Need help with xadso.offeroptimizer

Hi Guys,

I've recently been infected with something that continually opens an Internet Explorer session when I log on. It is called xadso.offeroptimizer. I've tried various programs but can't seem to get rid of it :confused:

I have downloaded and run AdAware and Spybot as instructed in the other thread and it is still there.

I've run HijackThis and copied the log below.

I would really appreciate any help you can give me with this one, :thumbsup: I hate having these things on my PC.

Thanks a million, in advance.
Cheers
Scanjet5


Logfile of HijackThis v1.98.2
Scan saved at 21:01:27, on 08/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\System32\DRIVERS\dcfssvc.exe
F:\WINDOWS\system32\gearsec.exe
F:\WINDOWS\Explorer.EXE
C:\Program Files\norton\Norton AntiVirus\navapsvc.exe
C:\Program Files\norton\Norton Utilities\NPROTECT.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
F:\Program Files\BPK\scanjet.exe
F:\WINDOWS\Cyb2k.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\ONSPEED\onspeed.exe
C:\PROGRA~1\norton\SPEEDD~1\nopdb.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Internet\ICC\ICC2000.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.i--search.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - F:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - F:\PROGRA~1\BPK\SCANJE~2.DLL
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - F:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [scanjet] F:\Program Files\BPK\scanjet.exe
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [C2K] F:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: ONSPEED.lnk = F:\Program Files\ONSPEED\onspeed.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Show All Original Images - res://F:\Program Files\ONSPEED\onspeed.exe/250
O8 - Extra context menu item: Show Original Image - res://F:\Program Files\ONSPEED\onspeed.exe/227
O12 - Plugin for .pdf: F:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095704524718
O17 - HKLM\System\CCS\Services\Tcpip\..\{995D8CD8-C4CE-4E32-A424-86DD6988243D}: NameServer = 195.218.116.2 194.46.8.57

Comments

  • SpywareShooter
    edited October 2004
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - F:\WINDOWS\localNRD.dll
    O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)


    Fix those entries then find and delete localNRD.dll, reboot and post a new log.
  • edited October 2004
    Hi,
    Thanks for that really quick response :thumbsup: . Did that, and here's the new log:
    Is this OK now?

    Cheers
    Scanjet5



    Logfile of HijackThis v1.98.2
    Scan saved at 01:24:58, on 09/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\LEXBCES.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\LEXPPS.EXE
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    F:\WINDOWS\system32\gearsec.exe
    F:\WINDOWS\Explorer.EXE
    C:\Program Files\norton\Norton AntiVirus\navapsvc.exe
    C:\Program Files\norton\Norton Utilities\NPROTECT.EXE
    F:\WINDOWS\System32\nvsvc32.exe
    F:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\PROGRA~1\norton\SPEEDD~1\nopdb.exe
    F:\Program Files\BPK\scanjet.exe
    F:\WINDOWS\Cyb2k.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\ONSPEED\onspeed.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\MsPMSPSv.exe
    F:\Program Files\Internet\ICC\ICC2000.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.i--search.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ie
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - F:\PROGRA~1\BPK\SCANJE~2.DLL
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - F:\Program Files\ONSPEED\PBHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [scanjet] F:\Program Files\BPK\scanjet.exe
    O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [C2K] F:\WINDOWS\Cyb2k.exe
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Global Startup: ONSPEED.lnk = F:\Program Files\ONSPEED\onspeed.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Show All Original Images - res://F:\Program Files\ONSPEED\onspeed.exe/250
    O8 - Extra context menu item: Show Original Image - res://F:\Program Files\ONSPEED\onspeed.exe/227
    O12 - Plugin for .pdf: F:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095704524718
    O17 - HKLM\System\CCS\Services\Tcpip\..\{995D8CD8-C4CE-4E32-A424-86DD6988243D}: NameServer = 195.218.116.2 194.46.8.57
  • SpywareShooter
    edited October 2004
    Other than the R1/R0 entries it looks okay. Fix those then reboot and post a new log so we can make sure a file isn't there that is causing them to come back.
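As an added example (not part of this thread and not HijackThis code), a small Python triage of the sections SpywareShooter acted on: the R0/R1 search and proxy entries and the O2/O3 BHO/toolbar registrations. The sample log and the allowlists are constructed from entries quoted in the thread; the local proxy line is only reported for verification, since the thread attributes it to the ONSPEED accelerator.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis v1.98.2 entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - F:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Analyst-maintained allowlists (assumption: only these were chosen by the user on purpose).
TRUSTED_HOSTS = {"www.google.ie"}
TRUSTED_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe Acrobat Reader IE helper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper
}
ENTRY_RE = re.compile(r"^(R[01]|O[23]) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def triage(log_text):
    """Return (section, reason, line) for each R0/R1/O2/O3 entry that needs a fix decision."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # O4, O16, ... are out of scope for this check
        section, body = m.groups()
        if section in ("R0", "R1"):
            key, _, value = body.partition(" =")
            value = value.strip()
            if not value:
                continue                  # an empty default such as 'SearchAssistant =' is benign
            if key.endswith("ProxyServer"):   # a local proxy can be a legitimate accelerator: verify it
                if "127.0.0.1" in value:
                    findings.append((section, "local proxy set; confirm which installed tool owns the port", line))
            elif (host := urlparse(value).hostname) not in TRUSTED_HOSTS:
                findings.append((section, f"search/start page redirected to untrusted host {host}", line))
        else:                             # O2 BHO or O3 toolbar
            clsid = c.group(0).upper() if (c := CLSID_RE.search(body)) else "?"
            if body.endswith("(no file)"):
                findings.append((section, f"dangling registration {clsid}; remove the CLSID", line))
            elif clsid not in TRUSTED_CLSIDS:
                findings.append((section, f"unrecognised {clsid}; inspect {body.rsplit(' - ', 1)[-1]}", line))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the two hijacked R1 entries, the unrecognised localNRD.dll BHO and the two dangling CLSIDs, and leaves the Google start page and the Adobe helper alone.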
  • edited October 2004
    Ok, I've done that, :thumbsup: here's the new log. I ran the log before I opened any internet connection and it had no R1 or R0 entries. I've run it now with this session open and it has one R1 entry for the proxy server, I presume that is the 'onspeed' service I use.

    Here's the log with the R1 entry:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:53:44, on 09/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\LEXBCES.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\LEXPPS.EXE
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\System32\DRIVERS\dcfssvc.exe
    F:\WINDOWS\system32\gearsec.exe
    F:\WINDOWS\Explorer.EXE
    C:\Program Files\norton\Norton AntiVirus\navapsvc.exe
    C:\Program Files\norton\Norton Utilities\NPROTECT.EXE
    F:\WINDOWS\System32\nvsvc32.exe
    F:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
    C:\PROGRA~1\norton\SPEEDD~1\nopdb.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\BPK\scanjet.exe
    F:\WINDOWS\Cyb2k.exe
    F:\WINDOWS\System32\MsPMSPSv.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\ONSPEED\onspeed.exe
    F:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe
    F:\Program Files\Internet\ICC\ICC2000.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    F:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - F:\PROGRA~1\BPK\SCANJE~2.DLL
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - F:\Program Files\ONSPEED\PBHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [scanjet] F:\Program Files\BPK\scanjet.exe
    O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [C2K] F:\WINDOWS\Cyb2k.exe
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Global Startup: ONSPEED.lnk = F:\Program Files\ONSPEED\onspeed.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Show All Original Images - res://F:\Program Files\ONSPEED\onspeed.exe/250
    O8 - Extra context menu item: Show Original Image - res://F:\Program Files\ONSPEED\onspeed.exe/227
    O12 - Plugin for .pdf: F:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095704524718
    O17 - HKLM\System\CCS\Services\Tcpip\..\{995D8CD8-C4CE-4E32-A424-86DD6988243D}: NameServer = 195.218.116.2 194.46.8.57
  • edited October 2004
    Hi again,
    Everything seems to be working fine now, got rid of that pest, thanks to you. Thanks a MILLION for all your help :thumbsup: , you guys are doing a fantastic job.
    Take it easy.
    Scanjet5