
Offer Optimizer and mxtarget.dll

edited November 2004 in Spyware & Virus Removal
Hi,

I have been trying unsuccessfully for weeks to remove mxtarget.dll and now a new one called xado.offeroptimizer.com has spawned and I have seen some posts on the forum which look successful and was hoping that somebody may be able to help.

Thanks in advance.

Andy

Logfile of HijackThis v1.98.2
Scan saved at 11:42:22, on 28/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\PROGRA~1\CoCreate\MEls\MEls.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\CoCreate\OSD_MO~1.0\binNT\SDserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Launch Manager\QtDTAcer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\jewgwclb.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ArGo Software Design\Mail Server\mailserver.exe
C:\Documents and Settings\andy\Application Data\My-disgo\MyKey disgo.exe
C:\WINDOWS\Plaxo\2.0.4.58\InstallStub.exe
C:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Documents and Settings\andy\Start Menu\Programs\Startup\sizer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\CSI\Install\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.1.10.51:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtDTAcer.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dzsbwhxvg] C:\WINDOWS\System32\jewgwclb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ArGoSoftMailServer] C:\Program Files\ArGo Software Design\Mail Server\mailserver.exe
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\andy\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.0.4.58\InstallStub.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MeetingCenter] C:\Documents and Settings\andy\.OneSpace\OneSpaceMC.bat
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: sizer.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/beta/vet_install_popup.pl?1&4&04.00.07.02&http://www.seikousa.com/Collections/SC1_Arctura2.aspx
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1257D8F2-D1DE-4270-BEE0-45688CAD16BB} (OSFileControl Class) - https://host1.onespace.net/OneSpace/Data/CAB/OSProjectControlCAB.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=81a20e2d4daf862b581047e8e0c24e8effd07b128e225c91fe269f1e3e53b395f49377f8e3605dd230f34a38bc2fbef0a2d6fd6f14c38aff842869220dcf:31e1e886df05c54f80cdc9defbb7eddc
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/193717e9ea3ee43ac816/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093960092848
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://powerwave.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E4A96914-9818-45AC-A166-CCEB594B6B03} (Project1.UserControl1) - http://62.8.109.108/dropbox.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E977EEA-BE38-40E6-A12D-FE3B45D495A1}: NameServer = 10.0.0.1

Comments

  • SpywareShooter 127.0.0.1
    edited October 2004
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O4 - HKLM\..\Run: [dzsbwhxvg] C:\WINDOWS\System32\jewgwclb.exe
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\andy\Application Data\My-disgo\MyKey disgo.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.0.4.58\InstallStub.exe -a
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...dc9defbb7eddc
    O16 - DPF: {E4A96914-9818-45AC-A166-CCEB594B6B03} (Project1.UserControl1) - http://62.8.109.108/dropbox.CAB

    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • edited October 2004
    Hi,

    Many thanks for your prompt reply. I am concerned about deleting the following entries as they are all related to programs that I use and am aware of.

    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\andy\Application Data\My-disgo\MyKey disgo.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.0.4.58\InstallStub.exe -a
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {E4A96914-9818-45AC-A166-CCEB594B6B03} (Project1.UserControl1) - http://62.8.109.108/dropbox.CAB

    My-Disgo is a program to access my Memory Stick
    Plaxo is an automatic contact updater integrated in Outlook
    Dropbox is a program written by our company

    When I try and delete mxTarget.dll I receive the following error.

    Cannot delete mxTarget:Access is denied
    Make sure the disk is not full or write-protected and that the file is not currently in use.

    Sorry to sound like a worrier, only I followed some instructions from a website recently, regarding the removal of mxTarget and upon restarting I was unable to login in to my machine!

    Thanks Again

    Andy
  • SpywareShooter 127.0.0.1
    edited October 2004
    Plaxo is not exactly spyware, but some classify it as that. It places a cookie on your computer that has your name, address, phone number, and more personal information. Cookies can be read by different sites other than the one it belongs to (in this case Plaxo.com). I know this because it was somehow installed on my computer (Even though I don't have Outlook). Also it sends out email to every contact on your Outlook list and tries to get them to download Plaxo. And if I remember right, it continues to send them email until they download it, then that chain continues.

    If you cannot delete mxtarget.dll, boot into Safe Mode (press F8 at the BIOS screen when rebooting) and delete it from there.
  • edited November 2004
    Hi,

    Many thanks for your continued support.

    I tried your instructions and all seemed fine, but once again MxTarget spawned.

    I have since found out that Twaintec and MxTarget are linked to something called VX2 and that Adaware supports the removal of this annoyance.

    Installed Adaware Personal SE and it found loads of instances of VX2!! Cleaned up and now all is well.

    Thanks again

    Andy
  • Crunchie Mandurah. Western Australia. Member
    edited November 2004
    There is other stuff to remove. Please hold :)
  • Crunchie Mandurah. Western Australia. Member
    edited November 2004
    Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/193717e9ea3ee4...ip/RdxIE601.cab

    Reboot and delete the wsaupdater.exe file.
  • edited November 2004
    Hi,

    I am not sure why you are suggesting I delete the following entry?

    UserInit=C:\WINDOWS\system32\userinit.exe

    This is a system file and will prevent logging into my system upon rebooting

    What is wsaupdater.exe for?

    Thanks

    Andy
  • Crunchie Mandurah. Western Australia. Member
    edited November 2004
    This part C:\Windows\System32\wsaupdater.exe, is a nasty that has attached itself. The userinit will not be affected :).
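As an added example (not from this thread, and not part of HijackThis), here is a small Python scanner for the persistence mechanism Crunchie describes: Winlogon runs every comma-separated entry in the Winlogon UserInit value, so a malicious program can append its own executable after the legitimate userinit.exe and be launched at every logon. The scanner parses F2 UserInit lines from a HijackThis log, keeps the system32 userinit.exe entry and reports every other entry separately. The function names, the rule that only a userinit.exe under system32 counts as legitimate, and the SAMPLE_LOG lines (copied from the log above) are assumptions of this example.

```python
"""Flag extra executables appended to the Winlogon UserInit value.

Example code written for this thread, not from HijackThis. It reads F2
UserInit lines from a HijackThis log and separates the legitimate
userinit.exe entry from anything that has been appended to it.
"""
import re
from typing import List, NamedTuple


class UserInitFinding(NamedTuple):
    """Result of checking one UserInit value."""
    raw_value: str
    expected: List[str]    # entries that are the legitimate userinit.exe
    suspicious: List[str]  # everything else: appended or look-alike executables


# HijackThis reports a non-default Winlogon UserInit value as an F2 line.
F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$",
                            re.IGNORECASE)


def split_userinit_value(value: str) -> List[str]:
    """Split a UserInit value on commas and drop empty items, so the trailing
    comma seen in the thread's log line adds no entry."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_expected_userinit(entry: str) -> bool:
    """True only for userinit.exe located under a system32 directory
    (assumed rule). A userinit.exe anywhere else is treated as a look-alike."""
    path = entry.strip('"').lower()
    return path.endswith(r"\system32\userinit.exe")


def classify_userinit(value: str) -> UserInitFinding:
    """Sort the entries of one UserInit value into expected and suspicious."""
    expected: List[str] = []
    suspicious: List[str] = []
    for entry in split_userinit_value(value):
        (expected if is_expected_userinit(entry) else suspicious).append(entry)
    return UserInitFinding(value, expected, suspicious)


def scan_hijackthis_log(log_text: str) -> List[UserInitFinding]:
    """Return one finding per F2 UserInit line that carries anything other
    than exactly one legitimate userinit.exe entry. A value with no
    userinit.exe at all is also reported, since that breaks logon."""
    findings: List[UserInitFinding] = []
    for line in log_text.splitlines():
        match = F2_USERINIT_RE.match(line.strip())
        if not match:
            continue
        finding = classify_userinit(match.group("value"))
        if finding.suspicious or len(finding.expected) != 1:
            findings.append(finding)
    return findings


# Constructed sample: the UserInit line from the log above plus two unrelated
# lines, to show that only F2 UserInit entries are examined.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [dzsbwhxvg] C:\WINDOWS\System32\jewgwclb.exe
"""

if __name__ == "__main__":
    for finding in scan_hijackthis_log(SAMPLE_LOG):
        print("UserInit value:", finding.raw_value)
        print("  keep  :", finding.expected)
        print("  remove:", finding.suspicious)
```

Keeping the expected and suspicious entries apart is the point Andy raised: the remediation is to remove the appended entry and leave userinit.exe in place, never to clear the value, because a UserInit value without userinit.exe prevents logon.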