1
   

OfferOptimizer Help

Forums: Computers
Email this Topic Print this Page
 
 
DetroitDave
 
Reply Thu 18 Nov, 2004 12:04 pm
I could use some help getting rid of the virus associated with xlime.offeroptimizer.com. I followed the instructions that were given in this forum http://www.able2know.com/forums/about38503.html and have not been able to remove it. I have used CCleaner, SpyBot, AdAware, and the Trend Micro online scan. The only piece that I cannot complete is the BitDefender scan as I do not have administrative access and would like to fix this problem on my own as it is a work computer. Here is my most recent Hijack This log:

Logfile of HijackThis v1.98.2
Scan saved at 1:03:14 PM, on 11/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Network Associates\PGP60\PGPtray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Documents and Settings\dbabinsk\Desktop\Virus Tools\CCleaner\sysclean.com
C:\Documents and Settings\dbabinsk\Desktop\Virus Tools\CCleaner\sysclean.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\DOCUME~1\dbabinsk\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R3 - Default URLSearchHook is missing
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\Windows\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP60\PGPtray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jerrybaker.com
O17 - HKLM\Software\..\Telephony: DomainName = jerrybaker.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jerrybaker.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jerrybaker.com


Please help me with any info that you can. Thanks.
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 1,294 • Replies: 3
No top replies

 
Don77
 
  1  
Reply Thu 18 Nov, 2004 07:46 pm
Hi DetroitDave and welcome to A2K.
Let see if we can get this starightened out for you, A couple things need you to do,

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt.
Drag HJT into it, Don't want it sitting in a Temp Folder.
Next
Please restart HJT put a check next to the following, close all open windows and click "Fix Checked"
R3 - Default URLSearchHook is missing
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\Windows\localNRD.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)




Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the following in BOLD
C:\Windows\localNRD.dll

Restart your computer,

Run through the steps in this Post Looks as though Spybot may have taken a hit somehow,

Post back a fresh log after you have done the above
0 Replies
 
DetroitDave
 
  1  
Reply Fri 19 Nov, 2004 01:14 pm
New Log File
Hey Don77,
I really appreciate the quick response. These viruses can be quite the headache. I went through all of the steps outlined with the exception of the BitDefender, since I do not have administrative access. It appears to have fixed the problem. Here is my new HJT log file:

Logfile of HijackThis v1.97.7
Scan saved at 2:12:54 PM, on 11/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\NavNT\DefWatch.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Windows\system32\mobsync.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Network Associates\PGP60\PGPtray.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\dbabinsk\LOCALS~1\Temp\Temporary Directory 2 for hjt.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O1 - Hosts file is located at: C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP60\PGPtray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jerrybaker.com
O17 - HKLM\Software\..\Telephony: DomainName = jerrybaker.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jerrybaker.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jerrybaker.com

I really would like to thank you and all other computer experts for taking time to help out the semi-informed user.
0 Replies
 
Don77
 
  1  
Reply Fri 19 Nov, 2004 07:15 pm
Yep looks clean Dave,
But you seem to have the old version of HJT still on your system,
Please remove it. Make sure you created a dedicated foler for HJT and move it to there please,

Download the following programs, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.

Download Spyware Blaster and SpywareGaurd

Check for updates after you install them, And check weekly as well

Keep Ad-aware and Spybot handy, Check them for updates and run them weekly
Same with your Anti Virus,
Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.

Remeber to check Check Windows for updates

Let us know if you have any further problems,
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » OfferOptimizer Help
Copyright © 2025 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.03 seconds on 12/25/2025 at 10:08:43