PixPox???

Discussion in 'malware problems & news' started by brad2003, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. brad2003

    brad2003 Registered Member

    I am having a problem with porn-related pop-up ads randomly appearing. I have run CWShredder, Symantec AntiVirus and HijackThis. Everything has come up with nothing. The only item I can find after some searching on my own is a web site, pixpox.com. This appears in my history file after the pop-up ads appear. This is the only site in the history list that I have not gone to, so I am assuming the virus has something to do with this site. I have added the site to my restricted zone in IE, but the pop-ups continue to appear. I have even gone as far as to install the Google toolbar to stop the pop-ups, and that doesn't help. Anyone heard of this? Any ideas? Thanks!!
  2. snapdragin

    snapdragin Administrator

    I see you did post a HijackThis log back in Feb, but you did not post another HijackThis log in that thread to be checked: http://www.wilderssecurity.com/showthread.php?t=23066

    You could do another scan with HijackThis and post another log here, as there may still be something there that may not have shown up in your previous logs.

    Regards,

    snap

    Note - If it turns out that it is not virus-related, then I will move this thread over to the 'adware, spyware & hijack cleaning' forum.
  3. brad2003

    brad2003 Registered Member

    No problem... actually, I did post this in the other forum already. Nonetheless, the HijackThis file is below...

    Logfile of HijackThis v1.97.7
    Scan saved at 8:54:37 PM, on 4/25/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\ccmsetup\ccmsetup.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\WINNT\Explorer.EXE
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\AGRSMMSG.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepserver.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepagent.exe
    C:\WINNT\system32\mshta.exe
    C:\WINNT\System32\irftp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\RunOnce: [wruntime2] command /c del "C:\DOCUME~1\bweisber\LOCALS~1\Temp\wrunti~2.mdb
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: iPassConnect Informatica Remote Access.lnk = C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/v_localized/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi brad2003,

    We have to stop meeting like this. ;)

    In HijackThis, could you click Config > Misc Tools > Generate StartUpList?
    That will produce a text file. I would like to see its content.

    Regards,

    Pieter
  5. brad2003

    brad2003 Registered Member

    Tell me about it. Startup list below...

    StartupList report, 4/26/2004, 6:41:04 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\bweisber\My Documents\HijackThis.EXE
    Detected: Windows 2000 SP3 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\WINNT\Explorer.EXE
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\AGRSMMSG.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepserver.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepagent.exe
    C:\WINNT\system32\mshta.exe
    C:\WINNT\System32\irftp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\bweisber\Start Menu\Programs\Startup]
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    iPassConnect Informatica Remote Access.lnk = C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ATIModeChange = Ati2mdxx.exe
    PRPCMonitor = PRPCUI.exe
    AGRSMMSG = AGRSMMSG.exe
    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    dla = C:\WINNT\system32\dla\tfswctrl.exe
    REGSHAVE = C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpyKiller = C:\Program Files\SpyKiller\spykiller.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    wruntime2 = command /c del "C:\DOCUME~1\bweisber\LOCALS~1\Temp\wrunti~2.mdb

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=(NONE)
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    BMMTask.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [ppctlcab]
    CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
    OSD = C:\WINNT\Downloaded Program Files\OSD406.OSD

    [PPSDKActiveXScanner.MainScreen]
    InProcServer32 = C:\WINNT\Downloaded Program Files\PPSDKActiveXScanner.ocx
    CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://informatica.webex.com/client/v_localized/webex/ieatgpc.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\WINNT\system32\ccmsetup\ccmsetup.reset||c:\documents and settings\bweisber\cookies\bweisber@questionmarket[2].txt||c:\documents and settings\bweisber\cookies\bweisber@cgi-bin[2].txt||c:\documents and settings\bweisber\cookies\bweisber@questionmarket[2].txt||c:\documents and settings\bweisber\cookies\bweisber@zedo[2].txt||C:\WINNT\system32\ccmsetup\ccmsetup.reset||c:\winnt\temp\CCMC91.tmp||c:\7e875048199be7a70cda1fa7e359c5


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\system32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 7,985 bytes
    Report generated in 0.100 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi brad2003,

    Boot into safe mode and delete the content of the C:\DOCUMENTS AND SETTINGS\bweisber\LOCAL SETTINGS\Temp folder.
    Do NOT delete the folder itself, just what's in it.
    The Local Settings folder is hidden by default. To "unhide" hidden files and folders:
    Launch My Computer from the Desktop icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View tab. Make sure the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Then run HijackThis and fix this one if it is still there:
    O4 - HKCU\..\RunOnce: [wruntime2] command /c del "C:\DOCUME~1\bweisber\LOCALS~1\Temp\wrunti~2.mdb

    Then boot normally and keep us posted.

    Regards,

    Pieter
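Pieter's advice above singles out the one autostart line in the two logs that does not point at an installed program: a RunOnce entry that runs `command /c del` against a file under the user's Temp folder (LOCALS~1 is the 8.3 short name for Local Settings). As an added example, not code from the thread and not part of HijackThis, here is a small Python triage script that parses O4 lines and a running-process list in the HijackThis format and flags the traits that make that entry stand out: a RunOnce key, a Temp-directory path, a command interpreter as the launched program, and an unbalanced quote. The sample lines are copied from the logs posted above; the heuristics themselves, and the treatment of mshta.exe (which appears in the process lists) as a script host worth a second look, are this example's own assumptions, not a finding about what caused the pop-ups.

```python
"""Triage HijackThis-style O4 autostart lines and a running-process list.

Added example for the thread above. The heuristics below (RunOnce persistence,
Temp-directory targets, interpreter launchers, script hosts among running
processes) are this script's assumptions about what deserves a second look.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines and a subset of the process list copied from
# the HijackThis log quoted in the thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun",
    r"O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup",
    r'O4 - HKCU\..\RunOnce: [wruntime2] command /c del "C:\DOCUME~1\bweisber\LOCALS~1\Temp\wrunti~2.mdb',
    r"O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe",
]
SAMPLE_PROCESSES = [
    r"C:\WINNT\System32\smss.exe",
    r"C:\WINNT\system32\mshta.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]

# Registry-style entries "[name] command" and startup-folder entries "x.lnk = target".
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]+)\] (?P<cmd>.*)|(?P<lnk>.+?\.lnk) = (?P<target>.*))$"
)
# Matches "\Temp" or "\tmp" as a whole path component (8.3 short names included).
TEMP_RE = re.compile(r"\\(?:temp|tmp)\b", re.IGNORECASE)
# Leading path up to and including the first executable extension.
EXT_RE = re.compile(r".*?\.(?:exe|com|bat|cmd|scr|pif|hta)(?=\s|$)", re.IGNORECASE)
INTERPRETERS = {"command", "command.com", "cmd", "cmd.exe", "wscript", "wscript.exe",
                "cscript", "cscript.exe", "mshta", "mshta.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    name: str
    hive: str
    command: str
    reasons: list = field(default_factory=list)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_o4(line):
    """Return (hive, name, command) for an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name") or m.group("lnk")
    cmd = m.group("cmd") or m.group("target")
    return m.group("hive"), name, cmd


def launched_program(cmd):
    """Best-effort lowercased basename of the program an autostart command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, possibly unterminated
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
        m = EXT_RE.match(cmd)
        # An unquoted "C:\Program Files\..." path splits on its space, so prefer the
        # extension scan unless the first token is already a recognised launcher.
        exe = first if basename(first) in INTERPRETERS or not m else m.group(0)
    return basename(exe)


def triage_o4(lines):
    """Flag O4 entries that show any of the suspicious traits; benign ones are dropped."""
    findings = []
    for line in lines:
        parsed = parse_o4(line)
        if not parsed:
            continue
        hive, name, cmd = parsed
        reasons = []
        if "RunOnce" in hive:
            reasons.append("RunOnce key: runs at next logon and removes itself, so it can vanish between scans")
        if TEMP_RE.search(cmd):
            reasons.append("references a Temp directory")
        if launched_program(cmd) in INTERPRETERS:
            reasons.append("launches a command interpreter or script host instead of a program")
        if cmd.count('"') % 2 == 1:
            reasons.append("unbalanced quote in command line")
        if reasons:
            findings.append(Finding(name, hive, cmd, reasons))
    return findings


def suspicious_processes(paths):
    """Running script hosts (assumption: worth checking when unexplained pop-ups appear)."""
    return [p for p in paths if basename(p) in SCRIPT_HOSTS]


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.hive}] {f.name}: {f.command}")
        for r in f.reasons:
            print("   -", r)
    for p in suspicious_processes(SAMPLE_PROCESSES):
        print("script host running:", p)
```

Run against the sample, only the wruntime2 entry is reported, with all four reasons, and mshta.exe is the only process listed; every other O4 line from the log is a signed vendor or security tool and passes through silently. Paste a full log's O4 section into SAMPLE_O4_LINES to triage it the same way.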
  7. brad2003

    brad2003 Registered Member

    Thanks Pieter. I think that did it... no pop-ups since I deleted the contents of that file.

    Thanks again!!