
offeroptimizer spyware and some other popup windows

 
 
boban
 
Reply Mon 5 Jul, 2004 07:00 am
I have some problems with offeroptimizer spyware and some other popup windows.
Please help me!
Can anyone help me decipher which files to delete?
This is my log...
Thanks a lot.

Logfile of HijackThis v1.97.7
Scan saved at 14.51.53, on 05/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\Programmi\Network Associates\VirusScan\Mcshield.exe
C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\ePOAgent\UpdaterUI.exe
C:\WINNT\system32\cmd.exe
C:\Programmi\Internet Explorer\iexplore.exe
H:\VSS\win32\SSEXP.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ARighi\IMPOST~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpscolor.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.2.125:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {00000250-0320-4DD4-BE4F-7566D2314352} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38162.2305092593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file://D:\ENGLISH\PLATSDK\controls\sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cps.color
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cps.color
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emea.cps.color

 
Nirvana
 
  1  
Reply Tue 6 Jul, 2004 04:08 am
You have a CoolWebSearch trojan. Download, update and run CWShredder. Click Fix, don't just scan. Let it fix everything it asks about. Then reboot your computer and post back with a new log.
0 Replies
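
Added example (not part of any post in this thread, and not HijackThis's own code): a small parser for the R/O entry lines of the log posted at the top, listing entries where HijackThis reported "(no file)" or where a BHO DLL sits directly in the Windows directory. The second rule is a triage assumption of this example, neither rule marks an entry as malicious, and the function names are hypothetical.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {00000250-0320-4DD4-BE4F-7566D2314352} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")
CLSID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# Assumption of this example: a file directly in C:\WINNT or C:\WINDOWS (no subfolder).
WIN_ROOT = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)

def parse(log):
    """Return one dict per R*/O* entry; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID.search(body)
        # When a CLSID is present, the last " - " field is the file or URL.
        target = body.rsplit(" - ", 1)[1] if clsid and " - " in body else None
        entries.append({"code": code, "body": body, "target": target,
                        "clsid": clsid.group(1).upper() if clsid else None})
    return entries

def review_candidates(log):
    """Pick entries worth a manual look; these are triage hints, not verdicts."""
    picked = []
    for e in parse(log):
        if e["target"] == "(no file)":
            picked.append((e["code"], e["clsid"], "registered object has no file on disk"))
        elif e["code"] == "O2" and e["target"] and WIN_ROOT.match(e["target"]):
            picked.append((e["code"], e["clsid"], "BHO DLL sits directly in the Windows directory"))
    return picked

if __name__ == "__main__":
    for code, clsid, why in review_candidates(SAMPLE_LOG):
        print(f"{code} {{{clsid}}}: {why}")
```
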
 
TristanBlz
 
  1  
Reply Tue 6 Jul, 2004 03:09 pm
OfferOptimizer was a pain to get rid of...
As of 6/28/04, I had the same experience running Windows XP Pro. Searched all over and found that it was also related to a Twain-Tech application. Here's what I finally did to get rid of it...

1. Tried SpyBot - Search and Destroy. That didn't really get rid of it but it did help identify the problem files. Turns out there were two suspect dlls that I had (your mileage may vary) that I had to get rid of. You have to unregister them both then delete their existence from your system. If you only unregister one of them, it seems they remake their files and reregister themselves on your next reboot. The files in question were: mxtarget.dll and twaintec.dll

2. To unregister them I went to a command console and typed the following:

c:\> regsvr32 /u mxtarget.dll
c:\> regsvr32 /u twaintec.dll

3. Then I searched my entire system for the occurrence of mxtarget and twaintec and deleted anything which had those filenames. There were cab files, dlls, stuff in a prefetch directory and other places... deleted them all.

4. Finally rebooted. Since then, seems I'm lucky enough to not have to deal with that again.

I'd also suggest searching Twaintec. There seems to be a lot of good info on removing this as well.

Good luck!
0 Replies
 
 
