Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! Unknow Adware


  • This topic is locked This topic is locked
8 replies to this topic

#1 pencraft

pencraft

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 20 June 2006 - 05:42 PM

I'm not sure what my brother downloaded but this is a wild one. I thought it was just a search bar so I uninstalled it but it is something even worse. I don't remember what the search bar was called but I did find some links that were just added- ZIGID003, TagASaurus, 526_620
Now I am getting a fake Windows Security Center warning. It's taking over my pc. Please help!

Logfile of HijackThis v1.99.1
Scan saved at 6:41:40 PM, on 6/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\inet20026\services.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1137082771\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\testtestt.exe
C:\WINDOWS\System32\ca730b5.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\dxvwsdrx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\xpupdate.exe
C:\Program Files\Adobe\Acrobat 6.0\Adobe PDF 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dxvwxflp.exe
C:\WINDOWS\inet20026\mm5.exe
C:\WINDOWS\inet20026\select.exe
C:\WINDOWS\inet20026\socks.exe
C:\DOCUME~1\homerun\LOCALS~1\Temp\1343\explorer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\System32\dxvwbyuo.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\homerun\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gopbqnb.exe
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20026\3.03.00.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137082771\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [defender] C:\\dfndr.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [ms043605378-147] C:\WINDOWS\ms043605378-147.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [ca730b5.exe] C:\WINDOWS\System32\ca730b5.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\services.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwbyuo.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20026\socks.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ca730b5.exe] C:\Documents and Settings\homerun\Local Settings\Application Data\ca730b5.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\services.exe
O4 - Startup: Run hotfix bat file.lnk = C:\Program Files\REX2XCU\msxml3 hotfix\runhfix.bat
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Adobe PDF 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - blank (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...ius/ext360.html
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rmlsfl.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rmlsfl.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\en02l1do1.dll
O21 - SSODL: wxjtcpdsGnvm - {A82A90FF-0280-3A55-F476-EF2E9DAB4B51} - C:\WINDOWS\System32\apa.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\DOCUME~1\homerun\LOCALS~1\Temp\1343\explorer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thanks in advance.
Melissa

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:07 AM

Posted 21 June 2006 - 02:42 AM

Hello Melissa,

Welcome to Bleeping Computer :thumbsup:

You've got a lot going on here, and not even Service Pack 1a! :flowers:

I hate to the bearer of bad news but, your log shows a very dangerous Trojan is residing on your PC.

Described here http://www.liutilities.com/products/wintas...brary/ibm00001/ as Trojan.W32.Torpig
The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP. The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, Your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 pencraft

pencraft
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 21 June 2006 - 07:15 AM

I have a lot of important documents on the shared drive of this computer. Is it possible to recover these without taking the Trojan with me?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:07 AM

Posted 21 June 2006 - 01:01 PM

Hello,

I believe so, yes. :thumbsup: Burn what you deem necessary to disk, scanning the files before you burn them, then scan them again when they get to their new home to be safe.

If you have any further questions, feel free to ask. :flowers:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 pencraft

pencraft
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 21 June 2006 - 03:26 PM

Is it possible for the virus to spread to other computers on my network? I don't have a server but I do have ten computers networked together using a wireless router and a switch. Also, is it possible that the computer was infected way before I started see the systems? I appreciate all your help.
Melissa

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:07 AM

Posted 21 June 2006 - 06:57 PM

Hi Melissa,

Your concern is a valid one. You have a LOT more on this computer than just one Trojan. Having a router does reduce the chances of the infections spreading, but please check them all out to be sure. If it's possible, disconnect this computer from the network until it's clean again. Do not change the passwords on the infected computer right now either. Until it's clean again, the Trojan can still log all your information. That's why I said earlier to change them from a known clean computer.

Yes, it's possible this was there for a while, but I can't tell you which infection was there first, or exactly how long. Having one infection tends to draw in more since the security has been breached. They like to invite their friends in to play. :thumbsup:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 pencraft

pencraft
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 22 June 2006 - 04:00 PM

So what do I need to do to delete it other the re-format? Also, now, whenever I try to bring up up the task manager, I get a message that says that the administrator has limited my access. On top of that, a fake Windows Security Center keeps asking me to install a new spyware protection program. It is crazy. One more thing, what entry should I look for on the other nine computers in my office to make sure they haven't been infected? Thanks for the help.
Melissa

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:07 AM

Posted 22 June 2006 - 06:23 PM

Hi Melissa,

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe" Is the Torpig password stealer entry. It may show up in an 04 entry as well, and may have different numbers at the end, not just the 3.

There is a LOT of bad stuff on this PC besides the one Trojan, so it's going to keep going downhill until you reformat and install it clean.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:07 AM

Posted 18 July 2006 - 11:55 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users