12:08:03 PM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\LMGDSFNC.EXE
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\LMGDSINT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\LMWSInterface.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\iiffeff.dll (file missing)
O2 - BHO: LaunchMagic.com, Inc. - {30121F5F-E81C-4EC0-A219-3395B0E42EE4} - C:\WINDOWS\System32\lmiectrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A2BD0AAF-C860-4528-85BD-586BE04A1732} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\ttjhgfri.dll (file missing)
O2 - BHO: (no name) - {FA6F41D9-3746-41CD-90C0-95D8870FFCA3} - C:\WINDOWS\System32\mljjg.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\dvhwevcl.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.worldspan.com
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: *.wspan.com
O15 - Trusted Zone: http://*.wspan.com
O15 - Trusted Zone: *.worldspan.com (HKLM)
O15 - Trusted Zone: *.wspan.com (HKLM)
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wspxxxxx.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O20 - AppInit_DLLs: C:\WINDOWS\System32\systs2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\System32\j0291132.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 June 2007 - 03:24 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum mikegru :thumbsup:

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
dns cache reader (DNSCacheReader)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

****************************

Click on Start/Run, type CMD then press Ok.
At the Command Prompt copy and paste the following command in bold text below, then press Enter:
SC DELETE DNSCacheReader
Then type EXIT then press Enter.

Restart your pc.

****************************

Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After right-clicking on Deldomains.inf and choosing 'Install', it will appear that nothing has happened; this is normal.

****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
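The reply above singles out the entries that matter in a log like the one in post #1: the unowned service with a missing binary, the Trusted Zone domains (cleared by DelDomains), the AppInit_DLLs value and the orphaned BHOs. The script below is an added example written for this thread, not RichieUK's tool or any part of the forum's procedure. It parses HijackThis log lines and reports those same classes of entries so a reader can see why each one stands out. The sample lines are copied from the log in post #1; the EXPECTED_TRUSTED allow-list and the random-name DLL heuristic are assumptions made for illustration.

```python
"""Flag the persistence points a HijackThis log analyst looks at first."""
import re
import sys
from dataclasses import dataclass

# Assumption: Trusted Zone domains the user expects (the Worldspan booking
# tools in this thread). Every other O15 entry is reported for review.
EXPECTED_TRUSTED = {"worldspan.com", "wspan.com"}

# Heuristic (assumption): a 5-8 letter, all-lowercase DLL in System32 with no
# vendor name, the naming pattern of the dropped DLLs seen in this log.
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)
RUNDLL32_TARGET = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)
HJT_LINE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\iiffeff.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\dvhwevcl.dll",realset
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: http://*.worldspan.com
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\systs2.dll
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\System32\j0291132.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    reason: str    # why the entry deserves attention
    line: str      # the original log line


def _trusted_domain(entry: str) -> str:
    """'http://*.wspan.com (HKLM)' -> 'wspan.com'."""
    host = entry.split()[0]
    host = re.sub(r"^\w+://", "", host)
    return host.lstrip("*.").lower()


def triage(log_text: str) -> list[Finding]:
    """Return the log entries that match the indicator classes checked below."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        missing = "(file missing)" in body

        def flag(reason: str) -> None:
            findings.append(Finding(section, reason, line))

        if section == "O2" and missing:
            # The CLSID is still registered, so IE keeps trying to load a DLL that is gone.
            flag("BHO CLSID still registered but its DLL is missing (orphaned loader entry)")
        elif section == "O4":
            target = RUNDLL32_TARGET.search(body)
            if target and RANDOM_DLL.search(target.group(1)):
                flag("Run key uses rundll32 to load a random-named DLL from System32")
        elif section == "O15":
            domain = _trusted_domain(body.split(":", 1)[1].strip())
            if domain not in EXPECTED_TRUSTED:
                flag(f"Trusted Zone relaxes IE security for unexpected domain {domain}")
        elif section == "O16" and re.search(r"ms-its:|mhtml:", body, re.IGNORECASE):
            flag("DPF object installed through an ms-its:/mhtml: CHM loader, not a vendor download")
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll.
            flag("AppInit_DLLs injects this DLL into every GUI process")
        elif section == "O23" and (missing or "Unknown owner" in body):
            flag("service with a missing binary or no identifiable owner")
    return findings


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a saved HijackThis log as the only argument, or with no argument to triage the sample lines. The checks are deliberately narrow: "(file missing)" and "Unknown owner" are strings HijackThis itself writes, while the Trusted Zone allow-list and the random-name pattern need adjusting to the machine being examined.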

#3 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts

Posted 14 June 2007 - 05:07 PM

Thanks - OK, here are the two logs you requested.

Logfile of HijackThis v1.99.1
Scan saved at 6:03:34 PM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\LMGDSFNC.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\LMGDSINT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\iiffeff.dll (file missing)
O2 - BHO: LaunchMagic.com, Inc. - {30121F5F-E81C-4EC0-A219-3395B0E42EE4} - C:\WINDOWS\System32\lmiectrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A2BD0AAF-C860-4528-85BD-586BE04A1732} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {FA6F41D9-3746-41CD-90C0-95D8870FFCA3} - C:\WINDOWS\System32\mljjg.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wspxxxxx.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O20 - AppInit_DLLs: C:\WINDOWS\System32\systs2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

*************************************************


ComboFix 07-06-13.7 - C:\Documents and Settings\Worldspan1\Desktop\combofix.exe
"Worldspan1" - 2007-06-14 17:47:29 - Service Pack 1 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dvhwevcl.dll
C:\WINDOWS\system32\lcvewhvd.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\advvpi32.dll
C:\WINDOWS\system32\T8QaSQ


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTIO256
-------\ntio256


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-11 16:36 <DIR> d-------- C:\VundoFix Backups
2007-06-11 16:16 1,364 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-07 16:39 <DIR> d-------- C:\Temp\x2b
2007-06-05 11:15 <DIR> d-------- C:\Program Files\Microsoft Security Adviser
2007-05-14 11:29 <DIR> d-------- C:\Address book - copy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 20:49:14 -------- d-----w C:\Program Files\WMR11
2007-05-02 20:54:33 -------- d-----w C:\DOCUME~1\WORLDS~1\APPLIC~1\.ABC
2007-05-01 12:29:25 -------- d-----w C:\Program Files\Hijackthis2
2007-04-27 21:38:58 14,902 ----a-w C:\syswlqv.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll [2004-09-29 13:02]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}=C:\WINDOWS\System32\iiffeff.dll []
{30121F5F-E81C-4EC0-A219-3395B0E42EE4}=C:\WINDOWS\System32\lmiectrl.dll [2004-08-13 18:42]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{A2BD0AAF-C860-4528-85BD-586BE04A1732}=C:\WINDOWS\System32\awtqn.dll []
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 02:03]
{B2C9A858-A8BE-426C-B1C7-7FD258B28CAA}=C:\WINDOWS\System32\LMIECTR2.dll [2006-10-19 13:46]
{B930BA63-9E5A-11D3-A288-0000E80E2EDE}=C:\Program Files\Mass Downloader\MDHELPER.DLL []
{FA6F41D9-3746-41CD-90C0-95D8870FFCA3}=C:\WINDOWS\System32\mljjg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-08 14:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 20:30]
"Winpopup LAN Messenger"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"Fomine WinPopup"="C:\Program Files\Winpopup LAN Messenger\WinPopup.exe" [2004-10-17 20:53]
"BookingBuilder GDS Interface"="C:\WINDOWS\System32\LMGDSInt.EXE" [2006-11-20 15:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoManageMyComputerVerb"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoAutoUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" [2006-06-16 10:38]
"{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"="C:\WINDOWS\System32\iiffeff.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\systs2.dll

*Newly Created Service* - NMSCFG

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 17:52:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-14 17:53:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-14 17:53
C:\ComboFix.txt ... 2007-05-01 08:55
C:\ComboFix3.txt ... 2006-06-30 18:58

--- E O F ---

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 14 June 2007 - 06:18 PM

Please make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\Temp\x2b
C:\syswlqv.exe
C:\WINDOWS\System32\systs2.dll

Restart normally.

************************

Copy and paste the following text (shown in bold blue in the quote box below) into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double-click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

************************

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit the program; don't run the scan just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\iiffeff.dll (file missing)
O2 - BHO: (no name) - {A2BD0AAF-C860-4528-85BD-586BE04A1732} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: (no name) - {FA6F41D9-3746-41CD-90C0-95D8870FFCA3} - C:\WINDOWS\System32\mljjg.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


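The fix.reg above relies on the REGEDIT4 syntax `"AppInit_DLLs"=-`: a value line ending in `=-` tells Regedit to delete that value rather than set it, and a `[-Key]` section deletes a whole key. AppInit_DLLs is worth clearing because any DLL listed there is loaded into every process that loads user32.dll, which is why it is a common load point for the kind of adware seen in this thread. Because a .reg file can just as easily create autostart values, it is good practice to know exactly what one will do before merging it. The Python script below is an added example, not part of this thread or of any tool the helper names: it reads a .reg file offline and lists the planned operations. The .reg text it parses is constructed for the example (the AppInit_DLLs line mirrors the fix above; the Run entry, the dword value and the ExampleLeftover key are placeholders).

```python
"""Dry-run reader for .reg files (REGEDIT4 and 'Windows Registry Editor Version 5.00').

Added example, not part of this thread or of any tool the helper names.
It lists what a .reg file would do without touching the registry, so the
effect of lines such as "AppInit_DLLs"=- can be checked before merging.
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Common persistence locations; a .reg that writes here deserves a second look.
AUTOSTART_HINTS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\Windows", "\\Winlogon")

# Constructed sample in the same format as fix.reg above. The AppInit_DLLs line
# mirrors the fix; the Run entry, the dword and the ExampleLeftover key are placeholders.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe /background"
"ExampleFlag"=dword:00000001

[-HKEY_CURRENT_USER\Software\ExampleLeftover]
"""


def unescape(s):
    # Undo .reg string escaping: a doubled backslash becomes one, and an escaped quote becomes a quote.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return planned operations as tuples:
    ('delete_key', key), ('delete_value', key, name), ('set_value', key, name, value)."""
    lines = text.splitlines()
    if not lines or lines[0].strip().lstrip('\ufeff') not in HEADERS:
        raise ValueError("missing .reg header line")
    ops = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):      # [-Key] deletes the whole key
                ops.append(("delete_key", body[1:]))
                key = None
            else:
                key = body                # following value lines belong to this key
            continue
        if key is None:
            raise ValueError(f"value outside any key section: {line}")
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable line: {line}")
        name = "(Default)" if name == "@" else unescape(name.strip('"'))
        if value == "-":                  # "name"=- deletes the value
            ops.append(("delete_value", key, name))
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            ops.append(("set_value", key, name, unescape(value[1:-1])))
        elif value.lower().startswith("dword:"):
            ops.append(("set_value", key, name, int(value[6:], 16)))
        else:                             # hex(...) and other types: keep the raw text
            ops.append(("set_value", key, name, value))
    return ops


def describe(ops):
    """Human-readable lines, marking operations on common autostart locations."""
    out = []
    for op in ops:
        key = op[1]
        mark = " [autostart location]" if any(h.lower() in key.lower() for h in AUTOSTART_HINTS) else ""
        if op[0] == "delete_key":
            out.append(f"delete key   {key}{mark}")
        elif op[0] == "delete_value":
            out.append(f"delete value {op[2]!r} under {key}{mark}")
        else:
            out.append(f"set value    {op[2]!r} = {op[3]!r} under {key}{mark}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(SAMPLE_REG)):
        print(line)
```

Run it against any .reg file you have been asked to merge (read the file and pass its text to `parse_reg`); a `set value` under an autostart location is the line to question, whereas the `delete value` of AppInit_DLLs above is exactly what the fix intends.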
#5 mikegru (Topic Starter)

Posted 15 June 2007 - 09:40 AM

Thanks, it does seem to be running better, but still very slowly. Outlook Express still doesn't want to open - I have to try a couple of times before OE opens.

Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2007 at 10:22 AM

Application Version : 3.8.1002

Core Rules Database Version : 3255
Trace Rules Database Version: 1266

Scan type : Complete Scan
Total Scan Time : 00:54:30

Memory items scanned : 402
Memory threats detected : 0
Registry items scanned : 5084
Registry threats detected : 10
File items scanned : 34946
File threats detected : 12

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{1945CA11-888C-4818-A5AE-59F39001304F}
HKCR\CLSID\{1945CA11-888C-4818-A5AE-59F39001304F}
HKCR\CLSID\{1945CA11-888C-4818-A5AE-59F39001304F}\InprocServer32
HKCR\CLSID\{1945CA11-888C-4818-A5AE-59F39001304F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJK.DLL

Parasite.WareOut
HKLM\Software\Classes\CLSID\{49A0B42C-5805-33F0-A589-343862ACE748}
HKCR\CLSID\{49A0B42C-5805-33F0-A589-343862ACE748}
HKCR\CLSID\{49A0B42C-5805-33F0-A589-343862ACE748}\InprocServer32
CNFTIPS.DLL
HKLM\Software\Classes\CLSID\{DD132C68-CAF5-2089-225D-85F2C8EC7A21}
HKCR\CLSID\{DD132C68-CAF5-2089-225D-85F2C8EC7A21}
HKCR\CLSID\{DD132C68-CAF5-2089-225D-85F2C8EC7A21}\InprocServer32
DRIVER64.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Worldspan1\Cookies\worldspan1@atdmt[2].txt
C:\Documents and Settings\Maint\Cookies\maint@pornking.fullonvideo[1].txt
C:\Documents and Settings\Worldspan1\Cookies\worldspan1@burstnet[2].txt

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ADVVPI32.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP153\A0050335.DLL

Trojan.Downloader-Gen/LIB
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UXPHWSEL.DLL.VIR

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP149\A0045480.EXE

Trojan.Downloader-Gen/Blah
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AC747D6A-91F9-4048-BF29-B852C4BDC2E9}\RP150\A0047841.DLL
C:\VUNDOFIX BACKUPS\IIFFEFF.DLL.BAD


***************************

Logfile of HijackThis v1.99.1
Scan saved at 10:38:01 AM, on 6/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\LMGDSFNC.EXE
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\LMGDSINT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\LMWSInterface.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: LaunchMagic.com, Inc. - {30121F5F-E81C-4EC0-A219-3395B0E42EE4} - C:\WINDOWS\System32\lmiectrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wspxxxxx.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

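HijackThis itself passes no judgement on what it lists; the helper does that by eye, as with the three unnamed O2 BHOs whose DLLs were already missing. The Python script below is an added example, not a tool from this thread: it applies a few of the same first-pass checks mechanically to log lines in the v1.99.1 format, reporting entries whose file is missing, browser extensions registered without a name, O16 ActiveX downloads whose codebase is not a plain http(s) URL, and O23 services with an unknown owner. The sample is a short excerpt of the log above, embedded inline so the script runs offline. A flagged line is a prompt to look closer, not a verdict.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example, not a tool from this thread. It flags a few entry types
that a malware-response helper usually looks at first; a flag means
"review this", not "malicious".
"""
import re
from collections import Counter

# Short excerpt of the log posted above, in the same format.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\iiffeff.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

SECTION_RE = re.compile(r"^([RFO]\d+) - ")
# O16 lines: "O16 - DPF: {CLSID} (optional name) - codebase"
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*)\))? - (.+)$")


def section_of(line):
    """Return the HijackThis section code ('O2', 'O16', ...) or None for non-entry lines."""
    m = SECTION_RE.match(line)
    return m.group(1) if m else None


def triage_line(line):
    """Return a list of (section, reason) findings for one log line."""
    findings = []
    sec = section_of(line)
    if sec is None:
        return findings
    if "(file missing)" in line:
        # A registered component whose file is gone: a leftover worth cleaning up.
        findings.append((sec, "referenced file is missing"))
    if sec in ("O2", "O3") and "(no name)" in line:
        findings.append((sec, "browser extension registered without a name"))
    if sec == "O16":
        m = DPF_RE.match(line)
        if m:
            codebase = m.group(3)
            if not codebase.lower().startswith(("http://", "https://")):
                scheme = codebase.split(":", 1)[0]
                findings.append((sec, f"ActiveX codebase uses scheme '{scheme}:' instead of http(s)"))
    if sec == "O23" and "Unknown owner" in line:
        findings.append((sec, "service with no identified publisher"))
    return findings


def triage_log(text):
    """Run triage_line over every non-empty line; return (section, reason, line) triples."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            for sec, reason in triage_line(line):
                results.append((sec, reason, line))
    return results


def summarize(results):
    """Count findings per section."""
    return Counter(sec for sec, _, _ in results)


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for sec, reason, line in hits:
        print(f"[{sec}] {reason}\n    {line}")
    print(dict(summarize(hits)))
```

On the excerpt this reports five findings: two for the unnamed O2 entry with its missing DLL, one for the O16 entry whose codebase uses the `ms-its:` scheme, and two for the O23 service with no owner and a missing binary; the Acrobat BHO, the AVG Run entry, the Windows Update control and the Intel Winlogon Notify entry pass through silently.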
#6 RichieUK (Malware Response Team)

Posted 15 June 2007 - 10:25 AM

I see you've got a topic posted at CastleCops:
http://www.castlecops.com/p951783-Trojans_...m_problems.html
When you get a reply there, you should let them know you're being helped here.

******************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

******************************

Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf, then click on 'Install'.
After clicking 'Install' it will appear that nothing happened; this is normal.

******************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

Also post a new Hijackthis log please.
Let me know how your pc is running now.


#7 mikegru (Topic Starter)

Posted 15 June 2007 - 11:06 AM

I originally posted to Castlecops last week, and they never responded - still haven't. I've used bleeping computer for reference on a few issues, so decided to try and post a message here. Thank you for the quick replies, and for the assistance. Here are the logs you requested.


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Winpopup LAN Messenger"="C:\\Program Files\\Winpopup LAN Messenger\\WinPopup.exe"
"Fomine WinPopup"="C:\\Program Files\\Winpopup LAN Messenger\\WinPopup.exe"
"BookingBuilder GDS Interface"="C:\\WINDOWS\\System32\\LMGDSInt.EXE"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Logfile of HijackThis v1.99.1
Scan saved at 12:01:01 PM, on 6/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\LMGDSFNC.EXE
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\System32\LMGDSINT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\LMWSInterface.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: LaunchMagic.com, Inc. - {30121F5F-E81C-4EC0-A219-3395B0E42EE4} - C:\WINDOWS\System32\lmiectrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wspxxxxx.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#8 mikegru (Topic Starter)

Posted 15 June 2007 - 02:58 PM

Another issue I forgot to mention, as it only intermittently affects my computer, and it just happened again - occasionally when I boot up, I am shut off from our network. Sometimes I have to restart the system 3 or 4 times before I can regain the network connection. This only has happened since I began having the problems we've been working on.

#9 RichieUK (Malware Response Team)

Posted 15 June 2007 - 05:29 PM

Download and scan with the free 15 day trial of Counterspy V2.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

Also post a new Hijackthis log please.
Let me know how your pc is running now.

#10 mikegru (Topic Starter)

Posted 18 June 2007 - 10:08 AM

Good morning - email opened fine this morning, with no problems. IE also worked fine so far - no surprise shutdowns.


Scan History Details
Start Date: 6/18/2007 9:53:15 AM
End Date: 6/18/2007 10:49:36 AM
Total Time: 56 Min 21 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@atdmt[2].txt


Cookie: CGI-Bin Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@cgi-bin[1].txt
c:\documents and settings\worldspan1\cookies\worldspan1@CGI-BIN[2].txt


CouponBar Toolbar more information...
Details: CouponBar is an advertising program that installs a Browser Helper Object (BHO) in the form of a toolbar in Internet Explorer. CouponBar provides coupons to users.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{A138BE8B-F051-4802-9A3F-A750A6D862D4}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{87255C51-CD7D-4506-B9AD-97606DAF53F3}\1.0\HELPDIR


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@doubleclick[2].txt


Cookie: FastClick.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@fastclick[1].txt


Cookie: PointRoll.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@ads.pointroll[2].txt


Cookie: RealMedia.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@realmedia[1].txt


Cookie: Advertising.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@advertising[2].txt


Cookie: Zedo Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@zedo[1].txt


MediaTickets CDT Adware (General) more information...
Details: MediaTickets CDT is an adware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-2436313513-1203752577-514352727-1009\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0
HKEY_USERS\S-1-5-21-2436313513-1203752577-514352727-1009\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0
HKEY_USERS\S-1-5-21-2436313513-1203752577-514352727-1009\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0


Cookie: casalemedia.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\worldspan1\cookies\worldspan1@casalemedia[2].txt


CWS.HomeSearchAssistant Adware (General) more information...
Details: CWS.HomeSearchAssistant is a CoolWebSearch hijacker that changes the user's homepage and default search settings.
Status: Deleted

Files detected
C:\WINDOWS\system32\cpln32mk.dll


SpySheriff Rogue Security Program more information...
Details: SpySheriff is a purported anti-spyware application to scan for and remove spyware from users' computers.
Status: Deleted

Files detected
C:\Program Files\SpySheriff(2)\SpySheriff_2.dat


Oemji Bar Toolbar more information...
Details: Oemji Bar is a hijacker and toolbar that substitutes its search provider for the browser's default search provider.
Status: Deleted

Files detected
C:\DOCUMENTS AND SETTINGS\WORLDSPAN1\APPLICATION DATA\SPAMEXTRACT\count
C:\DOCUMENTS AND SETTINGS\WORLDSPAN1\APPLICATION DATA\SPAMEXTRACT

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT.1
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT.1
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.BAYESIANOBJECT\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM.1
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM.1
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.MAILITEM\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT.1
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT.1
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\BAYESOBJ.WHITELISTOBJECT\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB.1.0
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB.1.0
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB.1.0\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB.1.0\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\CCONFIRMATIONOBJECT.CCONFIRMATIONOB\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT.1.0
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT.1.0
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT.1.0\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT.1.0\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\CEMAILPROMPT.CEMAILPROMPT\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{0CFC2012-205B-4E00-9417-35822237C52C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{E4A5B138-6BE5-4A0D-A5C3-D2DE4A62EBDC}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{0AC17D72-80F3-4F79-BFCC-9A779BA70334}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{828BC5D5-9C49-4DFD-B3C5-0436707DF5B3}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{AEF5EB3E-0739-4A12-83F3-77249D80F63F}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{B0DDF13B-2D10-472D-B409-F10476E9A12A}\1.0\HELPDIR


SpySpotter Rogue Security Program more information...
Details: SpySpotter is a purported anti-spyware application to scan for and remove spyware from users' computers.
Status: Deleted

Files detected
C:\Program Files\SpySpotter\SpySpotter.exe


Backdoor.Win32.Small.nz Backdoor more information...
Status: Deleted

Registry entries detected
HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS
HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS


Trojan-Downloader.Win32.VB.ayr Trojan Downloader more information...
Status: Deleted

Files detected
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\xpreload.ocx


*****************

Logfile of HijackThis v1.99.1
Scan saved at 11:06:36 AM, on 6/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BookingBuilder\BBDesktop.exe
C:\wspan\swgw\Hpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\wspan\swgw\FilterAgent.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\System32\LMGDSFNC.EXE
C:\Program Files\BookingBuilder\LMFChk.EXE
C:\WINDOWS\System32\LMGDSINT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\LMWSInterface.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.wspan.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wspan.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Worldspan Go!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: LaunchMagic.com, Inc. - {30121F5F-E81C-4EC0-A219-3395B0E42EE4} - C:\WINDOWS\System32\lmiectrl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: LaunchMagic.com, Inc. - IECTRL2 - {B2C9A858-A8BE-426C-B1C7-7FD258B28CAA} - C:\WINDOWS\System32\LMIECTR2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Winpopup LAN Messenger] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [Fomine WinPopup] C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
O4 - HKCU\..\Run: [BookingBuilder GDS Interface] C:\WINDOWS\System32\LMGDSInt.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BookingBuilder Desktop.lnk = C:\Program Files\BookingBuilder\BBDesktop.exe
O4 - Global Startup: Hpm.lnk = C:\wspan\swgw\Hpm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = swgw\FilterAgent.exe
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O9 - Extra button: BookingBuilder Desktop - Drag && Drop Profile Data Into This Page - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra 'Tools' menuitem: BookingBuilder Desktop - {53F0FA27-1273-4afc-81D0-CB233010B05C} - C:\Program Files\BookingBuilder\BBIETlBr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - http://go.worldspan.com/diagtool/WSSystemInformation.cab
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {321C4CB3-6D3B-408A-AB8A-11CFA8E331CD} (SystemObject Class) - http://www.bookingbuilder.com/files/LMUTILS.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143230576984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go8f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CB6F8DE2-913D-4543-9FBB-C1E1340BFD24} (FTPCtrl Class) - http://gopublic.wspan.com/secure/DLLs/wsftp.cab
O16 - DPF: {CC56FF0D-76B7-4C4D-97B5-AF208ECE16A5} (ToolCtrl Class) - http://go.worldspan.com/diagtool/ConnectivityTool.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - http://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tramsevents.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us/DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://gopublic.wspan.com/secure/dlls/Comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\Software\..\Telephony: DomainName = wspxxxxx.wspan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wspxxxxx.wspan.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

#11 RichieUK

Malware Assassin
Malware Response Team
13,614 posts

Posted 18 June 2007 - 12:56 PM

Backdoor.Win32.Small.nz was deleted by Counterspy.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

********************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx

Exit Hijackthis.

********************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

********************************

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
DelDomains.zip
Deldomains.inf
Combofix
fix.reg
VundoFix.exe
Fixwareout

C:\QooBox

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
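The two kinds of HijackThis entries the helper picked out in the post above, the "(file missing)" references and the two O16 DPF entries whose code-base is an ms-its:mhtml: URL rather than an ordinary http(s) download, can be surfaced mechanically before a human decides what to fix. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from CounterSpy. It parses a constructed sample of lines in the HijackThis 1.99 log format (a subset copied from the log above, not the whole log) and flags exactly those two patterns. The regular expression for the line shape, the "section / body" split and the code-base scheme check are assumptions inferred from the posted log, not a published HJT grammar. Flagged lines are candidates for review, not an automatic fix list: the O23 rpcapd entry also carries "(file missing)", and the helper chose to leave it alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 1.99 log format. The lines are copied from
# the log posted above (a subset, not the whole log) so the output can be
# compared with the helper's fix list.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {08882277-D04C-4A9D-845A-A28FE8CD0773} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxgate.net/zscript/pre.chm::/xpreload.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Assumed line shape: "<section> - <body>", e.g. "O16 - DPF: {CLSID} (Name) - <code-base>".
# This regex is an inference from the posted log, not a published HJT grammar.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# Download schemes that are normal for an O16 (Downloaded Program Files) entry.
EXPECTED_O16_SCHEMES = {"http", "https"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def o16_codebase(body: str) -> str:
    """Return the code-base URL of an O16 body: the text after the last ' - '."""
    return body.rsplit(" - ", 1)[-1].strip()


def flag_entry(raw_line: str) -> Optional[Finding]:
    """Return a Finding for a line matching one of the two patterns, else None."""
    line = raw_line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None  # blank line, header, 'Running processes' path, etc.
    section, body = m.group("section"), m.group("body")

    # Pattern 1: HJT could not find the referenced file on disk.
    if body.endswith("(file missing)"):
        return Finding(section, "orphaned reference: target file missing", line)

    # Pattern 2: an O16 code-base that is not an ordinary http(s) download
    # (the ms-its:mhtml: entries in the thread are the case in point).
    if section == "O16":
        codebase = o16_codebase(body)
        scheme = codebase.split(":", 1)[0].lower()
        if scheme not in EXPECTED_O16_SCHEMES:
            return Finding(section, f"non-http code-base scheme '{scheme}'", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run flag_entry over every line of a HijackThis log and collect the hits."""
    return [f for f in map(flag_entry, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Treating any O16 code-base whose scheme is not http or https as suspicious is deliberately broad: a legitimate ActiveX control is fetched from a web server, so anything routed through a different protocol handler deserves a second look, and the two ms-its:mhtml: entries are exactly what that rule catches here. The "(file missing)" rule is about hygiene rather than infection; an orphaned BHO or button entry does nothing, but it is noise the helper removes so later logs are easier to read.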

#12 mikegru

Topic Starter
Members
156 posts

Posted 18 June 2007 - 03:32 PM

Thank you very much. The last time something like this happened, I installed Zone Alarm, however it looked this time like Zone Alarm was affected by the intrusion. In your opinion is ZA safe and effective to re-install?



