Xlime...Killing Me

Discussion in 'adware, spyware & hijack cleaning' started by Tank_D, Mar 24, 2004.

Thread Status:
Not open for further replies.
  1. Tank_D

    Tank_D Guest

    Hi, I have run SpyBot and can't get rid of these stupid popups can anyone assist. Here's my Log. Thanks!!!


    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:45 AM, on 3/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\ePOAgent\naimas32.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\WinMX\WinMX.exe
    C:\Documents and Settings\mtanks\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {05A51493-1026-4F93-A359-86609F2F3476} - C:\WINNT\sz6d.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll (file missing)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - (no file)
    O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
    O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [gPpA] C:\WINNT\um0pir7p.exe
    O4 - HKLM\..\Run: [updater] C:\RECYCLER\S-1-5-21-507921405-261903793-725345543-500\Dc7\wupdater.exe
    O4 - HKLM\..\Run: [RVP] "C:\RECYCLER\S-1-5-21-1998280219-2088136258-456279356-10356\Dc799\bpc.exe"
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
    O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\RunOnce: [MovingCacheA Wininet Settings] rundll32.exe C:\WINNT\system32\wininet.dll,RunOnceUrlCache C:\DOCUME~1\mtanks\LOCALS~1\TEMPOR~1
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlanta.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlanta.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlanta.local
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Tank_D,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. On your desktop this will make a mess.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {05A51493-1026-4F93-A359-86609F2F3476} - C:\WINNT\sz6d.dll

    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll (file missing)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - (no file)
    O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
    O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - (no file)

    O4 - HKLM\..\Run: [gPpA] C:\WINNT\um0pir7p.exe
    O4 - HKLM\..\Run: [updater] C:\RECYCLER\S-1-5-21-507921405-261903793-725345543-500\Dc7\wupdater.exe
    O4 - HKLM\..\Run: [RVP] "C:\RECYCLER\S-1-5-21-1998280219-2088136258-456279356-10356\Dc799\bpc.exe"
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP

    Then reboot and delete:
    C:\Program Files\BulletProofSoft.com <= entire folder
    C:\Program Files\Common Files\Dpi <= entire folder
    C:\WINNT\um0pir7p.exe

    Regards,

    Pieter
     
  3. Tank_D

    Tank_D Guest

    Thanks! Seems like that did it. You're a great help and I appreciate it!!!!

    Here's my new file.


    Logfile of HijackThis v1.97.7
    Scan saved at 12:19:31 PM, on 3/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\ePOAgent\naimas32.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\mobsync.exe
    C:\ePOAgent\naimag32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe
    C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\mtanks\Desktop\hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlanta.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlanta.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlanta.local
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good job, and read this on how to prevent future infections: http://boards.cexx.org/viewtopic.php?t=957

    And stay away from Trek Blue and BulletProofSoft. They are worse then the spyware they promise to target.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.