Hi-Jack log (xlime infection?)

Discussion in 'adware, spyware & hijack cleaning' started by byexlime, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. byexlime

    byexlime Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    3
    Hello,

    I'm having many weird popups and I hope it's possible to fix the problem. I tried downloading Adaware twice but it wouldn't install on my computer. I successfully ran Spybot S&D which removed many things but the ads are still popping up. Here is my Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:03:18 AM, on 7/4/2004
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\WINDOWS\SYSTEM\HPWPSW.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnet.att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F1 - win.ini: load=HPWHRC.EXE
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [VSchedule] C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ASP: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    I tried removing the 09 items but they came back... In my browser history I see items for xadso.offeroptimizer and xadsq.offeroptimizer. Sometimes the windows just pop up and then automatically close. Any help is most appreciated!
     
  2. byexlime

    byexlime Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    3
    OK, I've read a few posts and tried to fix some things but I'm still getting the popups. I've tried "Adaware" but when I double-click on the file to install it, I get an "Install Shield" window that quickly disappears and nothing happens.

    I was able to run Spybot S&D but it didn't get rid of the offeroptimizer popups. I downloaded a new virus scanner (AVG) that found a few bugs.

    In Control Panel -> Add/Remove Programs, there is a listing for Web Savings from Ebates that I cannot remove. When I try to remove it I get a message saying:

    WJView Error

    ERROR: Could not execute Main: The system cannot find the file specified

    I have found and already deleted something like C:\Prorgam Files\Websavings\ but it didn't seem to help.

    My most recent Hijack log is as follows:


    --------------

    Logfile of HijackThis v1.97.7
    Scan saved at 11:38:34 PM, on 7/6/2004
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\WINDOWS\SYSTEM\HPWPSW.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\TEMP\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnet.att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F1 - win.ini: load=HPWHRC.EXE
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ASP: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    -----------

    I'm not quite sure hoe to get rid of this stupid Websavings thing. Any help is appreciated.
     
  3. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I could be wrong but I think you need to be online in order to remove Web Rebates.

    Run Hijackthis again with all browsers closed and check these items and then on Fix:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

    Reboot and post a new HJT log. Let me know how the uninstall goes.
     
  4. byexlime

    byexlime Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    3
    Well I fixed that DLL you suggested and it seems to have worked. No pop-ups yet and IE is still working.

    I tried to uninstall Web Savings from Ebates while connected but it still gave me the same error and remains in the list of programs. I guess as long as I'm not getting pop-ups then it doesn't really matter.

    Thanks a lot!
     
  5. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hi,

    Great to hear. I do see one more that I missed in HJT. Run it again and if you see this one, have HJT fix:

    O13 - WWW. Prefix: http://

    Reboot.

    You might want to post one last log for review just to make sure I got everything.
     
Thread Status:
Not open for further replies.