
please help, offeroptimizer is a problem


  • This topic is locked
13 replies to this topic

#1 slickpimpn

slickpimpn

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:49 AM

Posted 02 December 2004 - 01:17 PM

Every time I look at my screen I see a pop-up from this same site. How do I get rid of it, and will it stay off my computer once I have gotten rid of it? I have been having a problem with spyware, so I'm guessing that's what it stemmed from. I downloaded Hijack and ran it to see what was going on, but I was unable to get rid of anything. Here are the results, and if anyone is out there, could you please help me out here!!!!!! I'm running XP Professional on my system and here are the results.

Logfile of HijackThis v1.98.2
Scan saved at 7:05:53 PM, on 12/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\iziaxn.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\EMS Free Surfer Companion\fs30.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\RODRIC~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: indows.
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [qmvrxesmyftyl] C:\WINDOWS\System32\iziaxn.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: 



Thanks in Advance



#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:09:49 PM

Posted 02 December 2004 - 05:47 PM

is anyone out there?

I am. :thumbsup: I'll do it. Hang in there, and we'll get rid of the unwanted popups. Checkin' it over, could be several hours...
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg


Posted 04 December 2004 - 02:28 PM

when my computer lags its "Smc.exe" that has 100% cpu usage !

That would be your firewall program fightin' some of the problems below, slickpimpn

HijackThis saves backups automatically to its folder and we may need them. We will delete files in the temp folder as we fix the problems, so it must be redone. C:\DOCUME~1\RODRIC~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe should look like this C:\HJT\HijackThis.exe on your log. To make it that way: click Start-->My Computer-->Hard Disk Drive C:\-->File-->New-->Folder and name it HJT. Then simply download again, this time extract to the C:\HJT folder.

Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad.

You will need several tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files. Please use these links to download them to your desktop, and extract/run them when they are presented:

Extract Killbox, open folder & choose extract to your desktop. "Finish". Open the folder and then double-click on Killbox.exe to start the program.

Start Killbox.exe Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\
Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O1 - Hosts: indows.
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
info: twain-tech
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
info:IEPlugin
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qmvrxesmyftyl] C:\WINDOWS\System32\iziaxn.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O20 - AppInit_DLLs: 

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\Program Files. Navigate to the folder locations or use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders".

Delete
C:\WINDOWS\SmxTarget.dll<--this file only
C:\WINDOWS\systb.dll<--this file only
C:\WINDOWS\wupdt.exe<--this file only
C:\WINDOWS\satmat.exe<--this file only
C:\WINDOWS\System32\iziaxn.exe<--this file only
C:\WINDOWS\System32\<--this file only

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Reboot your computer to go back to normal mode

Extract HostFix. Open the zipped-folder and choose to extract to your desktop. Click "Finish". Then open the unzipped folder and double-click on the HostFix.exe file. With the program open, click "YES". Doing this will simply restore the default hosts file.

Run HijackThis again and post the new log as a reply to this post.

(Include comments regarding any problems you might have had, and let us know if it's working better.)

#4 slickpimpn

slickpimpn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:49 AM

Posted 08 December 2004 - 01:32 AM

Thanks Phawgg, I followed your instructions to the T and now here is my new log. I will surf the net a lil and see if the changes worked, but thanks a million!!!!

Logfile of HijackThis v1.97.7
Scan saved at 1:28:28 AM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...AB?37852.891875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

#5 slickpimpn


Posted 08 December 2004 - 01:52 AM

Well Phawgg, still getting popups here. Any more ideas of what's going on!!!!

#6 phawgg


Posted 08 December 2004 - 06:22 AM

any more ideas of whats going on!!!!

yeah. You got some new ones. I'll look it over more closely. Put up with 'em until I can post another fix, please.
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O9 - Extra button: Ebates (HKCU)

#7 slickpimpn


Posted 08 December 2004 - 08:38 AM

Ok Pwagg...waiting patiently thanks again !!!! :thumbsup:

#8 phawgg


Posted 09 December 2004 - 02:26 AM

Thank you for your patience, slickpimpn :thumbsup:

For some reason your HJT is not v 1.98.2 anymore. It is v1.97.7, an older version. Please delete the old version's folder,
.zip folder & any files before you use HJT to follow these guidelines, please. Then, let's continue with:

Please install Ad-Aware SE Personal 1.05 onto your PC, unless you already have this version.
You should uninstall an older version before installing this. Using AdAware to remove malware.
Run Ad-Aware and immediately check for updates. Exit after updating.

Start-->Add or Remove Programs-->Uninstall (if found) any instances of Ebates_MoeMoneyMaker.

Set your PC to: show hidden files. Additional information here.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
www.multimpp.com
info:multimpp
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: Ebates (HKCU)

When you're sure that files marked for deletion are correct, click the Fix button.

Reboot your computer into Safe Mode by tapping F8 until the screen appears. Use the up arrow to choose safe mode. Hit enter.

Search for, locate and delete files or folders (Don't be concerned if they don't exist, previous steps may have deleted them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->"more advanced options"-->check search-->
"system folders", "hidden files & folders" & "sub-folders". Fill in filename field. Search. When found, right-click-->delete.
You may also navigate to the folder and right-click "delete" the individual file(s) or folder as indicated.

Delete manually.
C:\WINDOWS\multimpp.dll<--file only
C:\Program Files\Ebates_MoeMoneyMaker<--folder & all files

Run Ad-Aware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next".
Let Ad-Aware remove anything it finds.
Run System Security Suite. (All windows and browsers closed)
To clean out Temp and Temporary Internet Files, in the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button
and put a checkmark in Delete offline content. Then press the OK button.

Reboot your computer to go back to normal mode.

Scan online for viruses at TrendMicro's Housecall.
Scan online for viruses at Bitdefender

Run HijackThis again and post the new log as a reply to this post.

#9 slickpimpn


Posted 09 December 2004 - 04:41 PM

Phawgg

Question: I have a profile on my computer that my girlfriend uses. Do I need to go into her profile and change or adjust anything, or will all the problems be cleared up when I perform the processes on my profile?

#10 phawgg


Posted 09 December 2004 - 07:43 PM

Do I need to go into her profile and change or adjust anything

Not at this point. As to after the procedure is done, I'm seeking a definitive & easy answer. I'll let you know.

will all the problems be cleared up when I perform the processes on my profile?

In order to even do them, you are required to have administrator privileges. That implies system-wide changes are involved. Is your girlfriend in the admin group?

#11 slickpimpn


Posted 10 December 2004 - 01:27 AM

No she is a limited user!

#12 slickpimpn


Posted 10 December 2004 - 01:56 AM

Phawgg, thanks this is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 1:54:51 AM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\DOCUME~1\RODRIC~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender8\\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\\bdnagent.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

#13 phawgg


Posted 10 December 2004 - 12:53 PM

slickpimpn, now that you have a :flowers: clean log, you should disable & re-enable your System Restore to set a new restore point.
This ensures that there are no infected files found in a restore point left over from what we have just cleaned.
Additional information & instructions are here.

Question: I have a profile on my computer that my girlfriend uses. Do I need to go into her profile and change or adjust anything, or will all the problems be cleared up when I perform the processes on my profile?

If another profile is used it might reinfect you. She could visit a bad site under her user group. It is less likely if she is in a group that does not allow download & installations of activeX, but it can still happen. You can run HJT in normal mode and compare the results to those in yours, for an extra measure of reassurance.
Some other steps to be taken are:

1. Use secure Internet Explorer settings
  • Open IE and check tools-->internet options-->security-->click internet icon-->(default is medium).

    Click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
2. Use AntiVirus Software & Update Frequently. It's best to use only one. Your Norton program provides for this.
  • An excellent free program is AVG, if you need an option. This program can be set to automatically scan & either auto-update or you may choose to do that yourself. Virus definition updates with this program occur frequently, which is very good.
3. Use a Firewall, but use only one. If you install your own, disable the built-in winXP firewall. Your Norton program provides for this.
  • Excellent free programs available include:
  • Sygate
  • Kerio
  • (others are also available)
  • Choose one (if you do not already use a firewall). Keep your Firewall up & monitor its configurations
  • (fully understanding its operation may require some thought & a little practice, but it helps to have it installed and functioning)
4. Use Microsoft Windows Updates Frequently
  • SP2 is the most recent Service Pack available.
  • It provides all the updates issued since Windows XP was first released, including SP1 and all updates added to it
  • More updates have already been added to it, so to remain current in regards to security issues in particular, consider installing it.
  • Information is more readily available now that involves any possible conflicts with your present software.
  • You can read up on that information here.
5. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option.
  • This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. A tutorial is available here.
6. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from running or downloading known malicious programs.
  • You may customize it if required to accommodate your individual needs, and updates are also frequently issued with new definitions added
  • Make it a habit to run and update on a regular basis.
7. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of in its effectiveness, it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
8. Use an alternative Browser Frequently. You may use several if you like.
  • Consider using Firefox as an alternative to IE for fundamental security reasons.
  • You can have both easily. Doing so will provide you with several benefits and options.
  • Other alternative browsers are also available at no charge
  • They do not have inherent vulnerabilities to the extent that IE does.
  • They are not subject to the same attention by malware creators as IE, which is much more commonly used.
These recommendations provide a valuable service to you, and no conflicts exist when operating them together on your PC [winXPSP2]
Please enact them for your own sake and that of the Internet itself.

9. Use BleepingComputer Tutorials & Resources Frequently. "and check for updates...:thumbsup:"
  • While cleaning your PC important tutorials were offered to explain what was being done.
  • Urgency to accomplish the task may have compromised your full understanding of what all was involved.
  • There is always room for improvement when using a personal computer.
  • Resources are available here and improving all the time. Some that deal with these recommendations & other topics include:
Tutorials available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Four Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet

One last note:
HijackThis saves backups automatically to its folder and you might have need for them. You delete files in the temp folder when you fix the problems, so it should be redone if you use HJT again. C:\DOCUME~1\RODRIC~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
should look like this C:\HJT\HijackThis.exe on your log. To make it that way: click Start-->My Computer-->Hard Disk Drive C:\-->File-->New-->Folder
and name it HJT. Then simply download again, this time extract to the C:\HJT folder

Edited by phawgg, 10 December 2004 - 01:15 PM.

patiently patrolling, plenty of persistent pests n' problems ...
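The two checks suggested in the post above (comparing the HJT log from a second profile against the clean one, and noticing when HijackThis.exe was run from a Temp folder) can be scripted. This is an added example, not part of the original post or of HijackThis; both sample logs, the `ExampleUpdater` entry, and the function names are constructed for illustration.

```python
import re

# Section codes HijackThis prefixes to each finding (R0-R3, F0-F3, N1-N4, O1...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Constructed sample logs, one per Windows profile (not taken from the thread).
LOG_MINE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\HJT\HijackThis.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
"""
LOG_OTHER = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

O4 - HKCU\..\Run: [ExampleUpdater] C:\EXAMPLE\updater.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
"""

def parse_log(text):
    """Split a HijackThis log into running processes and (section, detail) entries."""
    processes, entries, in_procs = [], set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:                                  # a finding line always ends the process list
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def only_in(other, reference):
    """Entries present in the other profile's log but absent from the reference log."""
    return sorted(other["entries"] - reference["entries"])

def scanner_in_temp(log):
    """True when HijackThis.exe ran from a Temp path, where its backups get deleted."""
    return any(p.lower().endswith("hijackthis.exe") and "\\temp\\" in p.lower()
               for p in log["processes"])

if __name__ == "__main__":
    mine, other = parse_log(LOG_MINE), parse_log(LOG_OTHER)
    print("Only in second profile:", only_in(other, mine))
    print("HijackThis run from Temp:", scanner_in_temp(other))
```

Per-user entries such as `HKCU` Run keys are the ones most likely to differ between profiles, so those are what the comparison surfaces.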

#14 phawgg


Posted 31 December 2004 - 07:21 PM

Closed. The topics in this thread appear to have been resolved.

If referring to this thread you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.

You may also contact a HJT Team Member, and reference the link location address. Happy New Year. :thumbsup: :flowers:
patiently patrolling, plenty of persistent pests n' problems ...



