Thread: xads.optimizer

  1. #1
    Junior Member
    Join Date
    Sep 2004
    Posts
    2

    xads.optimizer

    Can't get rid of xads.offeroptimizer.
    Tried lots of stuff.
    Please help.

    Logfile of HijackThis v1.98.2
    Scan saved at 3:12:54 PM, on 14/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Firebird\bin\ibguard.exe
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wm.exe
    C:\Program Files\Firebird\bin\ibserver.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\HP Digital Camera Software\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP Digital Camera Software\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\HP Digital Camera Software\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\NALDESK.EXE
    C:\Program Files\SECRETMAKER\secretmaker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Documents and Settings\rick\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ninemsn.com.au/homepage.asp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP Digital Camera Software\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP Digital Camera Software\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [dfrgfhae] C:\WINDOWS\System32\vtdudcd.exe
    O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com.au
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/components/o...d/MSSurVid.cab

  2. #2
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Please go to Add/Remove programs and uninstall the following:

    180solutions


    Please boot into safe mode and select the following with HijackThis. With all windows (including this one!) closed, please select "fix."

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O4 - HKLM\..\Run: [dfrgfhae] C:\WINDOWS\System32\vtdudcd.exe
    O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe


    Please, while still in safe mode, find and delete the following:

    C:\WINDOWS\System32\vtdudcd.exe
    c:\program files\180solutions <<Folder and everything in it.


    Then reboot and let us know how it's working.


  3. #3
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903
    (not original by me)

    There are many who think the OfferOptimizer popup ads are a virus, Trojan, or spyware installed onto their computers. The OfferOptimizer is really only an ad server for the Transponder Gang that only works if the user has either the win32 BI.dll or Twaintech.dll transponder variant and its components installed. I have seen where one solution is to block the OfferOptimizer address, however, this will only block the popup ads by them but the components installed will still transmit your personal information to their controlling servers. Also, if you block only the IP address you find, you will still get other ads and updates from this group as they do not use the same servers or IP addresses for all their files or who receives the transmissions.

    OfferOptimizer.com is registered to Ad Services but their older whois shows who had really registered the domain name. You will notice the only change was to remove Murray, A from the technical contact. This is a method they use to try and hide the real identity of its owner(s).
    Computer says no
    (Carol Beer)

  4. #4
    I know (like you said) jm459 that they aren't your words but..

    "only an ad server for the Transponder Gang"
    There are many that feel that the Transponder Gang is only outdone (in terms of sleaziness) by the folks who "work" for the "coolwebsearch gang"..

    trojans/viruses/spyware/hijackers.. how is one to rightfully judge which is "better" ?
    are there lesser degrees of nastiness ? well, I suppose there is. To me, I judge it on how easy or difficult it is to be rid of it.

    I don't know if you've ever heard of him.. but there's this guy "webhelper" that goes around various forums to post info on the latest news on the transponder gang.. it's his "personal crusade " hehehe..

    here's his place.. http://home.comcast.net/~webhelper/

    (uh, sorry rick for sort of hijacking your thread.. you're in good hands when you have meeeeeee helping you with your hjt log..)

    and you didn't mention it but most folks go for a 1-2-3 punch with spyware/malware..
    they run ad-aware, spybot (search and destroy) then run hijackthis..
    for me, I also like to run pestpatrol and a few trojanscanners in addition to one or two antivirus programs.. (that is.. on boxes that get thrown into my lap) 'cause I don't generally ever get any malware on my boxes apart from a bad cookie or two.

  5. #5
    Junior Member
    Join Date
    Sep 2004
    Posts
    2
    Well, thank you. Seems to have worked.
    could not find any solution 180 but everything else in log file.
    How do you know which to attack?
    thanks again

  6. #6
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    "How do you know which to attack?"
    Lots & lots of time spent reading logs and researching..... here's some very basic info for you if you're interested:

    http://www.security-forums.com/forum...ic.php?t=13810

    There are also forums that train people to read/understand HijackThis logs. I belong to a few of them, but the easiest to get into is SWI. Their BootCamp is very informative and a great resource. Here's the link for signing up if anyone is interested. We can always use more informed people to help in the fight.
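
A first pass over a HijackThis log can be done mechanically before the research described above. This is an added example, not code from any poster in this thread: `parse_log`, `triage` and the watchlist are hypothetical names, the sample lines are copied from the log in post #1, and the watchlist terms are the names post #2 singled out.

```python
import re

# Meaning of the section codes that appear in the log posted in this thread.
SECTIONS = {
    "R1": "IE start/search page setting", "R3": "URL search hook",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE extra button/menu item", "O12": "IE plugin",
    "O14": "IERESET.INF setting", "O16": "downloaded ActiveX control",
}
ENTRY_RE = re.compile(r"^\s*([RO]\d{1,2}) - (.+)$")

def parse_log(text):
    """Turn every 'Rn - ...' / 'On - ...' line into a structured record."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m.group(1), "detail": m.group(2).strip(),
                            "kind": SECTIONS.get(m.group(1), "unknown")})
    return entries

def triage(entries, watchlist):
    """Return only the entries worth researching, each with its reasons."""
    flagged = []
    for e in entries:
        reasons = []
        if e["detail"].endswith("(no file)"):
            reasons.append("registration points at a missing file")
        low = e["detail"].lower()
        reasons += [f"watchlist term: {w}" for w in watchlist if w.lower() in low]
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged

# Sample input: seven lines copied from the log in post #1.
SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com.au
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dfrgfhae] C:\WINDOWS\System32\vtdudcd.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
"""
# Watchlist: names post #2 singled out; an analyst would maintain this list.
WATCHLIST = ["180solutions", "vtdudcd.exe", "localNRD.dll"]
if __name__ == "__main__":
    for hit in triage(parse_log(SAMPLE), WATCHLIST):
        print(hit["code"], hit["kind"], "|", hit["detail"], "->", hit["reasons"])
```

A flag here means "research this entry", not "fix it": the watchlist only encodes what a human has already identified, and a "(no file)" entry is an orphaned registration rather than proof of malware.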

  7. #7
    meeeeeee.. now that's what I call "decent spamming" ..."you da gal"
