Problem description and HijackThis log file, help needed:

Unknown

Hello everybody, a search engine brought this forum to my knowledge after inquiring about a spyware i discovered on my system. I believe that the name of the malware is offeroptimizer and i discovered it in peerguardians log after it tried to contact the web. I would like you to help me detect it and delete it from my system and given the chance i would also like you to inform about other possible malware running in the background, I have already performed system scans with Ad-Aware 6.0 Pro, Spybot - Search and destroy, Spyware Doctor and I have also used the CWShredder application, everything turns out clean now and here is the log file HijackThis produces. Thanks in advance for your help.

---

Logfile of HijackThis v1.99.1
Scan saved at 2:32:41 am, on 29/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\PowerS.exe
G:\WINDOWS\System32\RUNDLL32.EXE
G:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
G:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Microsoft Hardware\Keyboard\type32.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\PeerGuardian2\pg2.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\AdsGone\adsgone.exe
G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
G:\WINDOWS\System32\ZoneLabs\isafe.exe
G:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Constantinos\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-choice.com.cy/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - G:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - G:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PowerS] G:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LWBMOUSE] G:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "G:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] G:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelliType] "G:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] G:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "g:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] G:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: AdsGone.lnk = G:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AdsGone 2004.lnk = G:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2005.lnk = G:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + &Mass Downloader: download this file - G:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - G:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Download &all with DAP - G:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - G:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - G:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - G:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - G:\Program Files\AdsGone\adsgone (file missing)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6F911DE8-3C2A-4F38-8557-9562F8947C19} (Luder3DPlugin Control) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - G:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - G:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

---

vulg

The ones that looks the most suspicious to me, are these:
'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe'
What do you guys think?

Buckeye_Sam

Your log is clean. Those two lines belong to your graphics card driver and Zone Alarm, both legit.

vulg

thanks. but now i'm wondering how could something that doesn't appear to be running in the background tries to contact the internet. peerguardian keeps blocking offeroptimizer from contacting the web. any ideas?

Buckeye_Sam

You mentioned in your first post that you scanned with Adaware 6.0, which is an old version.

Please follow these instructions to run Adware.

• Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
  1. Download Ad-Aware SE Personal 1.05:
     • Download Ad-Aware SE Personal 1.05.
     • Save aawsepersonal.exe to a convenient location.
  2. Install Ad-Aware SE Personal 1.05:
     • Double-click on aawsepersonal.exe to install the program.
     • Follow the default settings for installation.
     • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  3. Update Ad-Aware SE Personal 1.05:
     • Double-click the Ad-Aware SE Personal icon on your desktop.
     • Click "Check for updates now" then click "Connect".
     • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  4. Configure Ad-Aware SE Personal 1.05:
     • Click on the Gear button at the top of the window.
     • Click "General" on the left hand side to display the General Settings box.
       • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
         • "Automatically save logfile"
         • "Automatically quarantine objects prior to removal"
         • "Safe Mode (always request confirmation)"
         • "Prompt to update outdated definitions" - change to 7 days from the default 14.
     • Click "Scanning" on the left hand side to display the Scan Settings box.
       • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
         • "Scan within archives"
         • "Select drives & folders to scan" - select your hard drive(s).
         • "Scan active processes"
         • "Scan registry"
         • "Deep-scan registry"
         • "Scan my IE favorites for banned URLs"
         • "Scan my Hosts file"
     • Click "Advanced" on the left hand side to display the Advanced Settings box.
       • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
         • "Move deleted files to Recycle Bin"
         • "Include additional object information"
         • "Include negligible objects information"
         • "Include environment information"
     • Click "Defaults" on the left hand side to display the Default Settings box.
       • Make sure these items have your preferred settings in them.:
         • "Default homepage"
         • "Default searchpage"
     • Click "Tweak" on the left hand side to display the Tweak Settings box.
       • Click the + (plus) sign next to the Log Files section. This will expand the section.
       • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
         • "Include basic Ad-Aware settings in log file"
         • "Include additional Ad-Aware settings in log file"
         • "Include reference summary in log file"
         • "Include alternate data stream details in log file"
       • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
       • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
         • "Unload recognized processes & modules during scan"
         • "Scan registry for all users instead of current user only"
         • "Obtain command line of scanned processes"
       • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
       • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
         • "Always try to unload modules before deletion"
         • "During removal, unload Explorer and IE if necessary"
         • "Let Windows remove files in use at next reboot"
         • "Delete quarantined objects after restoring"
     • Once you are done with these settings, click "Proceed" to save them.
     • This will take you back to the main screen.
  5. Run Ad-Aware SE Personal 1.05:
     • Click the "Start" button.
     • Uncheck the "Search for negligible risk entries" entry.
     • Choose the "Use custom scanning options" scan mode.
     • Click the "Next" button.
     • Ad-Aware will begin to scan for malware residing on your computer.
     • Allow the scan to finish.
     • Right-click on any entry in the list and click "Select All" to select the whole list.
     • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Reboot and post a new hijackthis log. Let me know if Adaware found anything. Are you still getting the notification from Peer Guardian?