 |
| Register | Login | |||||
 |
Main
| Memberlist
| Active users
| ACS
| Commons
| Calendar
| Online users Ranks | FAQ | Color Chart | Photo album | IRC Chat |
|
| | ||
|
| Register | Login | |||||
|
Main
| Memberlist
| Active users
| ACS
| Commons
| Calendar
| Online users Ranks | FAQ | Color Chart | Photo album | IRC Chat |
|
| | ||
| 0 user currently in Hardware/Software. |
| Acmlm's Board - I2 Archive - Hardware/Software - Damnit!! Offeroptimizer |
 |  |  |
| Add to favorites | "RSS" Feed | Next newer thread | Next older thread |
| User | Post | ||
Drag Flurry  I don't post anymore! o_O Level: 26  Posts: 76/254 EXP: 98946 For next: 3329 Since: 03-15-04 From: Deogon Vally, Dragon Country Since last post: 316 days Last activity: 44 days |
| ||
| Ok. Sometimes while I'm in IE, I get a random popup from Offeroptimizer.com. I did Ad-Aware many times and it isn't fixing it. If that weren't enough, I'm getting some random software installations that I'm not doing. First, Lycos ClearSearch or something, next, WebSavingsfromEbates. I've had enough. I want this fucking adware off of here. I used hijackthis and here's a log. Hopefully, can someone tell me what in this log is bad and I should check and fix. Logfile of HijackThis v1.97.7 Scan saved at 5:52:24 PM, on 3/27/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\WINDOWS\DELLMMKB.EXE C:\WINDOWS\System32\qttask.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\PhotoWise\quicklnk.exe C:\Program Files\Netropa\OSD.exe C:\WINDOWS\Nhksrv.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\mIRC\Newer\mirc.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wjview.exe C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe C:\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.113.34.239:80 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing) O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll (file missing) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O9 - Extra button: Sidesearch (HKLM) O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O9 - Extra button: AOL Instant Messenger (SM) (HKLM) O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O12 - Plugin for .rgb: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/InstallFiles/SIFiles/live/TP_live.cab O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab IF YOU SAY FORMAT, OR SWITCH OFF OF IE, I WILL SHOOT YOU! Thanks for any help!  Edit: Ok, I deleted the indicated files, and my popup problem hasn't reappeared yet, so I'm hoping that did the trick. I didn't get everything I needed to for the startup thing, meaning there are some references to files I deleted, but I'll take care of that. If there is anything else I didn't strike out that I should check and fix, let me know. Thanks. (edited by Drag on 03-27-04 05:57 PM) (edited by Drag on 03-27-04 06:53 PM) (edited by Drag on 03-27-04 06:55 PM) |
|||
|
HyperLamer <||bass> and this was the soloution i thought of that was guarinteed to piss off the greatest amount of people Sesshomaru Tamaranian Level: 118 Posts: 195/8210 EXP: 18171887 For next: 211027 Since: 03-15-04 From: Canada, w00t! LOL FAD Since last post: 2 hours Last activity: 2 hours |
| ||
| Why not Google all the files that sound suspicious? I've never heard of C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe, for example. A quick Google search shows this to be a rather common file that nobody has thought to be spyware, so it's likely clean. | |||
|
kitty Come on babe, pet the pussy ;) Level: 70 Posts: 438/2449 EXP: 2962406 For next: 53405 Since: 03-15-04 From: Scranton, PA, USA Since last post: 3 hours Last activity: 3 hours |
| ||
| You said you ran Ad-Aware. I assume you mean you have Ad-Aware 6 installed and you updated it BEFORE you scanned? Did you also try Spybot S+D? Deleting files and registry keys helps, but doesn't always remove every last trace. I'd scan with the latest updates to both and make sure. |
|||
|
Drag Flurry I don't post anymore! o_O Level: 26 Posts: 82/254 EXP: 98946 For next: 3329 Since: 03-15-04 From: Deogon Vally, Dragon Country Since last post: 316 days Last activity: 44 days |
| ||
I have the latest definition files for AdAware 6, but as I've read online, Adaware can't detect the program itself. It only can see what gets added to the registry as a result, the files the downloader trojan downloaded, and such. HijackThis actually showed me what files were using IE, and that kind of stuff. I deleted the files that were identified from other people's similar problem (random offeroptimizer.com popups on site browsing), and so far, no more popups. I also found out that belt.exe was the trojan that was downloading all of the shit. Deleted that, got it out of the startup sequence, and now no more downloaded shitware. Also, it really helps when I know the date that all of this shit started happened, because I put the folders on sort by date modified, and the offending files went straight to the bottom.  Yeah, I'm like 90% sure that I successfully removed all of the shitware from my computer, seeing as how the abnormal behavior has ceased. Thank you HijackThis! And yes, there still may be shitkeys in the registry, but AdAware 6 will remove those. It HAS been.  |
| Add to favorites | "RSS" Feed | Next newer thread | Next older thread |
| Acmlm's Board - I2 Archive - Hardware/Software - Damnit!! Offeroptimizer |
| | |
