OfferOptimizer won't go away... ever

Aaron

Hey, somehow I got this retarded OfferOptimizer... no adware scanner will fix it.
Can someone take a look at my HijackThis logfile? Pretty sure I got rid of everything related to this popup, but it's still happening:

Logfile of HijackThis v1.98.2
Scan saved at 6:01:39 PM, on 11/9/2004
Platform: Windows XP SP2
MSIE: Internet Explorer v6.00 SP2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\system32\zytchly.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aaron\Desktop\HijackThis.exe
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098503167983
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt242.zip

Extract the contents of the ZIP file and place the contents in the same directory as sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode.
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the Trend Sysclean utility and Adaware.
7) Re-enable System Restore and re-apply any System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) Create a new Restore point.

* * * Please report your results ! * * *

Dave


rotric

Aaron, follow David's instructions... There is a file in your sys32 folder called "zytchly.exe". Now, I don't know if that belongs to a valid app you may have, but I doubt it. The spelling seems either Czech, Polish or Russian (Cyrillic)... Let us know.

Terry

On 11/9/2004 4:12 PM, on a whim, Aaron pounded out on the keyboard:

What is zytchly.exe? I'm not familiar with it and a Google search brings
up nothing. I would remove that from your
HKLM\Microsoft\Windows\CurrentVersion\Run unless you know what it is
(while the registry is open press F5 to see if a program is monitoring
the registry and tries to replace it). And then rename the file if you
can to zytchly.exe.old. You'll probably have to end the process first.
And possibly turn SR off (it may be keeping backups there).

--
Terry

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
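The checks made by hand in this thread (Terry's look at the Run key entry, rotric's suspicion of the odd file name, and the "(file missing)" BHO in the log) can be automated over a saved HijackThis log. This is an added example, not code from the thread or from HijackThis; the allow-list, the vowel heuristic and the sample log lines are this example's own assumptions.

```python
"""Triage a HijackThis v1.98-style log the way the replies above do by hand.

Added example, not code from the thread or from HijackThis. Flags O2 entries
whose DLL is '(file missing)', binaries under %SystemRoot% that are not core
Windows executables, and vowel-less names like 'gvnvtx' / 'zytchly.exe'.
The allow-list and the name heuristic are this example's own assumptions.
"""
import re
from dataclasses import dataclass

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)(?P<missing>\s*\(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
WINDIR_RE = re.compile(r"(?i)^[a-z]:\\win(?:dows|nt)\\")
KNOWN_GOOD = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",   # assumed allow-list
              "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"}

# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\zytchly.exe
C:\Program Files\AIM\aim.exe
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

@dataclass
class Finding:
    severity: str        # "high" or "review"
    line: str            # the log line that triggered it
    reason: str
    binary: str = ""     # lower-cased file name the finding is about

def looks_random(name: str) -> bool:
    """True for names like 'gvnvtx' or 'zytchly.exe': 4+ letters and no a/e/i/o/u."""
    stem = re.sub(r"\.[a-z0-9]+$", "", name.lower())    # drop the extension
    stem = re.sub(r"[^a-z]", "", stem)                   # keep letters only
    return len(stem) >= 4 and not re.search(r"[aeiou]", stem)

def first_executable(cmd: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    first = cmd.split()[0] if cmd.split() else cmd
    if "\\" not in first:                                # bare name, e.g. CTHELPER.EXE
        return first
    m = re.match(r"(?i)(.*?\.(?:exe|com|scr|cpl|ocm))(?=[\s,]|$)", cmd)
    return m.group(1) if m else first

def parse_log(text: str) -> dict:
    """Split a log into process paths, O2 BHO records and O4 Run-key records."""
    parsed = {"processes": [], "bho": [], "run": []}
    in_processes = False
    for line in map(str.strip, text.splitlines()):
        if line.lower() == "running processes:":
            in_processes = True
        elif (m := BHO_RE.match(line)):
            in_processes = False
            parsed["bho"].append({"line": line, "path": m["path"].strip(),
                                  "missing": bool(m["missing"])})
        elif (m := RUN_RE.match(line)):
            in_processes = False
            parsed["run"].append({"line": line, "value": m["value"], "cmd": m["cmd"]})
        elif in_processes and re.match(r"(?i)^[a-z]:\\", line):   # O-lines never start this way
            parsed["processes"].append(line)
    return parsed

def _check_binary(line: str, path: str, random_value_name: bool = False) -> list:
    base = path.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_GOOD:
        return []
    in_windir = bool(WINDIR_RE.match(path))
    if in_windir and (looks_random(base) or random_value_name):
        return [Finding("high", line, "unknown Windows-directory binary with a machine-looking name", base)]
    if in_windir:
        return [Finding("review", line, "unknown binary in the Windows directory; verify its vendor", base)]
    if random_value_name:
        return [Finding("review", line, "autostart value name looks machine-generated", base)]
    return []

def triage(text: str) -> list:
    """Run every check over a log and return the findings in log order."""
    parsed = parse_log(text)
    findings = []
    for bho in parsed["bho"]:
        if bho["missing"]:
            findings.append(Finding("review", bho["line"], "BHO DLL missing: stale O2 entry, remove it",
                                    bho["path"].rsplit("\\", 1)[-1].lower()))
        else:
            findings += _check_binary(bho["line"], bho["path"])
    for run in parsed["run"]:
        findings += _check_binary(run["line"], first_executable(run["cmd"]), looks_random(run["value"]))
    for proc in parsed["processes"]:
        findings += _check_binary(proc, proc)
    return findings
```

Run `triage(open("hijackthis.log").read())` on a real log to get the same four-line style of result the sample produces: two "high" findings on zytchly.exe, one stale BHO, one Windows-directory DLL to verify.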

Aaron

Wooo!! First of all, I'd like to just say that, Dave, you're the man.
Your directions proved to be verrry effective. I can go all over w/o any popups.
Whew... One issue I still have, at least in my mind, is how can I prevent this craziness from happening in the future? I have Norton 2004 running constantly, along with the oh so lovely SP2 firewall... I assume I should get a real firewall, but I really hate configuring them. What do you guys think? Oh, and it seems that that crazy zytchly.exe file was evil, as the Adaware/Trend Micro stuff deleted it.
Thanks!!!!!
Aaron

Kelly

Depends....

SpywareBlaster doesn't scan and clean for spyware. It prevents it from ever
being installed.
http://majorgeeks.com/download2859.html

| O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} -
| C:\WINDOWS\multimpp.dll
| O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
| C:\WINDOWS\systb.dll (file missing)
| O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
| C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
| O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
| C:\PROGRA~1\SPYBOT~1\SDHelper.dll
| O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program
| Files\Norton AntiVirus\NavShExt.dll
| O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
| C:\Program Files\Norton AntiVirus\NavShExt.dll
| O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
| Shared\ccApp.exe"
| O4 - HKLM\..\Run: [Advanced Tools Check]
| C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
| O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control
| Panel\atiptaxx.exe
| O4 - HKLM\..\Run: [DeadAIM] rundll32.exe
| "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
| O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
| C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
| O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
| O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart
| 11\hphinstall\UniPatch\hphupd04.exe"
| O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
| O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
| O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
| O4 - HKLM\..\Run: [iTunesHelper] C:\Program
Files\iTunes\iTunesHelper.exe
| O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
| O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
| O4 - HKCU\..\Run: [RemoteCenter] C:\Program
| Files\Creative\MediaSource\RemoteControl\RcMan.exe
| O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
| Files\Adobe\Calibration\Adobe Gamma Loader.exe
| O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
| Office\Office10\OSA.EXE
| O8 - Extra context menu item: E&xport to Microsoft Excel -
| res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
| O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program
| Files\AIM\aim.exe
| O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
| C:\Program Files\Messenger\msmsgs.exe
| O9 - Extra 'Tools' menuitem: Windows Messenger -
| {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
| Files\Messenger\msmsgs.exe
| O12 - Plugin for .spop: C:\Program Files\Internet
| Explorer\Plugins\NPDocBox.dll
| O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
| AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
| O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl
Class) -
|
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098503167983
| O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software
| AutoUpdate Support Package) -
http://www.creative.com/su/ocx/15008/CTPID.cab
| O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
| C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
|
|
|
 
T

Terry

On 11/9/2004 8:48 PM On a whim, Aaron pounded out on the keyboard
Wooo!! First of all, id like to just say that, Dave, you're the man.
Your directions proved to be verrry effective. I can go all over w/o any
popups.
Whew...One issue i still have, at least in my mind, is how can i prevent
this craziness from happening in the future?... I have norton 2004 running
constantly, along with the oh so lovely sp2 firewall ...i assume i should
get a real firewall, but i really hate configuring them. What do you guys
think? Oh, and it seems that that crazy zytchly.exe file was evil, as
adaware/trendmicro stuff deleted it.
Thanks!!!!!
Aaron

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt242.zip

Extract the contents of the ZIP file and place the contents in the same
directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full
Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform
using both the
Trend Sysclean utility and Adaware
7) Re-enable System Restore and re-apply any System Restore
preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

* * * Please report your results ! * * *

Dave




| Hey, somehow i got this retarded offeroptimizer...no adware scanner will
fix
| it.
| can someone take a look at my hijack-this logfile... pretty sure i got
rid
| of
| everything related to this popup, but its still happening:
|
| Logfile of HijackThis v1.98.2
| Scan saved at 6:01:39 PM, on 11/9/2004
| Platform: Windows XP SP2
| MSIE: Internet Explorer v6.00 SP2
| Running processes:
| C:\WINDOWS\System32\smss.exe
| C:\WINDOWS\system32\winlogon.exe
| C:\WINDOWS\system32\services.exe
| C:\WINDOWS\system32\lsass.exe
| C:\WINDOWS\system32\Ati2evxx.exe
| C:\WINDOWS\system32\svchost.exe
| C:\WINDOWS\System32\svchost.exe
| C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
| C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
| C:\WINDOWS\system32\spoolsv.exe
| C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
| C:\Program Files\Norton AntiVirus\navapsvc.exe
| C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
| C:\Program Files\Norton AntiVirus\SAVScan.exe
| C:\WINDOWS\System32\svchost.exe
| C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
| C:\WINDOWS\system32\MsPMSPSv.exe
| C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
| C:\WINDOWS\system32\Ati2evxx.exe
| C:\WINDOWS\Explorer.EXE
| C:\Program Files\Common Files\Symantec Shared\ccApp.exe
| C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
| C:\WINDOWS\system32\hphmon04.exe
| C:\WINDOWS\system32\CTHELPER.EXE
| C:\WINDOWS\system32\RunDll32.exe
| C:\Program Files\iTunes\iTunesHelper.exe
| C:\Program Files\AIM\aim.exe
| C:\Program Files\iPod\bin\iPodService.exe
| C:\WINDOWS\system32\HPHipm11.exe
| C:\WINDOWS\system32\zytchly.exe
| C:\Program Files\Outlook Express\msimn.exe
| C:\Program Files\Internet Explorer\iexplore.exe
| C:\Documents and Settings\Aaron\Desktop\HijackThis.exe
| O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} -
| C:\WINDOWS\multimpp.dll
| O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
| C:\WINDOWS\systb.dll (file missing)
| O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
| C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
| O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
| C:\PROGRA~1\SPYBOT~1\SDHelper.dll
| O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program
| Files\Norton AntiVirus\NavShExt.dll
| O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
| C:\Program Files\Norton AntiVirus\NavShExt.dll
| O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
| Shared\ccApp.exe"
| O4 - HKLM\..\Run: [Advanced Tools Check]
| C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
| O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
| Panel\atiptaxx.exe
| O4 - HKLM\..\Run: [DeadAIM] rundll32.exe
| "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
| O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
| C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
| O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
| O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart
| 11\hphinstall\UniPatch\hphupd04.exe"
| O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
| O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
| O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
| O4 - HKLM\..\Run: [iTunesHelper] C:\Program
Files\iTunes\iTunesHelper.exe
| O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
| O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
| O4 - HKCU\..\Run: [RemoteCenter] C:\Program
| Files\Creative\MediaSource\RemoteControl\RcMan.exe
| O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
| Files\Adobe\Calibration\Adobe Gamma Loader.exe
| O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
| Office\Office10\OSA.EXE
| O8 - Extra context menu item: E&xport to Microsoft Excel -
| res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
| O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program
| Files\AIM\aim.exe
| O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
| C:\Program Files\Messenger\msmsgs.exe
| O9 - Extra 'Tools' menuitem: Windows Messenger -
| {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
| Files\Messenger\msmsgs.exe
| O12 - Plugin for .spop: C:\Program Files\Internet
| Explorer\Plugins\NPDocBox.dll
| O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
| AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
| O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
|
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098503167983
| O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software
| AutoUpdate Support Package) -
http://www.creative.com/su/ocx/15008/CTPID.cab
| O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
| C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
|
|
|

There is a memory resident program that comes with Spybot called Tea
Timer (in the Advanced menu). It monitors the registry and will warn you
whenever a program makes a change. If you add/remove programs a lot it
could be a pain, but for everyday tasks, it will let you know if some
crudware tries to set itself up on your system.

(If you wind up using it, can I suggest making a donation?)

--
Terry

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
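Terry's point about watching the registry for new autostart entries, and the way the log in this thread was triaged by hand (a Run value named [gvnvtx] launching zytchly.exe from system32, a BHO registered for a DLL marked "(file missing)"), can both be shown in code. The block below is an added example and is not code from HijackThis, Spybot, TeaTimer or any poster in the thread. It parses a constructed excerpt of the O2/O4 lines posted above, flags entries with a few defensive heuristics, and diffs a "before" and "after" scan the way a change monitor would. The heuristics, the `Entry` type and the function names are the example's own assumptions; the flags mean "review this", not "this is malware".

```python
"""Triage HijackThis O2/O4 lines and diff two scans.

Added example for this thread; it is not code from HijackThis, Spybot or any
poster. The heuristics below are the example's own and are only a starting
point for review, not a verdict.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: an excerpt of the O2/O4 lines from the log posted in the thread.
SCAN_AFTER = r"""
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""
# Constructed "baseline" scan: the same machine before the [gvnvtx] entry appeared.
SCAN_BEFORE = "\n".join(l for l in SCAN_AFTER.splitlines() if "[gvnvtx]" not in l)

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.I)
# Directories where a loose executable or DLL deserves a second look (heuristic, lower-cased).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Entry:
    kind: str      # "run", "startup" or "bho"
    location: str  # registry hive, "Global Startup" or the BHO CLSID
    name: str      # Run value name, shortcut name or BHO class name
    target: str    # command line, shortcut target or DLL path


def parse_entries(log_text: str) -> List[Entry]:
    """Extract O2 (BHO) and O4 (autostart) entries from HijackThis log text."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("run", m["hive"], m["name"], m["cmd"]))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", "Global Startup", m["name"], m["cmd"]))
        elif m := BHO_RE.match(line):
            entries.append(Entry("bho", m["clsid"], m["name"], m["path"]))
    return entries


def executable_path(command: str) -> str:
    """Return the executable part of a Run command line, quoted or not."""
    m = EXE_RE.match(command)
    return m["exe"] if m else command


def _names_related(value_name: str, exe_basename: str) -> bool:
    # Heuristic: a legitimate vendor usually names the Run value after its program.
    a = re.sub(r"[^a-z0-9]", "", value_name.lower())
    b = re.sub(r"[^a-z0-9]", "", exe_basename.lower())
    return a in b or b in a or a[:4] == b[:4]


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each flagged entry ("kind:name") to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.kind == "bho":
            if e.target.lower().endswith("(file missing)"):
                reasons.append("BHO registered for a DLL that no longer exists")
            dll = e.target.replace("(file missing)", "").strip()
            if ntpath.dirname(dll).lower() in WINDOWS_DIRS:
                reasons.append("BHO DLL sits directly in the Windows directory, not a vendor folder")
        elif e.kind == "run":
            exe = executable_path(e.target)
            base = ntpath.splitext(ntpath.basename(exe))[0]
            if ntpath.dirname(exe).lower() in WINDOWS_DIRS and not _names_related(e.name, base):
                reasons.append("Run value name unrelated to the system32 executable it launches")
        if reasons:
            findings[f"{e.kind}:{e.name}"] = reasons
    return findings


def new_since(baseline: List[Entry], current: List[Entry]) -> List[Entry]:
    """Entries present in `current` but not in `baseline` (what a change monitor alerts on)."""
    seen = set(baseline)
    return [e for e in current if e not in seen]


if __name__ == "__main__":
    for key, reasons in triage(parse_entries(SCAN_AFTER)).items():
        print(key, "->", "; ".join(reasons))
    for e in new_since(parse_entries(SCAN_BEFORE), parse_entries(SCAN_AFTER)):
        print("new since baseline:", e.kind, e.location, e.name, e.target)
```

On the sample, `triage` flags the two BHOs living in C:\WINDOWS (one of them also missing on disk) and the [gvnvtx] Run value, while the HP, Nero, Symantec and AIM entries pass; `new_since` reports only the [gvnvtx] entry, which is the single change between the two constructed scans. A TeaTimer-style tool does the same comparison continuously against the live registry instead of against two saved logs.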
 
D

David H. Lipman

I'm glad I could help and that there was resolution.

Dave




| Wooo!! First of all, id like to just say that, Dave, you're the man.
| Your directions proved to be verrry effective. I can go all over w/o any
| popups.
| Whew...One issue i still have, at least in my mind, is how can i prevent
| this craziness from happening in the future?... I have norton 2004 running
| constantly, along with the oh so lovely sp2 firewall ...i assume i should
| get a real firewall, but i really hate configuring them. What do you guys
| think? Oh, and it seems that that crazy zytchly.exe file was evil, as
| adaware/trendmicro stuff deleted it.
| Thanks!!!!!
| Aaron
|
| > 1) Download the following three items...
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
| >
| > Latest Trend Pattern File.
| > http://www.trendmicro.com/download/pattern.asp
| >
| > Adaware SE (free personal version v1.05)
| > http://www.lavasoftusa.com/
| >
| > Create a directory.
| > On drive "C:\"
| > (e.g., "c:\New Folder")
| > or the desktop
| > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| >
| > Download Sysclean.com and place it in that directory.
| > Download the Trend Pattern File by obtaining the ZIP file.
| > For example; lpt242.zip
| >
| > Extract the contents of the ZIP file and place the contents in the same
| > directory as
| > sysclean.com.
| >
| > 2) Update Adaware with the latest definitions.
| > 3) Disable System Restore
| > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| > 4) Reboot your PC into Safe Mode
| > 5) Using both the Trend Sysclean utility and Adaware, perform a Full
| > Scan of your
| > platform and clean/delete any infectors/parasites found.
| > (a few cycles may be needed)
| > 6) Restart your PC and perform a "final" Full Scan of your platform
| > using both the
| > Trend Sysclean utility and Adaware
| > 7) Re-enable System Restore and re-apply any System Restore
| > preferences,
| > (e.g. HD space to use suggested 400 ~ 600MB),
| > 8) Reboot your PC.
| > 9) Create a new Restore point
| >
| > * * * Please report your results ! * * *
| >
| > Dave
| >
| >
| >
| >
| > | Hey, somehow i got this retarded offeroptimizer...no adware scanner will
| > fix
| > | it.
| > | can someone take a look at my hijack-this logfile... pretty sure i got
| > rid
| > | of
| > | everything related to this popup, but its still happening:
| > |
| > | Logfile of HijackThis v1.98.2
| > | Scan saved at 6:01:39 PM, on 11/9/2004
| > | Platform: Windows XP SP2
| > | MSIE: Internet Explorer v6.00 SP2
| > | Running processes:
| > | C:\WINDOWS\System32\smss.exe
| > | C:\WINDOWS\system32\winlogon.exe
| > | C:\WINDOWS\system32\services.exe
| > | C:\WINDOWS\system32\lsass.exe
| > | C:\WINDOWS\system32\Ati2evxx.exe
| > | C:\WINDOWS\system32\svchost.exe
| > | C:\WINDOWS\System32\svchost.exe
| > | C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
| > | C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
| > | C:\WINDOWS\system32\spoolsv.exe
| > | C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
| > | C:\Program Files\Norton AntiVirus\navapsvc.exe
| > | C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
| > | C:\Program Files\Norton AntiVirus\SAVScan.exe
| > | C:\WINDOWS\System32\svchost.exe
| > | C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
| > | C:\WINDOWS\system32\MsPMSPSv.exe
| > | C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
| > | C:\WINDOWS\system32\Ati2evxx.exe
| > | C:\WINDOWS\Explorer.EXE
| > | C:\Program Files\Common Files\Symantec Shared\ccApp.exe
| > | C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
| > | C:\WINDOWS\system32\hphmon04.exe
| > | C:\WINDOWS\system32\CTHELPER.EXE
| > | C:\WINDOWS\system32\RunDll32.exe
| > | C:\Program Files\iTunes\iTunesHelper.exe
| > | C:\Program Files\AIM\aim.exe
| > | C:\Program Files\iPod\bin\iPodService.exe
| > | C:\WINDOWS\system32\HPHipm11.exe
| > | C:\WINDOWS\system32\zytchly.exe
| > | C:\Program Files\Outlook Express\msimn.exe
| > | C:\Program Files\Internet Explorer\iexplore.exe
| > | C:\Documents and Settings\Aaron\Desktop\HijackThis.exe
| > | O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} -
| > | C:\WINDOWS\multimpp.dll
| > | O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
| > | C:\WINDOWS\systb.dll (file missing)
| > | O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
| > | C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
| > | O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
| > | C:\PROGRA~1\SPYBOT~1\SDHelper.dll
| > | O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
| > C:\Program
| > | Files\Norton AntiVirus\NavShExt.dll
| > | O3 - Toolbar: Norton AntiVirus -
| > {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
| > | C:\Program Files\Norton AntiVirus\NavShExt.dll
| > | O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
| > | Shared\ccApp.exe"
| > | O4 - HKLM\..\Run: [Advanced Tools Check]
| > | C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
| > | O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
| > | Panel\atiptaxx.exe
| > | O4 - HKLM\..\Run: [DeadAIM] rundll32.exe
| > | "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
| > | O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
| > | C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
| > | O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
| > | O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart
| > | 11\hphinstall\UniPatch\hphupd04.exe"
| > | O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
| > | O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
| > | O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
| > | O4 - HKLM\..\Run: [iTunesHelper] C:\Program
| > Files\iTunes\iTunesHelper.exe
| > | O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
| > | O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
| > | O4 - HKCU\..\Run: [RemoteCenter] C:\Program
| > | Files\Creative\MediaSource\RemoteControl\RcMan.exe
| > | O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
| > | Files\Adobe\Calibration\Adobe Gamma Loader.exe
| > | O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
| > | Office\Office10\OSA.EXE
| > | O8 - Extra context menu item: E&xport to Microsoft Excel -
| > | res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
| > | O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
| > C:\Program
| > | Files\AIM\aim.exe
| > | O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
| > | C:\Program Files\Messenger\msmsgs.exe
| > | O9 - Extra 'Tools' menuitem: Windows Messenger -
| > | {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
| > | Files\Messenger\msmsgs.exe
| > | O12 - Plugin for .spop: C:\Program Files\Internet
| > | Explorer\Plugins\NPDocBox.dll
| > | O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
| > | AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
| > | O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
| > |
| >
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098503167983
| > | O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software
| > | AutoUpdate Support Package) -
| > http://www.creative.com/su/ocx/15008/CTPID.cab
| > | O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
| > | C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
| > |
| > |
| > |
| >
| >
|
|
 
B

barde

David said:


* * * Please report your results ! * * *

Dave


Hi. I just wanted to know that I followed your instructions - and
thanx! I used to have a severe case of OfferOptimizer. Now it's
vanished from the face of the screen :)

Greetings from Norway.
Bard. :)



--
barde
 
D

David H. Lipman

Glad to hear it !

Thanx for the feedback.

Dave




|
| David H. Lipman wrote:
| >
| >
| > * * * Please report your results ! * * *
| >
| > Dave
| >
| >
| > Hi. I just wanted to know that I followed your instructions - and
| > thanx! I used to have a severe case of OfferOptimizer. Now it's
| > vanished from the face of the screen :)
| >
| > Greetings from Norway.
| > Bard. :)
|
|
|
| --
| barde
 
