Xlime optimizer help

Discussion in 'adware, spyware & hijack cleaning' started by Helpplz, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. Helpplz

    Helpplz Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    2
    Ok. So I have a spybot..xlime optimizer. Need help to completely clean system of this problem. Here is my hijackthis log. Plz refer to bottom for explaination for colors.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:55:33 AM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\WINDOWS\System32\lhkgnt.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Niel\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rage-board.com/rageboard/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [wlwehjrawojae] C:\WINDOWS\System32\lhkgnt.exe
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\setup.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/02bfc560656e36058419/netzip/RdxIE601.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://support.vugames.com/betasubmission/sysinfo/Si.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4302/mcfscan.cab


    RED - Pretty sure these belong to xlime. Just need to to verify that these are actually ok to "fix"

    ORANGE - I wanted to point out support.exe because while i was trying to get rid of the spybot, I came across this email worm the W32.Akosw@mm virus. If you know an good program that can detect and clean this it would be appreciated. My Norton Professional fully updated couldnt find it...but as you can see it is clearly there.

    GREEN - These look suspicious to me, but I am not sure. The http://support.vugames.com/betasubmission/sysinfo/Si.cab is where im pretty sure i got the xlime from....but I dont know.

    Also, while trying to clean this xlime from my system...I had difficulty deleting the mxTarget.dll. I was successful in deleting wsem218.dll, but mxTarget recopies itself. And yes i did indeed unregister the dll before trying to delete it. regsvr32 /u mxTarget.dll

    Thank you for any and all help that you can provide.
     
    Helpplz, Jun 25, 2004
    #1
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The orange is probably fine (at least virally) and Symantec is correct - leave it for now

    Get rid of the greens with the browser closed (it's almost always fine to remove O16's)

    Lets start with some of the nastier stuff
    This one has to go for sure
    O4 - HKLM\..\Run: [wlwehjrawojae] C:\WINDOWS\System32\lhkgnt.exe
    Delete the file from SAFE mode after removing the startup using HJT and clean your internet cache and temp files.

    This red one
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    you shouln't do anything with - it's fine

    The wsaupdater part of this one
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
    also has to go.
    For the most part it works just fine to remove it with HJT but I'd like u to read this one in advance
    http://www.lavahelp.com/articles/v6/04/06/0901.html
    just in case!
    This one
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    is also part of it,

    Here's some slightly out of date links on BlazeFind (which is where it comes from)
    http://www.kephyr.com/spywarescanner/library/iesearchbar/index.phtml
    http://www.pestpatrol.com/pestinfo/b/blazefind.asp
    http://www.doxdesk.com/parasite/ISTbar.html

    When you're done
    Download Spybot - Search and Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer windows, hit 'Check for Problems', and after SpyBotSD has completed it's scan push the 'Fix checked' button for all that it has automatically selected.
     
    Last edited: Jun 25, 2004
    IMM, Jun 25, 2004
    #2
  3. Helpplz

    Helpplz Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    2
    thank you for your help. Much appreciated :)
     
    Helpplz, Jun 25, 2004
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...