I'm having random pop-ups from xlime. Help? (Hijack This! log provided.)

Discussion in 'adware, spyware & hijack cleaning' started by drumstickz07, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    Hello! I seem to be getting xlime pop-ups occasionally and I believe I could possibly have other spyware/problems as well. Help would be appreciated by taking a look at this log and checking for problems! Disregard google toolbar and flashget in the log because I am aware of those two.

    I ran ad-aware prior to the scan.

    Hijack This! log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:20:50 PM, on 6/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\installer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\winexec32.bpq
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    C:\WINDOWS\System32\wesfcw.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN\MSNIA\msniasvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN\MSNIA\WA\ClientSideProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\FlashGet\flashget.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,winexec32.bpq,
    O1 - Hosts: 216.40.230.4 desktop.kazaa.com
    O1 - Hosts: 216.40.230.4 alpha.kazaa.com
    O1 - Hosts: 216.40.230.4 shop.kazaa.com
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WinServices] winexec32.bpq
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [installer] C:\WINDOWS\System32\installer.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [xgomlqfy] C:\WINDOWS\System32\wesfcw.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" "+b1"
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31e126889d23442a7918/netzip/RdxIE601.cab
    O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycrypt/npkxsite.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38022.8219560185
    O16 - DPF: {B5CC0E52-9CE2-4BF2-8365-A0E4E2C528A2} (EGameWebCrypt Class) - https://www.e-games.com.my/com/EGameWebCrypt.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B6C08A-9B2B-410F-85CD-5D1DBBD356DA}: NameServer = 209.244.0.3 209.244.0.4

    Again I will appreciate all help!
     
    Last edited: Jun 17, 2004
  2. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    Ok now I have noticed that these pop ups are no longer just xlime optimizer pop ups but they're others as well such as "You may be having memory leaks in your computer! Click here to fix now!" and stuff like that.
     
  3. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    These pop-ups are quite annoying and I might just resort to system restore, but I'll wait a little longer to see if any of you see any problems in the hijack this log.
     
  4. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    Update: I'm not completely sure but for some reason the problem has stopped. I think the problem is gone for good, but just to be careful here is an updated Hijack This Log. Will anyone verify that the log is clear of any problems so that I can rest at ease? o_O

    Logfile of HijackThis v1.97.7
    Scan saved at 3:30:50 PM, on 6/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\installer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\winexec32.bpq
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\WINDOWS\System32\wesfcw.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN\MSNIA\msniasvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,winexec32.bpq,
    O1 - Hosts: 216.40.230.4 desktop.kazaa.com
    O1 - Hosts: 216.40.230.4 alpha.kazaa.com
    O1 - Hosts: 216.40.230.4 shop.kazaa.com
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinServices] winexec32.bpq
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [installer] C:\WINDOWS\System32\installer.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [xgomlqfy] C:\WINDOWS\System32\wesfcw.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31e126889d23442a7918/netzip/RdxIE601.cab
    O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycrypt/npkxsite.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38022.8219560185
    O16 - DPF: {B5CC0E52-9CE2-4BF2-8365-A0E4E2C528A2} (EGameWebCrypt Class) - https://www.e-games.com.my/com/EGameWebCrypt.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B6C08A-9B2B-410F-85CD-5D1DBBD356DA}: NameServer = 209.244.0.3 209.244.0.4
     
  5. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    No one wants to check? :doubt:
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi drumstickz07 :)

    Just give it a little time. ;)

    It is best just to check back periodically for new posts and recommendations. :)

    snowbound
     
  7. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    Ok I'm sorry. It's just that others are getting responses much faster than I am, but then I realized that you guys are very busy and you can't always get to everyone. So take your time then!
     
  8. drumstickz07

    drumstickz07 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    20
    Hello it has been almost a full day since I created this topic and I have not recieved a response. I hope someone will be kind enough to check my log. Also I guess it is safe to note that whenever I boot up my computer automatically tries to go online (dial-up) because it is "recieving a connection request" from a website. I don't remember the site clearly but next time I see it I will tell you for sure. The site was something like static.hosting.biz but I'm not sure. I just want the assurance that my PC is clean and free and I hope that someone can do that!
     
Thread Status:
Not open for further replies.