Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adserving.cpxinteractive.com Infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 soss

soss

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 17 April 2007 - 09:52 AM

Getting popups from adserving.cpxinteractive.com
Spybot, Adaware, and Panda are showing computer as clean.

HELP!

Logfile of HijackThis v1.99.1
Scan saved at 4:55:17 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.axaonline.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [TermEvent] C:\Windows\system32\TermEvt.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [CA-AMAgent] C:\TNGAM\AGENT\amagent.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://edox.axa-advisors.com
O15 - Trusted Zone: http://preprod.axaonline.com
O15 - Trusted Zone: http://snwtiwp1.axaonline.com
O15 - Trusted Zone: http://test.axaonline.com
O15 - Trusted Zone: http://wtiwebopt.axaonline.com
O15 - Trusted Zone: http://www.axaonline.com
O15 - Trusted Zone: http://edox.equitable.com
O15 - Trusted Zone: mpgint.equitable.com
O15 - Trusted Zone: http://mpgpln.equitable.com
O15 - Trusted Zone: mpgtrn.equitable.com
O15 - Trusted Zone: http://axa.financialcampus.com
O15 - Trusted Zone: http://advtools.morningstar.com
O15 - Trusted Zone: http://apps.questerra.com
O15 - Trusted Zone: http://www.questerra.com
O15 - Trusted Zone: http://www.smartmoney.com
O15 - Trusted Zone: http://*.snj1afsap33
O15 - Trusted Zone: http://*.sny1afsapdev18
O15 - Trusted Zone: http://edox.axa-advisors.com (HKLM)
O15 - Trusted Zone: http://preprod.axaonline.com (HKLM)
O15 - Trusted Zone: http://snwtiwp1.axaonline.com (HKLM)
O15 - Trusted Zone: http://test.axaonline.com (HKLM)
O15 - Trusted Zone: http://wtiwebopt.axaonline.com (HKLM)
O15 - Trusted Zone: http://www.axaonline.com (HKLM)
O15 - Trusted Zone: http://edox.equitable.com (HKLM)
O15 - Trusted Zone: mpgint.equitable.com (HKLM)
O15 - Trusted Zone: http://mpgpln.equitable.com (HKLM)
O15 - Trusted Zone: mpgtrn.equitable.com (HKLM)
O15 - Trusted Zone: http://axa.financialcampus.com (HKLM)
O15 - Trusted Zone: http://advtools.morningstar.com (HKLM)
O15 - Trusted Zone: http://apps.questerra.com (HKLM)
O15 - Trusted Zone: http://www.questerra.com (HKLM)
O15 - Trusted Zone: http://www.smartmoney.com (HKLM)
O15 - Trusted Zone: http://*.snj1afsap33 (HKLM)
O15 - Trusted Zone: http://*.sny1afsapdev18 (HKLM)
O16 - DPF: {3B74F448-B418-40E7-AB9A-1DCCC344B09C} (Siebel Option Pack for IE 7.0.5) - https://wtiwebopt.axaonline.com/fins/14703/...lOptionPack.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = axa-advisors.axa-financial.intraxa
O17 - HKLM\Software\..\Telephony: DomainName = axa-advisors.axa-financial.intraxa
O17 - HKLM\System\CCS\Services\Tcpip\..\{E69C3E5C-0E5F-416E-88C3-847ED901756C}: NameServer = 192.168.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = axa-advisors.axa-financial.intraxa
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = equitable.com,axa-advisors.axa-financial.intraxa,axa-advisors.com,axa-financial.com,axa-na.com,elas.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = axa-advisors.axa-financial.intraxa
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = equitable.com,axa-advisors.axa-financial.intraxa,axa-advisors.com,axa-financial.com,axa-na.com,elas.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = equitable.com,axa-advisors.axa-financial.intraxa,axa-advisors.com,axa-financial.com,axa-na.com,elas.com
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\NetExPro\FlowHook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINDOWS\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINDOWS\Lic98RmtD.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Accociates, Intl Inc. - C:\TNGSD\BIN\SDSERV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:59 AM

Posted 19 April 2007 - 03:51 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:59 AM

Posted 28 April 2007 - 08:26 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users