Re: Offeroptimizer wont go away...ever
From: Terry (F1ComNOSPAM_at_pobox.com)
Date: 11/10/04
- Next message: Mel: "lavasoft forums??"
- Previous message: S.Sengupta: "Re: Trouble with NTBackup"
- In reply to: Aaron: "Offeroptimizer wont go away...ever"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 09 Nov 2004 16:48:57 -0800
On 11/9/2004 4:12 PM On a whim, Aaron pounded out on the keyboard
> Hey, somehow I got this retarded offeroptimizer...no adware scanner will fix
> it.
> Can someone take a look at my hijack-this logfile... pretty sure I got rid
> of everything related to this popup, but it's still happening:
>
> Logfile of HijackThis v1.98.2
> Scan saved at 6:01:39 PM, on 11/9/2004
> Platform: Windows XP SP2
> MSIE: Internet Explorer v6.00 SP2
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\Program Files\Norton AntiVirus\navapsvc.exe
> C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
> C:\Program Files\Norton AntiVirus\SAVScan.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINDOWS\system32\MsPMSPSv.exe
> C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
> C:\WINDOWS\system32\hphmon04.exe
> C:\WINDOWS\system32\CTHELPER.EXE
> C:\WINDOWS\system32\RunDll32.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\AIM\aim.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\WINDOWS\system32\HPHipm11.exe
> C:\WINDOWS\system32\zytchly.exe
> C:\Program Files\Outlook Express\msimn.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\Documents and Settings\Aaron\Desktop\HijackThis.exe
> O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} -
> C:\WINDOWS\multimpp.dll
> O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
> C:\WINDOWS\systb.dll (file missing)
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
> Files\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
> C:\Program Files\Norton AntiVirus\NavShExt.dll
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKLM\..\Run: [Advanced Tools Check]
> C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
> O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
> Panel\atiptaxx.exe
> O4 - HKLM\..\Run: [DeadAIM] rundll32.exe
> "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
> O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
> C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
> O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
> O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart
> 11\hphinstall\UniPatch\hphupd04.exe"
> O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
> O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
> O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
> O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
> O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
> O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
> O4 - HKCU\..\Run: [RemoteCenter] C:\Program
> Files\Creative\MediaSource\RemoteControl\RcMan.exe
> O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
> Files\Adobe\Calibration\Adobe Gamma Loader.exe
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
> O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
> Files\AIM\aim.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\msmsgs.exe
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
> AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
> http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098503167983
> O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software
> AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
> O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
> C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
>
>
>
What is zytchly.exe? I'm not familiar with it and a Google search brings
up nothing. I would remove that from your
HKLM\Microsoft\Windows\CurrentVersion\Run unless you know what it is
(while the registry is open press F5 to see if a program is monitoring
the registry and tries to replace it). And then rename the file if you
can to zytchly.exe.old. You'll probably have to end the process first.
And possibly turn SR off (it may be keeping backups there).
--
Terry
***Reply Note***
Anti-spam measures are included in my email address. Delete NOSPAM from the email address after clicking Reply.
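
A triage pass over the quoted log, as an added example that is not part of the original post or of HijackThis: it strips the mail quoting, rejoins hard-wrapped O4 lines, and lists Run entries whose target is running from directly under system32 while the value name is unrelated to the file name. The function names and the heuristic are assumptions of this example; a hit only marks an entry for the manual check described in the reply.

```python
import re
from collections import namedtuple

# Excerpt of the log quoted above, mail quoting and hard wraps left in place.
SAMPLE = r"""> Running processes:
> C:\WINDOWS\system32\hphmon04.exe
> C:\WINDOWS\system32\zytchly.exe
> C:\Program Files\AIM\aim.exe
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
> O4 - HKLM\..\Run: [gvnvtx] C:\WINDOWS\system32\zytchly.exe
> O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

Autorun = namedtuple("Autorun", "hive name command")
ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE = re.compile(r'^"?([A-Za-z]:\\.+?\.exe)', re.I)

def unwrap(text):
    """Drop '> ' quoting and rejoin O-entries the mail client wrapped."""
    records, seen_entry = [], False
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        starts_entry = re.match(r"O\d+ - ", line) is not None
        if line and seen_entry and not starts_entry:
            records[-1] += " " + line      # continuation of a wrapped entry
        elif line:
            records.append(line)
            seen_entry = seen_entry or starts_entry
    return records

def review_first(text):
    """Run entries to check by hand first (heuristic, not a verdict)."""
    records = unwrap(text)
    # Process-list lines are the only records that start with a drive letter.
    running = {r.lower() for r in records if re.match(r"[A-Za-z]:\\", r)}
    hits = []
    for m in filter(None, map(ENTRY.match, records)):
        a = Autorun(*m.groups())
        exe = EXE.match(a.command)
        path = exe.group(1).lower() if exe else ""
        folder, _, fname = path.rpartition("\\")
        stem, name = fname[:-4], a.name.lower()
        related = stem in name or name in stem
        if path in running and folder.endswith(r"\system32") and not related:
            hits.append(a)
    return hits
```
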