xlime crap.....help!!

Discussion in 'adware, spyware & hijack cleaning' started by dlx1, May 31, 2004.

Thread Status:
Not open for further replies.
  1. dlx1 (Registered Member; joined May 31, 2004; posts: 1)
    I have had some problems with xlime offeroptimizer and nkvd.us address redirecting, and haven't been able to remove them.
    First I ran Ad-Aware and it removed a number of registry entries, and then HijackThis as this site suggests. Can someone please help me to get rid of this.

    This is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:07:28 PM, on 05/31/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\RUNSERVICE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.EXE
    C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\BIN\VXD\FULL\MIXER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\MICROSOFT OFFICE 2000\OFFICE\WINWORD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\PROFILES\DL\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=crue
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1514/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=crue
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.flinders.edu.au/proxy.pac
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: (no name) - {69555BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Modem Booster Dialer] C:\PROGRAM FILES\MODEM BOOSTER\ModemBtr.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [ICServer] C:\PROGRAM FILES\INTERCAST\COMPONENTS\ICSERVER.EXE
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\Run: [mswspl] C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
    O4 - HKLM\..\Run: [slpaqlf] "C:\WINDOWS\SYSTEM\SLPAQLF.exe"
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [ignxuzbtfsnu] C:\WINDOWS\SYSTEM\tnowpe.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
    O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.exe
    O8 - Extra context menu item: Bookmark to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\bookmark.htm
    O8 - Extra context menu item: Clip Page to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\scrapbook.htm
    O8 - Extra context menu item: Save Image to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadImage.htm
    O8 - Extra context menu item: Save Target to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadTarget.htm
    O8 - Extra context menu item: Logoff i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\Logoff.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: SpotOn (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\SPOTON\SPOTON.DLL,-150 (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra 'Tools' menuitem: Filo (tm) Properties... (HKCU)
    O9 - Extra 'Tools' menuitem: Uninstall Filo (tm) (HKCU)
    O9 - Extra button: Big Pond (HKCU)
    O9 - Extra button: Telstra (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
    O12 - Plugin for .c3d: C:\PROGRA~1\INTERN~1\PLUGINS\NPC3DN.dll
    O12 - Plugin for .pdb: C:\PROGRA~1\INTERN~1\PLUGINS\NPC3DN.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ent: C:\PROGRA~1\INTERN~1\PLUGINS\NPC3DN.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
    O13 - DefaultPrefix: http://www.nkvd.us/1514/
    O13 - WWW Prefix: http://www.nkvd.us/1514/
    O13 - Home Prefix: http://www.nkvd.us/1514/
    O13 - Mosaic Prefix: http://www.nkvd.us/1514/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D1D6534D-197A-11D3-8039-00500471A15D} (FunctionProxy Class) - https://www.idrive.com/site/download/WinFilo.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = cc.flinders.edu.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = visp.com.au,cc.flinders.edu.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.61.170.13,129.96.252.31,129.96.1.21


    Thanks
  2. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; posts: 13,330; location: Netherlands)
    Hi dlx1,

    Before you start, please move hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. These would now end up on your desktop.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nkvd.us/s.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=crue
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1514/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=crue

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nkvd.us/s.htm

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)

    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

    O3 - Toolbar: (no name) - {69555BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll

    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe

    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\Run: [mswspl] C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
    O4 - HKLM\..\Run: [slpaqlf] "C:\WINDOWS\SYSTEM\SLPAQLF.exe"
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [ignxuzbtfsnu] C:\WINDOWS\SYSTEM\tnowpe.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

    O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

    O13 - DefaultPrefix: http://www.nkvd.us/1514/
    O13 - WWW Prefix: http://www.nkvd.us/1514/
    O13 - Home Prefix: http://www.nkvd.us/1514/
    O13 - Mosaic Prefix: http://www.nkvd.us/1514/

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Then download and run CWShredder.
    Use the Fix button and follow the instructions provided by the program.

    Then reboot into safe mode and delete:
    C:\WINDOWS\SYSTEM\bpcpost.exe
    C:\WINDOWS\SYSTEM\runonce.exe
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\WINDOWS\SYSTEM\SLPAQLF.exe
    C:\WINDOWS\SYSTEM\A.EXE
    C:\WINDOWS\SYSTEM\tnowpe.exe
    C:\WINDOWS\ALCHEM.exe
    C:\WINDOWS\SYSTEM\realupd.exe
    C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

    Then do an online virus scan; you will find several listed here: http://www.wilders.org/free_services_m.htm

    Regards,

    Pieter
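The steps above are done by hand in HijackThis, but the same triage can be expressed as code, which makes it repeatable across many logs. The following is an added example, not code from the thread, from HijackThis or from CWShredder: a small parser for HijackThis 1.x log lines that flags the indicators visible in dlx1's log (entries referencing the nkvd.us, 4-counter.com and allcybersearch.com hosts, an O16 "Download Program Files" entry that points at a local file:// path, and the O4 Run entries Pieter marked for fixing) and then derives Pieter's delete list from the flagged O4 entries. The sample log is a constructed subset of dlx1's log; `UNWANTED_RUN_LABELS` and `KEEP_FILES` encode Pieter's judgment from his reply and are assumptions, not rules HijackThis itself applies.

```python
"""Triage helper for HijackThis 1.x logs (added example, not from the thread)."""
import re

# Constructed sample: a subset of dlx1's log, one or more lines per entry type.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=crue
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [mswspl] C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
O4 - HKLM\..\Run: [slpaqlf] "C:\WINDOWS\SYSTEM\SLPAQLF.exe"
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [ignxuzbtfsnu] C:\WINDOWS\SYSTEM\tnowpe.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE
O13 - DefaultPrefix: http://www.nkvd.us/1514/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""

# Hosts that the hijacked R0/R1/O13 entries in the thread point at (assumption: analyst blocklist).
HIJACK_HOSTS = frozenset({"nkvd.us", "4-counter.com", "allcybersearch.com"})
# Run-entry labels Pieter told dlx1 to fix (assumption: analyst judgment copied from his reply).
UNWANTED_RUN_LABELS = frozenset({
    "bpcpost.exe", "mdac_runonce", "System Service", "mswspl", "slpaqlf", "systray",
    "ignxuzbtfsnu", "ALCHEM", "RealUpdater", "Windows Internet Protocol", "Windows Update Checker",
})
# Targets whose Run entry is removed but whose file stays: WMPLAYER.EXE is Windows Media Player itself.
KEEP_FILES = frozenset({"WMPLAYER.EXE"})

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<command>.*)$")
URL_RE = re.compile(r"\b(?P<scheme>[a-z]+)://(?P<host>[^/\\?#:\s]*)", re.I)


def command_path(command):
    """Extract the executable path from a Run command (quoted path or path followed by arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|dll|scr|bat|pif))(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def parse_log(text):
    """Turn 'CODE - detail' log lines into dicts; O4 Run entries get hive, key, label and path."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the running-process list are not entries
        entry = {"code": m["code"], "detail": m["detail"], "line": raw.strip()}
        o4 = O4_RE.match(entry["detail"]) if entry["code"] == "O4" else None
        if o4:
            entry.update(hive=o4["hive"], key=o4["key"], label=o4["label"],
                         path=command_path(o4["command"]))
        entries.append(entry)
    return entries


def flag_reasons(entry, unwanted_labels):
    """Return the list of reasons an entry is suspicious (empty list means clean)."""
    reasons = []
    for url in URL_RE.finditer(entry["detail"]):
        host = url["host"].lower()
        if entry["code"] == "O16" and url["scheme"].lower() == "file":
            reasons.append("O16 ActiveX download entry points at a local file")
        if any(host == d or host.endswith("." + d) for d in HIJACK_HOSTS):
            reasons.append(f"references hijack host {host}")
    if entry["code"] == "O4" and entry.get("label") in unwanted_labels:
        reasons.append("Run entry marked unwanted by the analyst")
    return reasons


def triage(text, unwanted_labels=frozenset(), keep_files=frozenset()):
    """Return (flagged entries with reasons, file paths to delete from flagged Run entries)."""
    flagged, delete = [], []
    for entry in parse_log(text):
        reasons = flag_reasons(entry, unwanted_labels)
        if not reasons:
            continue
        flagged.append((entry["line"], reasons))
        path = entry.get("path")
        if entry["code"] == "O4" and path and path.rsplit("\\", 1)[-1].upper() not in keep_files:
            delete.append(path)
    return flagged, delete


if __name__ == "__main__":
    flagged, delete = triage(SAMPLE_LOG, UNWANTED_RUN_LABELS, KEEP_FILES)
    for line, reasons in flagged:
        print(f"FIX    {line}\n       {'; '.join(reasons)}")
    print("\nDelete in safe mode:")
    for path in delete:
        print("  " + path)
```

The host and file:// rules fire on their own; the O4 rule deliberately does not, because a Run label or path alone does not tell a script whether the target is malware or a legitimate program, which is exactly the judgment Pieter supplied (the `mswspl` entry is removed, its WMPLAYER.EXE target is not). BHO (O2) and toolbar (O3) lines, which Pieter also checked, still need the CLSID or DLL name looked up by hand.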