xadsq offeroptimizer

Discussion in 'adware, spyware & hijack cleaning' started by jra, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. jra

    jra Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    3
    Operating win 95, cannot get rid of this pest. Since I'm using '95 I cann't update Ad-aware to 6+ since it only operates 98 and above.
    My sequence of tests are 1. CW Shredder, 2. Spybot S&D, 3. Ad-aware 5.8 these are not finding the prob.
    My Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:42:22 AM, on 16/06/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NSS\SPDSTART.EXE
    C:\WINDOWS\SYSTEM\JBXUYFO.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    C:\UNZIPPED\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IdeCDok] regedit /s c:\windows\idecdok.reg
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [SetRecording] c:\windows\SetRec.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~3\NORTON~2\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [SpdStart] C:\Program Files\Norton SystemWorks\Norton Utilities\NSS\SPDSTART.EXE /AutoStart
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [abnbyyic] C:\WINDOWS\SYSTEM\jbxuyfo.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/p3a23a.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = csolve
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = csolve
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.61.168.3,198.235.216.1

    Could someone PLEASE help me remove this intruder!
    Thanx
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi jra,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [abnbyyic] C:\WINDOWS\SYSTEM\jbxuyfo.exe

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\ALCHEM.exe
    C:\PROGRAM FILES\INCREDIFIND <= entire folder
    C:\PROGRAM FILES\MYWEBSEARCH <= entire folder

    Regards,

    Pieter
     
  3. jra

    jra Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    3
    Pieter thank you for your assistance. Thought it was fixed , it did not show for several re-boots yesterday. BUT today on rebooting it showup again. I'm posting my Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:56:28 PM, on 16/06/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NSS\SPDSTART.EXE
    C:\WINDOWS\SYSTEM\JBXUYFO.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IdeCDok] regedit /s c:\windows\idecdok.reg
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [SetRecording] c:\windows\SetRec.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~3\NORTON~2\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [SpdStart] C:\Program Files\Norton SystemWorks\Norton Utilities\NSS\SPDSTART.EXE /AutoStart
    O4 - HKLM\..\Run: [cjycymznzn] C:\WINDOWS\SYSTEM\JBXUYFO.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/p3a23a.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = csolve
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = csolve
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.61.168.3,198.235.216.1

    It has regenerated 2 of the lines which I removed yesterday:
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O4 - HKLM\..\Run: [cjycymznzn] C:\WINDOWS\SYSTEM\JBXUYFO.EXE

    Should this following line have been deleted yesterday also?
    C:\WINDOWS\SYSTEM\JBXUYFO.EXE

    I hope you can help me with this.
    Thanx

    John
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    You can and should Fix those again.
    Empty your Temp Internet files and Temp folder when you are done.
    Also delete: C:\WINDOWS\SYSTEM\JBXUYFO.EXE

    Then download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot to stop it from coming back.

    If you look at the HijackThis screen you will see that it offers no opportunity to stop running processes. ;)

    I have been looking for some programs that will protect you, but it is not easy for Windows 95.
    But do read: Why did I get infected in the first place

    Regards,

    Pieter
     
  5. jra

    jra Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    3
    Pieter ..Thank you for your support with my problem. It has not shown up after the last corrections.

    Thanks again

    John
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.