
Malware


12 replies to this topic

#1 tboctavan

tboctavan

  • Members
  • 11 posts

Posted 02 May 2007 - 11:37 PM

Alright then. I'm having lots of trouble with cpvfeed.com, much like everyone else. I've downloaded and run everything suggested, and Ad-aware doesn't find anything now, nor does Spybot, nor either of the anti-virus programs. I must say, this has pissed me off, as even going to a site I know and trust 1) opens a pop-up every minute, and 2) somehow more malware gets installed at those sites.

If it helps, I'm running:
-Windows XP Pro SP2 (on E:)
-BitDefender 8
-ZoneAlarm

HijackThis Log


Logfile of HijackThis v1.99.1
Scan saved at 11:20:54 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Softwin\BitDefender8\bdmcon.exe
E:\Program Files\Softwin\BitDefender8\bdnagent.exe
D:\Program Files\Trillian\trillian.exe
D:\Program Files\IMVU\IMVUClient.exe
E:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\Program Files\IMVU\IMVUQualityAgent.exe
E:\Documents and Settings\Tom\Desktop\Security Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t-b-octavan.livejournal.com/friends/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "E:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [wkir] E:\PROGRA~1\COMMON~1\wkir\wkirm.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\Tom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://download.games.yahoo.com/games/voice/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178070665703
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

HELP

#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 03 May 2007 - 01:16 AM

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware report scan. Then do this - download SUPERAntiSpyware Home Edition (free version):
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 tboctavan

tboctavan
  • Topic Starter

  • Members
  • 11 posts

Posted 03 May 2007 - 03:20 PM

Alright, here we go.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/03/2007 at 04:52 AM

Application Version : 3.7.1018

Core Rules Database Version : 3230
Trace Rules Database Version: 1241

Scan type : Complete Scan
Total Scan Time : 01:40:38

Memory items scanned : 298
Memory threats detected : 0
Registry items scanned : 4733
Registry threats detected : 0
File items scanned : 45218
File threats detected : 92

Adware.Tracking Cookie
E:\Documents and Settings\Tom\Cookies\tom@1065243893[2].txt
E:\Documents and Settings\Tom\Cookies\tom@4.adbrite[2].txt
E:\Documents and Settings\Tom\Cookies\tom@burstnet[2].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.realtechnetwork[2].txt
E:\Documents and Settings\Tom\Cookies\tom@2.adbrite[1].txt
E:\Documents and Settings\Tom\Cookies\tom@sales.liveperson[1].txt
E:\Documents and Settings\Tom\Cookies\tom@trafficmp[2].txt
E:\Documents and Settings\Tom\Cookies\tom@mediaplex[2].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.adultswim[1].txt
E:\Documents and Settings\Tom\Cookies\tom@www2.addfreestats[2].txt
E:\Documents and Settings\Tom\Cookies\tom@perf.overture[1].txt
E:\Documents and Settings\Tom\Cookies\tom@saletrack.co[1].txt
E:\Documents and Settings\Tom\Cookies\tom@ad1.clickhype[1].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.newgrounds[1].txt
E:\Documents and Settings\Tom\Cookies\tom@www.burstbeacon[1].txt
E:\Documents and Settings\Tom\Cookies\tom@adrevolver[1].txt
E:\Documents and Settings\Tom\Cookies\tom@www.googleadservices[1].txt
E:\Documents and Settings\Tom\Cookies\tom@cgi-bin[2].txt
E:\Documents and Settings\Tom\Cookies\tom@media.adrevolver[2].txt
E:\Documents and Settings\Tom\Cookies\tom@fastclick[2].txt
E:\Documents and Settings\Tom\Cookies\tom@atdmt[2].txt
E:\Documents and Settings\Tom\Cookies\tom@cgi-bin[5].txt
E:\Documents and Settings\Tom\Cookies\tom@audit.median[1].txt
E:\Documents and Settings\Tom\Cookies\tom@content.licenseacquisition[1].txt
E:\Documents and Settings\Tom\Cookies\tom@16137[1].txt
E:\Documents and Settings\Tom\Cookies\tom@advertising[1].txt
E:\Documents and Settings\Tom\Cookies\tom@data4.perf.overture[1].txt
E:\Documents and Settings\Tom\Cookies\tom@precisionclick[1].txt
E:\Documents and Settings\Tom\Cookies\tom@adprofile[1].txt
E:\Documents and Settings\Tom\Cookies\tom@exitexchange[2].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.revsci[1].txt
E:\Documents and Settings\Tom\Cookies\tom@azjmp[2].txt
E:\Documents and Settings\Tom\Cookies\tom@76226072[1].txt
E:\Documents and Settings\Tom\Cookies\tom@tribalfusion[2].txt
E:\Documents and Settings\Tom\Cookies\tom@adinterax[1].txt
E:\Documents and Settings\Tom\Cookies\tom@adultswim[2].txt
E:\Documents and Settings\Tom\Cookies\tom@interclick[2].txt
E:\Documents and Settings\Tom\Cookies\tom@enhance[2].txt
E:\Documents and Settings\Tom\Cookies\tom@server.cpmstar[2].txt
E:\Documents and Settings\Tom\Cookies\tom@feeds.directsex[1].txt
E:\Documents and Settings\Tom\Cookies\tom@count3.exitexchange[2].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.glispa[2].txt
E:\Documents and Settings\Tom\Cookies\tom@jamster[2].txt
E:\Documents and Settings\Tom\Cookies\tom@realmedia[1].txt
E:\Documents and Settings\Tom\Cookies\tom@data3.perf.overture[2].txt
E:\Documents and Settings\Tom\Cookies\tom@184905[2].txt
E:\Documents and Settings\Tom\Cookies\tom@www.fatpenguinmedia[1].txt
E:\Documents and Settings\Tom\Cookies\tom@hit[1].txt
E:\Documents and Settings\Tom\Cookies\tom@catalog[1].txt
E:\Documents and Settings\Tom\Cookies\tom@xiti[1].txt
E:\Documents and Settings\Tom\Cookies\tom@cgi-bin[1].txt
E:\Documents and Settings\Tom\Cookies\tom@1068616294[1].txt
E:\Documents and Settings\Tom\Cookies\tom@ad.yieldmanager[2].txt
E:\Documents and Settings\Tom\Cookies\tom@atwola[1].txt
E:\Documents and Settings\Tom\Cookies\tom@www.windowsmedia[1].txt
E:\Documents and Settings\Tom\Cookies\tom@count1.exitexchange[2].txt
E:\Documents and Settings\Tom\Cookies\tom@adopt.specificclick[2].txt
E:\Documents and Settings\Tom\Cookies\tom@image.masterstats[1].txt
E:\Documents and Settings\Tom\Cookies\tom@mycounter.tinycounter[1].txt
E:\Documents and Settings\Tom\Cookies\tom@hentaicounter[1].txt
E:\Documents and Settings\Tom\Cookies\tom@cpvfeed[1].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.adbrite[1].txt
E:\Documents and Settings\Tom\Cookies\tom@data2.perf.overture[2].txt
E:\Documents and Settings\Tom\Cookies\tom@humornsex[2].txt
E:\Documents and Settings\Tom\Cookies\tom@cgi-bin[6].txt
E:\Documents and Settings\Tom\Cookies\tom@cgi-bin[3].txt
E:\Documents and Settings\Tom\Cookies\tom@stats[1].txt
E:\Documents and Settings\Tom\Cookies\tom@adbrite[2].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.mediamayhemcorp[2].txt
E:\Documents and Settings\Tom\Cookies\tom@www.burstnet[2].txt
E:\Documents and Settings\Tom\Cookies\tom@anad.tacoda[2].txt
E:\Documents and Settings\Tom\Cookies\tom@sexgamesfree[1].txt
E:\Documents and Settings\Tom\Cookies\tom@view-2210[1].txt
E:\Documents and Settings\Tom\Cookies\tom@3.adbrite[2].txt
E:\Documents and Settings\Tom\Cookies\tom@ads.mininova[2].txt
E:\Documents and Settings\Tom\Cookies\tom@anat.tacoda[2].txt
E:\Documents and Settings\Tom\Cookies\tom@Play[1].txt
E:\Documents and Settings\Tom\Cookies\tom@indiads[2].txt
E:\Documents and Settings\Tom\Cookies\tom@count4.exitexchange[2].txt
E:\Documents and Settings\Tom\Cookies\tom@statcounter[1].txt
E:\Documents and Settings\Tom\Cookies\tom@adultrental[1].txt
E:\Documents and Settings\Tom\Cookies\tom@1069871597[1].txt
E:\Documents and Settings\Tom\Cookies\tom@focalex[1].txt
E:\Documents and Settings\Tom\Cookies\tom@aff.primaryads[1].txt
E:\Documents and Settings\Tom\Cookies\tom@adultadworld[1].txt
E:\Documents and Settings\Tom\Cookies\tom@cts.metricsdirect[2].txt
E:\Documents and Settings\Tom\Cookies\tom@2.marketbanker[1].txt
E:\Documents and Settings\Tom\Cookies\tom@v7.stats.load[2].txt
E:\Documents and Settings\Tom\Cookies\tom@stats[2].txt
E:\Documents and Settings\Tom\Local Settings\Temp\Cookies\tom@media1.break[1].txt

Adware.180solutions/ZangoSearch
E:\SYSTEM VOLUME INFORMATION\_RESTORE{ADDFCC11-9865-407A-8A5B-FC636EAE9F00}\RP68\A0041621.EXE

Trojan.Rootkit-TnCore
E:\SYSTEM VOLUME INFORMATION\_RESTORE{ADDFCC11-9865-407A-8A5B-FC636EAE9F00}\RP91\A0054605.SYS

#4 tboctavan

tboctavan
  • Topic Starter

  • Members
  • 11 posts

Posted 03 May 2007 - 11:43 PM

Never mind; it seems like everything is running smoothly now. Thanks for the help.

#5 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 04 May 2007 - 12:40 AM

Post the new HJT log so I can check it's clean - unless AVG removed the pests, you may still be infected.

#6 tboctavan

tboctavan
  • Topic Starter

  • Members
  • 11 posts

Posted 04 May 2007 - 03:52 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:48:13 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Softwin\BitDefender8\bdnagent.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Trillian\trillian.exe
D:\Program Files\IMVU\IMVUClient.exe
D:\Program Files\IMVU\IMVUQualityAgent.exe
D:\Program Files\iTunes\iTunes.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\iPod\bin\iPodService.exe
e:\program files\softwin\bitdefender8\bdmcon.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Documents and Settings\Tom\Desktop\Security Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t-b-octavan.livejournal.com/friends/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "E:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [wkir] E:\PROGRA~1\COMMON~1\wkir\wkirm.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\Tom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://download.games.yahoo.com/games/voice/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178070665703
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 May 2007 - 12:53 AM

A couple of things need further investigation. Go to Jotti's malware scan.

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

E:\WINDOWS\retadpu72.exe

Click on the submit button. Please post the results in your next reply. Repeat for:

E:\Program Files\Common Files\wkir\wkirm.exe

#8 tboctavan

tboctavan
  • Topic Starter

  • Members
  • 11 posts

Posted 05 May 2007 - 01:19 AM

Well, I can't seem to find either of them, on Jotti or in Windows Explorer (and the option to show hidden folders and files is checked). I can see as far as E:\Program Files\Common Files\wkir\ for the second one.

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 May 2007 - 01:27 AM

Probably orphan entries then. Open HijackThis, scan, and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [wkir] E:\PROGRA~1\COMMON~1\wkir\wkirm.exe


Exit HijackThis when done. Using Windows Explorer, find and delete the following:

E:\Program Files\Common Files\wkir <-- folder

Exit Explorer and reboot. Rescan with HijackThis and post a final log here.
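The reasoning in the post above (an autostart entry whose target file is gone is an orphan to be removed, and the final HijackThis log is re-read to confirm the fix) can be automated for triage. The following is an added example written for this thread; it is not HijackThis code and was not posted by anyone here. It parses O4 Run and O23 Service lines in the format of the logs above, flags O4 targets that are absent from a constructed stand-in for the file system (`PRESENT_FILES`, replace with `os.path.exists` on a real machine) and O23 entries that HJT itself marks "(file missing)", then diffs a before/after log so you can see exactly which entries disappeared and which new ones appeared. The sample log lines are copied from this thread's logs and trimmed; the `SHORT_NAMES` table is an assumption about how the 8.3 names in the log expand, matching the way the helper resolved PROGRA~1\COMMON~1\wkir above.

```python
"""Triage helpers for HijackThis (HJT) v1.99.1 log lines.

Added example for this thread, not code from HijackThis or from any poster here.
It automates the two checks the helper did by hand: flagging autostart entries
whose target file no longer exists (orphans) and services HJT marks
"(file missing)", then diffing a before/after log to confirm the fix took.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: lines copied from the logs in this thread, trimmed to the
# entries that matter here. A real run would read the full saved log file.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [wkir] E:\PROGRA~1\COMMON~1\wkir\wkirm.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed stand-in for os.path.exists(): the files the poster could find.
# Per the thread, retadpu72.exe and wkirm.exe were not on disk (the wkir folder was).
PRESENT_FILES: Set[str] = {p.lower() for p in (
    r"E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe",
    r"E:\WINDOWS\system32\ctfmon.exe",
    r"E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r"E:\WINDOWS\system32\ZoneLabs\vsmon.exe",
)}

# Assumption: how the 8.3 short names in this log expand on this machine
# (the helper resolved PROGRA~1\COMMON~1\wkir to Program Files\Common Files\wkir).
SHORT_NAMES = {"PROGRA~1": "Program Files", "COMMON~1": "Common Files"}

ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - ")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<cmd>.*)$")
# HJT prints unquoted paths that contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|cpl))(?=\s|$)", re.IGNORECASE)


def parse_entries(log: str) -> List[str]:
    """Return only the R*/O* entry lines of an HJT log (header and process list dropped)."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def run_target(cmd: str) -> Optional[str]:
    """Extract the executable path from an O4 command string.

    Quoted paths are taken verbatim; unquoted ones are cut at the first
    executable extension, so trailing arguments (like runner1's hex blob) drop off.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = EXE_RE.match(cmd)
    return m.group("path") if m else None


def expand_short_names(path: str) -> str:
    """Expand the 8.3 components we know about so the path can be compared to the file system."""
    return "\\".join(SHORT_NAMES.get(part.upper(), part) for part in path.split("\\"))


def find_orphans(log: str, present_files: Set[str]) -> List[Dict[str, str]]:
    """Flag O4 entries whose target is not on disk and O23 entries HJT marks '(file missing)'."""
    findings: List[Dict[str, str]] = []
    for line in parse_entries(log):
        m = O4_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            if target is None:
                findings.append({"kind": "O4", "name": m.group("name"), "target": "",
                                 "reason": "unparsable command", "line": line})
                continue
            full = expand_short_names(target)
            if full.lower() not in present_files:
                findings.append({"kind": "O4", "name": m.group("name"), "target": full,
                                 "reason": "target file not found", "line": line})
            continue
        s = O23_RE.match(line)
        if s and line.endswith("(file missing)"):
            findings.append({"kind": "O23", "name": s.group("short") or s.group("desc"),
                             "target": s.group("cmd"), "reason": "HJT reports file missing",
                             "line": line})
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (entries removed, entries added) between two HJT logs, ignoring order."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in find_orphans(LOG_BEFORE, PRESENT_FILES):
        print(f"{f['kind']} [{f['name']}]: {f['reason']} ({f['target']})")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

Two points this makes that the posts only imply: the diff step matters as much as the orphan check, because a re-scan can also surface new entries (here the SUPERAntiSpyware autostart the poster installed, which is expected, but anything unexpected deserves the same look), and a missing target only says the entry is stale, not that the machine is clean, which is why the helper asked for the file itself to be checked at Jotti before deciding it was an orphan.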

#10 tboctavan

tboctavan
  • Topic Starter

  • Members
  • 11 posts

Posted 05 May 2007 - 01:47 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:42:24 AM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\LEXPPS.EXE
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Softwin\BitDefender8\bdmcon.exe
E:\Program Files\Softwin\BitDefender8\bdnagent.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Tom\Desktop\Security Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://t-b-octavan.livejournal.com/friends/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BDMCon] "E:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\Tom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://download.games.yahoo.com/games/voice/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178070665703
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#11 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 May 2007 - 01:49 AM

That looks better - is it still running OK?

#12 tboctavan

tboctavan
  • Topic Starter

  • Members
  • 11 posts

Posted 05 May 2007 - 01:54 AM

Yep, it's running fine. Thanks for all your help!

#13 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 May 2007 - 01:55 AM

You're welcome - glad to help :thumbsup:

To help keep you clean, follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.



