Just another "How do I get rid of xadsjt offeroptimizer?" post

I know there are some nasties in there like the bho no names some i dont know about all this post will bring up the thread so more mods and higher people can check it

Hi Eric9112, welcome to TechTalk!

You do have infections, but you need to address couple of things before we start with the troubleshoot:

1. Your log indicates that you are using version 1.97.7 of HijackThis, which is out of date. Please download the latest version (1.98.2) using the link in my sig below and post the log that the new version generates.

2. This entry in your current log: " C:\Program Files\Internet Explorer\iexplore.exe" indicates that you had at least one instance of Internet Explorer open when you ran HijackThis. HijackThis cannot fully perform its fixes when any instances of your web browser are running, so you need to make sure Internet Explorer is entirely closed down before you run HJT the next time.

Do the above, and we'll take it from there . :)

Hi Thanks Everyone
Here is my new updated hijack this log
Thanks for all the help or any help that you can give me

Logfile of HijackThis v1.98.2
Scan saved at 9:23:07 AM, on 12/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\oygoyuq.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Westlakeuser.IMPAC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asrt.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asrt.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [uujgtnogw] C:\WINDOWS\system32\oygoyuq.exe
O4 - HKLM\..\Run: [algrehqr] C:\WINDOWS\algrehqr.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095174754321
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coastalradiation.com
O17 - HKLM\Software\..\Telephony: DomainName = coastalradiation.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coastalradiation.com

Your log indicates at least a couple of different infections, so it might take a couple of tries to get you totally clean. Please follow the instructions below fully and carefully:

1. Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.
2. Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan
2. Close ALL windows except Ad-Aware SE
3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

In the ‘General’ window make sure the following are selected in green:

• Automatically save log-file
• Automatically quarantine objects prior to removal
• Safe Mode (always request confirmation)

Under Definitions:

• Prompt to udate outdated definitions - set the number of days
• Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:

• Scan Within Archives

Under Select drives & folders to scan -

• choose all hard drives

Under Memory & Registry: all green

• Scan Active Processes
• Scan Registry
• Deep Scan Registry
• Scan my IE favorites for banned URL’s
• Scan my Hosts file

Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT

4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only

Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot

Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile

1. Click on ‘Proceed’ to save the settings.

2. Click ‘Start’

   *Choose:'Perform Full System Scan'
   *DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

3. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

4. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window; select [i]all[/i] found items for fixing.

5. Save the log file when it asks and then click ‘finish’

6. REBOOT to complete the removal of what Ad-Aware SE found

• Run SpyBot.

  When you first run SpyBot, it will walk you through a Wizard which will perform a few critical functions (making a registry backup, getting the latest updates, etc.).

1. Perform all of the Wizard's tasks.
2. Run the program. Once it completes, have it fix everything it finds.

3. Reboot.

4. Deregister the 2 offending .dll files (Ad Aware and/or SpyBot [i]may[/i] have been able to fix these already):

• Open a DOS box by typing "cmd" (omit the quotes) in the "Run.." option under your Start button menu.

• At the command prompt in the DOS window, type the following 2 commands:

          regsvr32 /u C:\Windows\multimpp.dll
          regsvr32 /u C:\Windows\systb.dll 
  

1. Have HijackThis fix all of the following:

   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url="http://websearch.drsnsrch.com/sidesearch.cgi?id="]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://websearch.drsnsrch.com/sidesearch.cgi?id="]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url="http://websearch.drsnsrch.com/sidesearch.cgi?id="]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://websearch.drsnsrch.com/sidesearch.cgi?id="]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
   R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url="http://websearch.drsnsrch.com/sidesearch.cgi?id="]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
   R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url="http://websearch.drsnsrch.com/sidesearch.cgi?id="]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
   R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
   R3 - Default URLSearchHook is missing
   O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
   O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
   O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
   O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
   O4 - HKLM..\Run: [uujgtnogw] C:\WINDOWS\system32\oygoyuq.exe
   O4 - HKLM..\Run: [algrehqr] C:\WINDOWS\algrehqr.exe
   O4 - HKLM..\Run: [satmat] C:\WINDOWS\satmat.exe
   O4 - HKLM..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
   O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
   O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
   O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url="http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095174754321"]http://v5.windowsupdate.microsoft.c...b?1095174754321[/url]
   O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - [url="http://autos.msn.com/components/ocx/exterior/Outside.cab"]http://autos.msn.com/components/ocx...ior/Outside.cab[/url]
   O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - [url="http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab"]http://www.stopzilla.com/_download/...ller/dwnldr.cab[/url]
   O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - [url="http://download.abacast.com/download/files/abasetup151.cab"]http://download.abacast.com/downloa...abasetup151.cab[/url]

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

• Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

  • Delete the following [i]files[/i]:

  C:\WINDOWS\multimpp.dll
  C:\WINDOWS\systb.dll
  C:\WINDOWS\system32\oygoyuq.exe
  C:\WINDOWS\algrehqr.exe
  C:\WINDOWS\satmat.exe
  C:\WINDOWS\wupdt.exe

  • Delete the following [i]folder[/i] entirely (if it still exists):

  C:\Program Files\Ebates_MoeMoneyMaker

  • For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:
  1. Local Settings\Temp
  2. Cookies
  3. History
  4. Local Settings\Temporary Internet Files\Content.IE5
  • Delete the entire content of your C:\Windows\Temp folder.

  Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

  • Empty your Recycle Bin.
  1. Reboot normally, run HijackThis again, and post a new log.

Fix this only if you do not have Java Sun:
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
Hijackthis has a bug that misinterprets some 09 entries.

Fix this only if you do not have Java Sun...

Yup, my bad- I missed that at first. I just edited that line out of my above post...

Thanks :mrgreen:
Here is my new hijack this log
Logfile of HijackThis v1.98.2
Scan saved at 2:35:26 PM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Westlakeuser.IMPAC\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asrt.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asrt.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = coastalradiation.com
O17 - HKLM\Software\..\Telephony: DomainName = coastalradiation.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = coastalradiation.com

Congratulations- you're log is squeaky clean. :)

Listed below are some general things you can do to greatly reduce your chances of future infections:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here.

5. Obviously: install a good anti-virus program and enable its auto-protect, automatic update, and email-scanning features.

6. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as ever two or three days.

Hi
Thanks it worked great! Is there any reading material that anyone can recommend so that I can understand the inner workings of this all better.
Thanks again!

I'll post some links for you tomorrow; it's well past "sleepy time" in my end of world right now....

Hi
Thanks it worked great! Is there any reading material that anyone can recommend so that I can understand the inner workings of this all better.
Thanks again!

There is a link to a hijackthis tutorial in this thread:
http://www.daniweb.com/techtalkforums/thread5690.html

Is this what you wanted? Were there some particular things you would like to know about?

And some other informational linkage:

http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
http://www.help2go.com/article153.html
http://aumha.org/a/parasite.htm
http://www.doxdesk.com/parasite/