Thread: xads.offeroptimizer.com

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    8

    Question xads.offeroptimizer.com

    One of my colleagues gets these popups in WinXP SP2 that aren't really pop-ups. They are from xads.offeroptimizer.com or something, and are without a doubt a left-over from a raid of adware hitting our office.

    I've run Adaware SE Personal, Xoftspy (registered) and SpyBot, but nothing seems to fix the problem. I've also deleted all references to a scanreg.exe in his registry, but this solved another virus, not the one I'm talking about.

    Attached you'll find the HijackThis.log.

    Thanks for any help.

  2. #2
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    Did you google the results from HijackThis?

    Things like Winad??

    Did you run Ad-aware in safe mode?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Try and see if you can remove the following via Add/Remove programs:

    Winad Client


    Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."


    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll


    O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe **
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [nlaocpwbwnaia] C:\WINDOWS\System32\eqptbu.exe
    O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe**
    O4 - HKCU\..\Run: [Microsoft Excell] wuamngr32.exe**


    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...af646f61636257

    ** Check this file first, but I'm 99% positive you have a trojan there.

    In addition, also download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.

    Then find and delete the following:

    wuamngr32.exe **

    C:\Program Files\Winad Client\ <<Folder and everything in it.

    C:\WINDOWS\System32\eqptbu.exe

  4. #4
    Junior Member
    Join Date
    May 2004
    Posts
    8
    Cheers, will do.

    While at it, my own computer @ work has been infected with some nasty stuff. Spybot S&D has blocked some of it, but lately cmd.exe opens up a blank.html which refreshes into ads.

    Attached is my hijackthis.log

  5. #5
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: (no name) - {3AAC132A-9D17-04E7-8604-165508DA2814} - C:\WINNT\System32\ikss.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll

    O4 - HKLM\..\Run: [Windows Registry Scan] regscan.exe
    O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [ifcdbihgirccz] C:\WINNT\System32\nlfcok.exe
    O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
    O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab


    Once again you have a few trojans. Download A-squared and run it (the link is in my last post).

    Then find and delete the following if they're still there:

    regscan.exe
    wuamngr32.exe
    C:\Program Files\BullsEye Network <<folder and everything in it.


    Then please get some protection!!

    At the minimum please follow the directions here: Groovicus’ Guide to Simple P.C. Security



  6. #6
    Junior Member
    Join Date
    May 2004
    Posts
    8
    Thanks!
    I saw MxTarget.dll on the other computer as well. Most of these are simply detected by intuition, but the computer I use at work is so slow that I preferred to be sure before deleting anything. The tutorial and comments you wrote have been forwarded to our system administrator. He's a pretty stressed guy, and since most people around here only _depend on other people_ to ensure their privacy, I'm pressed to run around a lot cleaning malware.

    It's got to stop!

    ... If it comes to it, I'll order ThinkGeek's t-shirt: "No, I will not fix your computer."

  7. #7
    Junior Member
    Join Date
    May 2004
    Posts
    8
    Hate to do this, but here's another log.

    Apart from eqptbu.exe, wuamngr32.exe and mxTarget files, what needs to be fixed?
    Log attached

  8. #8
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Please go to Add/Remove programs and uninstall the following unless you really use it:

    MyWebSearch


    Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O4 - HKLM\..\Run: [pxypgalv] C:\WINDOWS\System32\eqptbu.exe
    O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe
    O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe
    O4 - HKCU\..\Run: [Microsoft Excell] wuamngr32.exe
    ** O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    ** O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    ** O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm41445NO

    ** Don't fix these if you use MyWebSearch intentionally.


    Then, while still in safe mode, find and delete the following:

    C:\WINDOWS\System32\eqptbu.exe
    wuamngr32.exe
    C:\PROGRA~1\MYWEBSearch <<Folder and everything in it.


    I want you to read up on this stuff and get some protection! Here are some good references for you:

    Groovicus’ Guide to Simple P.C. Security
    So how did I get infected in the first place?
    Understanding Spyware, Browser Hijackers, and Dialers
    HijackThis Logs - How to read and research

    Also, the current version of HijackThis is 1.98.2. If you don't have that you can get it free at http://www.downloads.subratam.org/hijackthis.zip

