xlime

Discussion in 'adware, spyware & hijack cleaning' started by antigon, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. antigon

    antigon Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    3
    Please help me. I got the xlime.offeroptimizer spyware. Here is my saved log.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:43:50, on 19/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    C:\WINDOWS\TWAIN_32\SiPix\SC-2300\SC23Exec.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\PL15Co2K.exe
    C:\WINDOWS\System32\hljwnxv.exe
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\KEYBDMGR.EXE
    C:\PROGRA~1\Netropa\Onscre~1\OSD.exe
    C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
    C:\WINDOWS\TWAIN_32\SiPix\SC-2300\SC23CamC.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMUSBKB2.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\All Downloads\HijackThis1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://videos.tf1.fr/pubIframe/0,,e3JlZnJlc2hUaW1lIHRhZ1B1YiBVTlZfSUQgQ0hBSU5FX0lEIFJVQl9JRCBJUEdfSUR9IHszMCBUb3AgMSAxNTAwIDI5NTc5OCAxNTA0NTI1fQ==,00.html");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src");
    user_pref("browser.startup.homepage", "www.google.fr");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("browser.toolbars.showbutton.AimPT", false);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, windows-1252, windows-1251, UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_submit_insecure", false);
    user_pref("signon.SignonFileName", "65112675.s");
    user_pref("timebomb.first_launch_time", "1065112557726000");
    user_pref
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://videos.tf1.fr/pubIframe/0,,e3JlZnJlc2hUaW1lIHRhZ1B1YiBVTlZfSUQgQ0hBSU5FX0lEIFJVQl9JRCBJUEdfSUR9IHszMCBUb3AgMSAxNTAwIDI5NTc5OCAxNTA0NTI1fQ==,00.html");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src");
    user_pref("browser.startup.homepage", "www.google.fr");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("browser.toolbars.showbutton.AimPT", false);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, windows-1252, windows-1251, UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_submit_insecure", false);
    user_pref("signon.SignonFileName", "65112675.s");
    user_pref("timebomb.first_launch_time", "1065112557726000");
    user_pref
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\BPK\bpkwb.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SC2300USBPNP] C:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SaitekAutoConfigure] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SC2300CamCheck] C:\WINDOWS\TWAIN_32\SiPix\SC-2300\SC23Exec.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [VC_Log] C:\Program Files\PaqTool\Keylog\KeyLog.exe
    O4 - HKLM\..\Run: [Wspn] c:\windows\wspn.exe
    O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [fnphebpdsukb] C:\WINDOWS\System32\hljwnxv.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Télécharger avec &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: Organise-notes (HKLM)
    O9 - Extra button: RapidReader (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/fr/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.4896180556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74CA7733-A866-4330-B802-72A1112F8901}: NameServer = 212.27.39.2 212.27.32.177

    thanks guys
     
  2. antigon

    antigon Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    3
    bump
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi antigon,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O4 - HKLM\..\Run: [Wspn] c:\windows\wspn.exe

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [fnphebpdsukb] C:\WINDOWS\System32\hljwnxv.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Then reboot and delete:
    c:\windows\wspn.exe
    C:\WINDOWS\System32\bridge.dll

    Regards,

    Pieter
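The triage Pieter applies above (nameless BHOs loaded from the Windows directory or pointing at a missing file, a Run value with a random-looking name, a DPF entry with no download URL) can be written down as a first-pass filter over a HijackThis log. The following Python is an added example and is not part of this thread or of HijackThis itself; the three heuristics are my own assumptions about what makes an entry worth a second look, and the sample lines are copied from the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\BPK\bpkwb.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Wspn] c:\windows\wspn.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [fnphebpdsukb] C:\WINDOWS\System32\hljwnxv.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption behind the BHO rule: a nameless BHO dropped straight into the
# Windows tree (rather than under Program Files) is unusual for legitimate software.
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    line: str      # the log line that triggered the rule
    reason: str    # why it was flagged


def looks_random(name: str) -> bool:
    """Crude heuristic for machine-generated Run value names such as 'fnphebpdsukb':
    purely alphabetic, at least 8 characters, and fewer than 20% vowels.
    Short names (e.g. 'Wspn') slip through; this is a first pass, not a verdict."""
    s = name.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in s)
    return vowels / len(s) < 0.2


def bho_reason(name: str, path: str):
    """Return a reason string if a BHO entry deserves review, else None."""
    p = path.lower()
    if p == "(no file)":
        return "BHO is registered but its DLL is missing"
    if name == "(no name)" and p.startswith(WINDOWS_DIRS):
        return "nameless BHO loaded from the Windows directory"
    return None


def triage(log_text: str):
    """Parse O2/O4/O16 lines and return the entries the heuristics flag, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            reason = bho_reason(m["name"], m["path"])
            if reason:
                findings.append(Finding("O2", line, reason))
            continue
        m = RUN_RE.match(line)
        if m:
            if looks_random(m["value"]):
                findings.append(Finding("O4", line, f"Run value name {m['value']!r} looks random"))
            continue
        m = DPF_RE.match(line)
        if m and not m["url"]:
            findings.append(Finding("O16", line, "DPF entry with no download URL"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the filter flags the four O2 entries, the `[fnphebpdsukb]` Run value and the empty DPF entry from Pieter's list, and leaves the Google toolbar BHO (nameless, but under Program Files) and the NVIDIA rundll32 entry alone. It does not catch `[Wspn] c:\windows\wspn.exe` or the `[RunDLL]` loader for bridge.dll, which Pieter spotted by reading the log; rules like these narrow the list for a reviewer, they do not replace one.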
     
  4. antigon

    antigon Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    3
    Thanks man, obviously it is working!! No more xlime popup! Thanks again.
    But just so you know, when I restarted HijackThis, I did not find
    " O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll "
    (but I deleted bridge.dll in c:\windows after reboot even though I didn't find it in HijackThis)

    and after reboot I don't find wspn.exe in c:\windows\ whereas it was in the HijackThis scan.

    Anyway, the most important thing is I don't get these popups.

    Thanks again Pieter
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands