Hi-Jack log (xlime infection?)

Discussion in 'adware, spyware & hijack cleaning' started by byexlime, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. byexlime

    byexlime Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    3
    Hello,

    I'm having many weird popups and I hope it's possible to fix the problem. I tried downloading Adaware twice but it wouldn't install on my computer. I successfully ran Spybot S&D which removed many things but the ads are still popping up. Here is my Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:03:18 AM, on 7/4/2004
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\WINDOWS\SYSTEM\HPWPSW.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnet.att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F1 - win.ini: load=HPWHRC.EXE
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [VSchedule] C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ASP: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    I tried removing the 09 items but they came back... In my browser history I see items for xadso.offeroptimizer and xadsq.offeroptimizer. Sometimes the windows just pop up and then automatically close. Any help is most appreciated!
     
    byexlime, Jul 6, 2004
    #1
  2. byexlime

    byexlime Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    3
    OK, I've read a few posts and tried to fix some things but I'm still getting the popups. I've tried "Adaware" but when I double-click on the file to install it, I get an "Install Shield" window that quickly disappears and nothing happens.

    I was able to run Spybot S&D but it didn't get rid of the offeroptimizer popups. I downloaded a new virus scanner (AVG) that found a few bugs.

    In Control Panel -> Add/Remove Programs, there is a listing for Web Savings from Ebates that I cannot remove. When I try to remove it I get a message saying:

    WJView Error

    ERROR: Could not execute Main: The system cannot find the file specified

    I have found and already deleted something like C:\Prorgam Files\Websavings\ but it didn't seem to help.

    My most recent Hijack log is as follows:


    --------------

    Logfile of HijackThis v1.97.7
    Scan saved at 11:38:34 PM, on 7/6/2004
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\WINDOWS\SYSTEM\HPWPSW.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\TEMP\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnet.att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F1 - win.ini: load=HPWHRC.EXE
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ASP: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    -----------

    I'm not quite sure hoe to get rid of this stupid Websavings thing. Any help is appreciated.
     
    byexlime, Jul 12, 2004
    #2
  3. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I could be wrong but I think you need to be online in order to remove Web Rebates.

    Run Hijackthis again with all browsers closed and check these items and then on Fix:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

    Reboot and post a new HJT log. Let me know how the uninstall goes.
     
    Taz71498, Jul 12, 2004
    #3
  4. byexlime

    byexlime Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    3
    Well I fixed that DLL you suggested and it seems to have worked. No pop-ups yet and IE is still working.

    I tried to uninstall Web Savings from Ebates while connected but it still gave me the same error and remains in the list of programs. I guess as long as I'm not getting pop-ups then it doesn't really matter.

    Thanks a lot!
     
    byexlime, Jul 13, 2004
    #4
  5. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hi,

    Great to hear. I do see one more that I missed in HJT. Run it again and if you see this one, have HJT fix:

    O13 - WWW. Prefix: http://

    Reboot.

    You might want to post one last log for review just to make sure I got everything.
     
    Taz71498, Jul 13, 2004
    #5
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...