Need help with xlime.offeroptimizer

Discussion in 'adware, spyware & hijack cleaning' started by mhm, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. mhm

    mhm Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    Yes, I have a problem with pop-ups and it seems to be xlime.offeroptimizer that's behind this. I've read that I should post my logfile here after scanning my computer with HijackThis... well, here it goes. What should I do?

    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:01, on 2004-06-24
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program\Real\RealPlayer\RealPlay.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\QuickTime\qttask.exe
    C:\WINDOWS\System32\ovphmm.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Digital Line Detect\DLG.exe
    C:\Program\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program\DC++\DCPlusPlus.exe
    C:\Program\MSN Messenger\msnmsgr.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Windows Media Player\wmplayer.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Messenger\msmsgs.exe
    C:\My Download Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stockholminnebandy.nu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/se/sve/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/se/sve/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/se/sve/gen/default.htm
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [diagent] C:\Program\Creative\SBLive\Diagnostics\diagent.exe startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Desksite CMA] C:\Program\desksite\bin\cma.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [gmvsszsneyq] C:\WINDOWS\System32\ovphmm.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Download Demon.lnk = C:\Program Files\Netzip Download Demon\Netzip Download Demon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi mhm,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [gmvsszsneyq] C:\WINDOWS\System32\ovphmm.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\ovphmm.exe
    C:\WINDOWS\alchem.exe
    C:\WINDOWS\mxTarget.dll <= HijackThis should remove it, but better check since it seems to survive sometimes

    Regards,

    Pieter
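
Added example (not part of the thread, and not code from HijackThis): a follow-up check for the reply above, which compares a fresh HijackThis log against the entries and files it lists and reports anything that survived. The names `FIX_LIST`, `DELETE_LIST`, `RESCAN`, `entries`, `running` and `leftovers` are hypothetical, and the rescan log is constructed for illustration.

```python
import re

# Entries the reply says to fix, copied from the thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [gmvsszsneyq] C:\WINDOWS\System32\ovphmm.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
"""
# Files the reply says to delete in safe mode.
DELETE_LIST = [r"C:\WINDOWS\System32\ovphmm.exe", r"C:\WINDOWS\alchem.exe",
               r"C:\WINDOWS\mxTarget.dll"]
# Constructed follow-up scan (not from the thread); CLSID lower-cased on purpose.
RESCAN = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {0000607d-d204-42c7-8e46-216055bf9918} - C:\WINDOWS\mxTarget.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")  # "<code> - <body>"

def entries(log):
    """Set of (section code, case-folded body) for every entry line in a log."""
    hits = (ENTRY.match(line) for line in log.splitlines())
    return {(m.group(1), " ".join(m.group(2).split()).casefold()) for m in hits if m}

def running(log):
    """Case-folded paths under 'Running processes:' up to the first blank line."""
    lines = [line.strip() for line in log.splitlines()]
    if "Running processes:" not in lines:
        return set()
    block = lines[lines.index("Running processes:") + 1:]
    end = block.index("") if "" in block else len(block)
    return {path.casefold() for path in block[:end]}

def leftovers(fix_list, delete_list, rescan):
    """Return (entries still listed, files still running, files still referenced)."""
    found, wanted = entries(rescan), {p.casefold() for p in delete_list}
    still_listed = sorted(entries(fix_list) & found)
    still_running = sorted(wanted & running(rescan))
    still_referenced = sorted(p for p in wanted if any(p in body for _, body in found))
    return still_listed, still_running, still_referenced

if __name__ == "__main__":
    print(leftovers(FIX_LIST, DELETE_LIST, RESCAN))
```

Three empty lists mean the rescan no longer shows any of the listed entries or files; in the constructed rescan only the mxTarget.dll BHO is reported.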
     
  3. mhm

    mhm Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    Thanks Pieter! I think it's fixed now, thank you so much!!!
     