-
September 14th, 2004, 06:09 AM
#1
Junior Member
xads.optimizer
can't get rid of xads.offeroptimizer
Tried lots of stuff.
Please help.
Logfile of HijackThis v1.98.2
Scan saved at 3:12:54 PM, on 14/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wm.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\HP Digital Camera Software\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP Digital Camera Software\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\HP Digital Camera Software\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\NALDESK.EXE
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\rick\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ninemsn.com.au/homepage.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP Digital Camera Software\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP Digital Camera Software\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [dfrgfhae] C:\WINDOWS\System32\vtdudcd.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com.au
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/o...d/MSSurVid.cab
-
September 14th, 2004, 02:11 PM
#2
Please go to Add/Remove programs and uninstall the following:
180solutions
Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix".
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O4 - HKLM\..\Run: [dfrgfhae] C:\WINDOWS\System32\vtdudcd.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
Please, while still in safe mode, find and delete the following:
C:\WINDOWS\System32\vtdudcd.exe
c:\program files\180solutions << Folder and everything in it.
Then reboot and let us know how it's working.
-
September 14th, 2004, 11:36 PM
#3
(not original by me)
There are many who think the OfferOptimizer popup ads are a virus, Trojan, or spyware installed onto their computers. What OfferOptimizer really is, is only an ad server for the Transponder Gang, which only works if the user has either the win32 BI.dll or Twaintech.dll transponder variant and its components installed. I have seen that one solution is to block the OfferOptimizer address; however, this will only block the popup ads from them, but the components installed will still transmit your personal information to their controlling servers. Also, if you block only the IP address you find, you will still get other ads and updates from this group, as they do not use the same servers or IP addresses for all their files or for who receives the transmissions.
OfferOptimizer.com is registered to Ad Services but their older whois shows who had really registered the domain name. You will notice the only change was to remove Murray, A from the technical contact. This is a method they use to try and hide the real identity of its owner(s).
Computer says no
(Carol Beer)
-
September 15th, 2004, 03:08 AM
#4
Member
I know (like you said) jm459 that they aren't your words but..
only an ad server for the Transponder Gang
There are many that feel that the Transponder Gang is only outdone (in terms of sleaziness) by the folks who "work" for the "coolwebsearch gang"..
trojans/viruses/spyware/hijackers.. how is one to rightfully judge which is "better"?
Are there lesser degrees of nastiness? Well, I suppose there are. To me, I judge it on how easy or difficult it is to be rid of it.
I don't know if you've ever heard of him.. but there's this guy "webhelper" that goes around various forums to post info on the latest news on the transponder gang.. it's his "personal crusade " hehehe..
here's his place.. http://home.comcast.net/~webhelper/
(uh, sorry rick for sort of hijacking your thread.. you're in good hands when you have meeeeeee helping you with your hjt log..)
and you didn't mention it, but most folks go for a 1-2-3 punch with spyware/malware..
they run Ad-Aware, Spybot (Search and Destroy), then run HijackThis..
for me, I also like to run pestpatrol and a few trojanscanners in addition to one or two antivirus programs.. (that is.. on boxes that get thrown into my lap) 'cause I don't generally ever get any malware on my boxes apart from a bad cookie or two.
-
September 17th, 2004, 01:38 AM
#5
Junior Member
Well, thank you. Seems to have worked.
Could not find any solution for 180 but everything else in the log file.
How do you know which to attack?
thanks again
-
September 18th, 2004, 02:14 AM
#6
How do you know which to attack?
Lots & lots of time spent reading logs and researching..... here's some very basic info for you if you're interested:
http://www.security-forums.com/forum...ic.php?t=13810
There are also forums that train people to read/understand HijackThis logs. I belong to a few of them, but the easiest to get into is SWI. Their BootCamp is very informative and a great resource. Here's the link for signing up if anyone is interested. We can always use more informed people to help in the fight.
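The reply in post #2 picked five entries out of the log to fix, and post #6 says the only real answer to "how do you know which to attack" is reading logs and researching. The script below is an added example (my own code, not HijackThis and not anything posted in this thread) that shows the mechanical part of that triage: it parses HijackThis-style entry lines, separates what the log alone proves ("fix": an entry pointing at a file that no longer exists, or at the 180solutions folder the reply told the poster to uninstall) from what only looks suspicious ("review": an autorun or BHO file sitting directly in the Windows directory, or a bare filename with no path). The sample lines are copied from the log above; the "review" heuristic, the directory list and the unwanted-vendor list are my assumptions, and the heuristic will also flag legitimate components that do live in System32 (the Novell and Windows entries in this log, for instance), which is exactly the part that needs the research post #6 talks about.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [dfrgfhae] C:\WINDOWS\System32\vtdudcd.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.I)

# Assumption: installers put third-party software under Program Files, so an
# autorun/BHO file dropped directly here deserves a second look (not a verdict).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Taken from the reply in this thread that told the poster to uninstall it.
UNWANTED = ("180solutions",)


@dataclass
class Finding:
    entry: str
    verdict: str   # "fix": the log alone justifies removal; "review": research needed
    reason: str


def _run_command_path(body):
    """Extract the executable from an O4 Run entry's command line."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                      # quoted path, switches follow
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    m2 = EXE_RE.match(cmd)                       # unquoted path, may contain spaces
    return m2.group("exe") if m2 else cmd.split()[0]


def _file_path(section, body):
    """Return the filesystem path an entry points at, or None if it has none."""
    if section == "O4":
        return _run_command_path(body)
    if section in ("O2", "O3", "O9", "R3"):      # "...: name - {CLSID} - path"
        return body.rsplit(" - ", 1)[-1].strip()
    return None


def assess(line):
    """Classify one log line; returns a Finding or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if body.endswith("(no file)"):
        return Finding(line, "fix", "registry entry points at a file that no longer exists")
    path = _file_path(section, body)
    if path is None:
        return None
    low = path.lower()
    if any(v in low for v in UNWANTED):
        return Finding(line, "fix", "belongs to a program the thread identified as unwanted")
    dirname = ntpath.dirname(low)
    if dirname == "":
        return Finding(line, "review", "bare filename resolved via PATH; confirm which file runs")
    if dirname in WINDOWS_DIRS:
        return Finding(line, "review", "file sits directly in the Windows directory; research it")
    return None


def triage(log_text):
    """Run assess() over every line and keep the findings, in log order."""
    return [f for f in (assess(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.reason}\n       {f.entry.strip()}")
```

Run against the sample, the four "fix"/"review" lines line up with what post #2 told the poster to remove, but the same rule that catches vtdudcd.exe in System32 also flags NWTRAY.EXE, which is why the "review" bucket is a reading list rather than a delete list.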
-
September 19th, 2004, 05:08 AM
#7
Member
meeeeeee.. now that's what I call "decent spamming" ..."you da gal"