The incredible edible xlime (another one)

Discussion in 'adware, spyware & hijack cleaning' started by Spamtek, May 30, 2004.

Thread Status:
Not open for further replies.
  1. Spamtek

    Spamtek Registered Member

    Joined:
    May 30, 2004
    Posts:
    1
    Okay, I've been grappling with this bug on my own for at least six hours and I'm ready to admit that I've been outdone by a scrap of software. I'll try to explain my problem in as much excruciating detail as I can muster:

    It all started when I managed to contract the ISTBar dealie off of some gaming site, which was what initially prompted me to grab ad-aware, spybot, etc... The two programs combined managed to find a veritable cornucopia of advertising trash on my computer, including ISTBar, which they seemed to get rid of nicely enough, and so I figured the day was won.

    But then the xlime popups started. Every few page browses a pop-nowhere window (wouldn't actually show at all when clicked) with the address "xlime.somethingican'tremember..." would spawn itself, run for a few seconds, then close. Probably tracking my clicks or something, Idunno. Running Ad-Aware/Spybot again, they kept on showing up with instances of vx2.betterinternet (ad-aware) or vx2/f (spybot). Of course, spybot only ever seems to detect a few registry keys, but adaware typically discovers ~20 vx2 files every time I scan and restart.

    Alright, so I know (or at least I think I know) that twaintec.dll is probably at the bottom of all this, but it will not - and I mean WILL NOT - go away. Things I've done:

    -Scan using ad-aware (full hard drive scan) and spybot, delete files. twaintec.dll doesn't even get touched by this.

    -manually rename/delete twaintec.dll by myself. Alternately, manually unregister it with "regsvr32 /u c:\winnt\twaintec.dll", then delete.

    -Disable System Restore, on the off-chance that it's propagating itself from a backed up restore point.

    -Mucked through my temp files ("c:\documents and settings\owner\local settings\temp"). I found a dozen twaintec.inis there, one full ensemble of twaintec.dll, twaintec.ini, and preinstt.exe, as well as 3-4 other spyware programs from god-knows-where. All deleted.

    -Run a system search for all files containing the word "twaintec". Nothing suspect pops up, or at least nothing I didn't know about before.

    -"fix" the BHO object listed as twaintec.dll in HijackThis, then delete on next reboot.

    -use CWShredder and vx2finder, repeatedly. Neither found anything.

    -Institute Spybot's immunization thingie and JavaCoolSoftware's SpywareBlaster.

    -Tried most of the above in safe mode.


    In every instance, within two reboots twaintec.dll was back right where it used to be, with all its associated turds (including, of course, the xlime popups). It will not die. Interestingly, it dates itself as being last modified in February, so it's my guess that it's getting re-extracted from an archive or executable somewhere.

    I didn't notice anything else suspect in my hijackthis log, but if I knew what I was talking about I'd have kicked this bug in the ass quite some time ago, so I'll just leave it to the pros - I sincerely hope you can find something I've overlooked:

    (note that BHO: twaintec.dll isn't on here because I futilely attempted to fix/delete again. If I rebooted, it probably would be again.)

    ----------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 8:53:34 AM, on 5/30/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
    C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
    C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINNT\System32\rruzgz.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = World Wide What?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
    O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zlxizujqpyb] C:\WINNT\System32\rruzgz.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: messenger.hotmail.com
    O15 - Trusted Zone: login.passport.com
    O15 - Trusted Zone: loginnet.passport.com
    O15 - Trusted Zone: memberservicesnet.passport.net
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3862AAA4-0C36-4B66-AD5A-7E8131D372DF}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3862AAA4-0C36-4B66-AD5A-7E8131D372DF}: NameServer = 198.77.116.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3862AAA4-0C36-4B66-AD5A-7E8131D372DF}: Domain = direcway.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3862AAA4-0C36-4B66-AD5A-7E8131D372DF}: NameServer = 198.77.116.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3862AAA4-0C36-4B66-AD5A-7E8131D372DF}: Domain = direcway.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3862AAA4-0C36-4B66-AD5A-7E8131D372DF}: NameServer = 198.77.116.8
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Spamtek,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)

    O4 - HKLM\..\Run: [zlxizujqpyb] C:\WINNT\System32\rruzgz.exe

    Then reboot, preferably into safe mode, and delete:
    C:\WINNT\System32\rruzgz.exe

    As a general remark: it is not always advisable to unregister suspect .dlls, since they are sometimes rigged to make things worse when that happens.

    Regards,

    Pieter
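
Added example, not part of either post and not a HijackThis feature: a small Python triage script that applies the two checks behind Pieter's reply to a HijackThis log. It parses the O2 (BHO) and O4 (Run key) entries, flags any BHO whose file is reported as "(no file)", and flags Run entries where both the value name and the launched executable's name are unpronounceable lowercase strings, the pattern seen in the [zlxizujqpyb] / rruzgz.exe line above. The sample log excerpt is constructed from lines quoted in this thread; the vowel-ratio threshold and minimum length are assumptions chosen to match that naming style, not a published rule, and the script only reports, it changes nothing.

```python
import re

# Constructed sample input: a handful of O2/O3/O4 lines copied from the log
# quoted in this thread. Not a complete HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zlxizujqpyb] C:\WINNT\System32\rruzgz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
"""

# O2 - BHO: <name> - {CLSID} - <path or "(no file)">
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# O4 - HKLM\..\Run: [<value name>] <command line>   (Global Startup lines are ignored)
RUN_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[A-Za-z]*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
# First executable on a command line, quoted or not; stops at the closing quote or next space.
EXE_RE = re.compile(r'"?(?P<exe>.+?\.[A-Za-z]{3})(?:"|\s|$)')


def looks_random(name: str, min_len: int = 6, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic (an assumption, not a rule): all-lowercase letters, at least
    min_len long, and too few vowels to be a pronounceable word."""
    if len(name) < min_len or not re.fullmatch(r'[a-z]+', name):
        return False
    vowels = sum(ch in 'aeiou' for ch in name)
    return vowels / len(name) <= max_vowel_ratio


def exe_stem(cmd: str) -> str:
    """Return the executable's file name without directory or extension."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return ''
    base = m.group('exe').rsplit('\\', 1)[-1]
    return base.rsplit('.', 1)[0]


def triage(log_text: str):
    """Return (entry type, identifier, reason) tuples for entries worth review."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m.group('path').strip() == '(no file)':
                findings.append(('O2', m.group('clsid'), 'BHO registered but its file is missing'))
            continue
        m = RUN_RE.match(line)
        if m:
            value, cmd = m.group('value'), m.group('cmd')
            if looks_random(value) and looks_random(exe_stem(cmd)):
                findings.append(('O4', value, 'random-looking autostart name launching ' + cmd))
    return findings


if __name__ == '__main__':
    for kind, ident, reason in triage(SAMPLE_LOG):
        print(f'{kind} {ident}: {reason}')
```

On the sample above the script reports exactly the two entries Pieter asked to be fixed: the orphaned BHO {B930BA63-9E5A-11D3-A288-0000E80E2EDE} and the [zlxizujqpyb] Run value, while leaving ccApp, GWMDMMSG, nwiz and ctfmon.exe alone. The two-sided name test (value name and file name both random-looking) is what keeps legitimate but terse names such as ctfmon from tripping it.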
     