-
September 3rd, 2004, 02:20 PM
#1
Junior Member
xads.offeroptimizer.com
One of my colleagues gets these pop-ups in WinXP SP2 that aren't really pop-ups. They are from xads.offeroptimizer.com or something, and are without a doubt a left-over from a raid of adware that hit our office.
I've run Ad-Aware SE Personal, XoftSpy (registered) and SpyBot, but nothing seems to fix the problem. I've also deleted all references to a scanreg.exe in his registry, but this solved another virus, not the one I'm talking about.
Attached you'll find the HijackThis.log.
Thanks for any help.
-
September 3rd, 2004, 05:47 PM
#2
Did you Google the results from HijackThis?
Things like Winad?
Did you run Ad-aware in safe mode ?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
September 3rd, 2004, 09:11 PM
#3
Try and see if you can remove the following via Add/Remove programs:
Winad Client
Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe **
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [nlaocpwbwnaia] C:\WINDOWS\System32\eqptbu.exe
O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe**
O4 - HKCU\..\Run: [Microsoft Excell] wuamngr32.exe**
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...af646f61636257
** Check this file first, but I'm 99% positive you have a trojan there.
In addition , also download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.
Then find and delete the following:
wuamngr32.exe **
C:\Program Files\Winad Client\ <<Folder and everything in it.
C:\WINDOWS\System32\eqptbu.exe
-
September 6th, 2004, 09:18 AM
#4
Junior Member
Cheers, will do.
While at it, my own computer at work has been infected with some nasty stuff. Spybot S&D has blocked some of it, but lately cmd.exe opens up a blank.html which refreshes into ads.
Attached is my hijackthis.log
-
September 7th, 2004, 02:18 PM
#5
Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {3AAC132A-9D17-04E7-8604-165508DA2814} - C:\WINNT\System32\ikss.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O4 - HKLM\..\Run: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [ifcdbihgirccz] C:\WINNT\System32\nlfcok.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
Once again you have a few trojans. Download A-squared and run it (the link is in my last post).
Then find and delete the following if they're still there:
regscan.exe
wuamngr32.exe
C:\Program Files\BullsEye Network <<folder and everything in it.
Then please get some protections!!
At the minimum please follow the directions here: Groovicus’ Guide to Simple P.C. Security
-
September 7th, 2004, 05:34 PM
#6
Junior Member
Thanks!
I saw MxTarget.dll at the other computer as well. Most of these are simply detected by intuition, but the computer I use at work is so slow that I preferred to be sure before deleting anything. The tutorial and comments you wrote have been forwarded to our system administrator. He's a pretty stressed guy, and since most people around here only _depend on other people_ to ensure their privacy, I'm pressed to run around a lot cleaning malware.
It's got to stop!
... If it comes to it, I'll order ThinkGeek's t-shirt: "No, I will not fix your computer."
-
September 20th, 2004, 02:26 PM
#7
Junior Member
Hate to do this, but here's another log.
Apart from eqptbu.exe, wuamngr32.exe and mxTarget files; what needs to be fixed?
Log attached
-
September 20th, 2004, 03:08 PM
#8
Please go to Add/Remove programs and uninstall the following unless you really use it:
MyWebSearch
Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [pxypgalv] C:\WINDOWS\System32\eqptbu.exe
O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe
O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe
O4 - HKCU\..\Run: [Microsoft Excell] wuamngr32.exe
** O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
** O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
** O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm41445NO
** Don't fix these if you use MyWebSearch intentionally.
Then, while still in safe mode, find and delete the following:
C:\WINDOWS\System32\eqptbu.exe
wuamngr32.exe
C:\PROGRA~1\MYWEBSearch <<Folder and everything in it.
I want you to read up on this stuff and get some protection! Here are some good references for you:
Groovicus’ Guide to Simple P.C. Security
So how did I get infected in the first place?
Understanding Spyware, Browser Hijackers, and Dialers
HijackThis Logs - How to read and research
Also, the current version of HijackThis is 1.98.2. If you don't have that you can get it free at http://www.downloads.subratam.org/hijackthis.zip
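The helper's replies (#3, #5 and #8) apply the same reading to each HijackThis log: O2 BHOs with "(no name)" or "(no file)", O4 autostarts that are a bare filename, have a random-looking name, or sit in the Win9x-only RunServices key, and O16 ActiveX downloads from hosts nobody trusts. The script below is an added example that encodes those checks; it is not part of HijackThis or of any post in this thread. The denylist is taken from the names the helper identified, the trusted-host allowlist and all the log lines are constructed for the example (the benign "Example Updater" entry and the download.microsoft.com URL do not appear in the thread), and every heuristic is a triage aid that tells you what to look at, not a verdict.

```python
"""Triage of HijackThis-style log lines (constructed example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Names the thread's helper identified as adware or trojans. Used as a simple denylist;
# in practice research each unfamiliar name instead of trusting a fixed list.
KNOWN_BAD = ("winad", "bullseye", "mywebsearch", "mxtarget",
             "wuamngr32", "regscan", "eqptbu", "nlfcok")

# Assumed allowlist of hosts an O16 ActiveX download is expected from. Edit to taste.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) - (?P<url>\S+)$")


@dataclass
class Finding:
    line: str
    reasons: list[str]


def triage_line(line: str) -> list[str]:
    """Return the reasons one log line deserves a closer look (empty list = nothing noted)."""
    low = line.lower()
    reasons = [f"matches known adware/trojan name '{t}'" for t in KNOWN_BAD if t in low]

    if m := O2_RE.match(line):
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if m["path"] == "(no file)":
            reasons.append("BHO DLL is missing: orphaned registry entry, safe to fix")
        elif not m["path"].lower().startswith("c:\\program files\\"):
            reasons.append("BHO DLL lives in a system directory rather than a product folder")
    elif m := O4_RE.match(line):
        cmd = m["cmd"].strip()
        exe = cmd.split()[0].strip('"') if cmd else ""
        if "\\" not in exe:
            reasons.append("bare filename resolved via the search path: locate the file before deleting")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is only processed by Win9x/ME; on NT-based Windows it is a malware tell")
        if re.fullmatch(r"[a-z]{8,}", m["name"]):
            reasons.append("random-looking entry name")
        if m["name"].lower().startswith("microsoft") and not re.search(r"\\(windows|winnt|microsoft)\b", cmd.lower()):
            reasons.append("claims to be Microsoft software but does not run from a Windows or Microsoft directory")
    elif m := O16_RE.match(line):
        host = (urlparse(m["url"]).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX download from untrusted host {host or '?'}")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole log and keep only the lines that raised something."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


# Constructed sample: entries modelled on the ones the helper told the poster to fix,
# plus two benign entries (Example Updater, download.microsoft.com) that should pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [Microsoft Excell] wuamngr32.exe
O4 - HKLM\..\RunServices: [Microsoft Excell] wuamngr32.exe
O4 - HKLM\..\Run: [nlaocpwbwnaia] C:\WINDOWS\System32\eqptbu.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://download.microsoft.com/example/control.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Paste a real log into `SAMPLE_LOG` (or read it from a file) and the output lists each suspect entry with the reasons next to it; the RunServices line collects the most reasons because it trips the denylist, the bare-filename check, the Win9x-key check and the misspelled-vendor check at once, which is the same stack of tells the helper used to be "99% positive" about wuamngr32.exe.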