Xadso adware driving me nuts

Hi guys.

This Xadso adware has been driving me nuts. I'm an IT professional and have been trying to lick this problem with the freeware tools to no avail - so my ego's a bit bruised. :mean:

Well, I've run both Adaware and Spybot S&D and cleaned out quite a few bots and adwares. However, the Xadso pop-up persists.

I'm so glad I found you guys to help - yes, it's time for the security pros to take over. I ran HJT and even followed some of the more detailed instructions on having HJT fix known bots and adwares based on the lists you guys have posted. Unfortunately, this Xadso still persists. Here is my log after doing all of the above:

Logfile of HijackThis v1.98.2
Scan saved at 9:06:30 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Carlson\IMode\installmode.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://epicenter.carlson.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://epicenter.carlson.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Carlson Companies
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Hdesk] C:\PROGRA~1\Carlson\HDesk\REPORT~1.EXE CHECKMAIL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profgen3] "C:\DOCUME~1\ALLUSE~1\Carlson\Profgen\profgen3.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Templateupdate] C:\PROGRA~1\Carlson\TEMPLA~1.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [RADMIN] "C:\Program Files\Carlson\IMode\installmode.exe" remove
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://epicenter.carlson.com/
O15 - Trusted Zone: http://epicenter.carlson.com
O15 - Trusted Zone: http://eps.carlson.com
O15 - Trusted Zone: http://home.carlson.com
O15 - Trusted Zone: http://home.cmg.carlson.com
O15 - Trusted Zone: http://itf.carlson.com
O15 - Trusted Zone: http://knowledgenet.carlson.com
O15 - Trusted Zone: http://oracle.cmg.carlson.com
O15 - Trusted Zone: http://rmdf.cmg.carlson.com
O15 - Trusted Zone: http://security.carlson.com
O15 - Trusted Zone: http://sr.cci.carlson.com
O15 - Trusted Zone: http://stretch.cmg.carlson.com
O15 - Trusted Zone: http://summit98.carlson.com
O15 - Trusted Zone: http://toservices.cci.carlson.com
O15 - Trusted Zone: http://www.carlson.com
O15 - Trusted Zone: http://www.awardsdemo.cmg.carlson.com
O15 - Trusted Zone: http://www.chw.carlson.com
O15 - Trusted Zone: http://www.cmg.carlson.com
O15 - Trusted Zone: http://www.demo.cmg.carlson.com
O15 - Trusted Zone: http://www.carlsonrewards.com
O15 - Trusted Zone: http://home.carlsonwagonlit.com
O15 - Trusted Zone: http://*.chw-knet.co
O15 - Trusted Zone: http://*.chw-knet.com
O15 - Trusted Zone: http://mail.clgagent.com
O15 - Trusted Zone: http://*.countryinns-suites.com
O15 - Trusted Zone: http://*.countryinns.com
O15 - Trusted Zone: http://www.datamartsuites.com
O15 - Trusted Zone: http://*.goldcrowncard.com
O15 - Trusted Zone: http://*.goldcrowncard.staging
O15 - Trusted Zone: http://www.impact97.com
O15 - Trusted Zone: http://*.intelmdf.com
O15 - Trusted Zone: http://www.mlgold.com
O15 - Trusted Zone: http://*.nwa.com
O15 - Trusted Zone: http://www.oracle-east.com
O15 - Trusted Zone: http://*.oracle-presidents.com
O15 - Trusted Zone: http://*.parkhtls.com
O15 - Trusted Zone: http://*.parkinns.com
O15 - Trusted Zone: http://*.radisson.com
O15 - Trusted Zone: http://*.regenthotels.com
O15 - Trusted Zone: http://*.solutions98.com
O15 - Trusted Zone: http://www.tandemrewards.com
O15 - Trusted Zone: http://*.tgifridays.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07081bc1680e0889a414/netzip/RdxIE601.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://cwtctc56.carlson.com/tsweb/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.carlson.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.carlson.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.carlson.com


Please note that all URLs and links to carlson.com are okay as this is a company machine.

Thanks in advance.


  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited September 2004
    Welcome to short-media. No worries about bruised egos here. There's not an "expert" in here that hasn't been stumped.

    Get rid of the following items:

    O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
    O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll

    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then, manually delete:


    You may want to check out this article, as it will help you understand why you may have gotten infected and how to prevent things like this from happening again.

    If you want to thank us for helping you, you can do two things:

    1) Stick around. This is a great site with great people.

    2) Learn about Folding, it's a good cause, and we would love to have you join our team and our family.
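An added example, not part of the original thread: a small parser for the O2 (BHO) and O4 (Run) lines of a HijackThis log like the one posted above, which lists the entries whose file sits directly in the Windows directory so a reviewer can look at those first. The location rule and the function names are assumptions made for this illustration; it is a triage aid and does not decide whether an entry is malicious.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any OS

# Constructed sample: six lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CMD_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat))(?=\s|$)', re.I)

def command_path(cmd):
    """Strip quotes and arguments from a Run command, keeping only the file."""
    m = CMD_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0]  # no known extension: fall back to the first token

def parse_entries(log_text):
    """Return dicts for O2 (BHO) and O4 (Run) lines; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"], "path": m["path"]})
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"section": "O4", "name": m["name"],
                            "path": command_path(m["cmd"])})
    return entries

def review_first(entries, windows_dir=r"C:\WINDOWS"):
    """Assumed heuristic: entries whose file is directly in the Windows directory."""
    root = normcase(windows_dir)
    return [e for e in entries if normcase(dirname(e["path"])) == root]

if __name__ == "__main__":
    for e in review_first(parse_entries(SAMPLE_LOG)):
        print(e["section"], e["name"], e["path"])
```

Entries with no directory at all, such as `Atiptaxx.exe`, are resolved through the search path at logon and are not covered by this rule, so they still need a manual look.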
  • edited September 2004
    Thanks so much, PrimeSuspect!

    That did the trick - no more Xadso!!!! :D

    This is such an insidious adware pretending to be something that I thought was critical!!

    Kudos to you and your team! You guys truly provide a great service to the community at large.

This discussion has been closed.