xlime

Discussion in 'adware, spyware & hijack cleaning' started by antigon, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. antigon

    antigon Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    3
    please help me. i got the xlime.offeroptimizer spyware. here is my savelog.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:43:50, on 19/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    C:\WINDOWS\TWAIN_32\SiPix\SC-2300\SC23Exec.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\PL15Co2K.exe
    C:\WINDOWS\System32\hljwnxv.exe
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\KEYBDMGR.EXE
    C:\PROGRA~1\Netropa\Onscre~1\OSD.exe
    C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
    C:\WINDOWS\TWAIN_32\SiPix\SC-2300\SC23CamC.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMUSBKB2.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\All Downloads\HijackThis1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://videos.tf1.fr/pubIframe/0,,e3JlZnJlc2hUaW1lIHRhZ1B1YiBVTlZfSUQgQ0hBSU5FX0lEIFJVQl9JRCBJUEdfSUR9IHszMCBUb3AgMSAxNTAwIDI5NTc5OCAxNTA0NTI1fQ==,00.html");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src");
    user_pref("browser.startup.homepage", "www.google.fr");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("browser.toolbars.showbutton.AimPT", false);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, windows-1252, windows-1251, UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_submit_insecure", false);
    user_pref("signon.SignonFileName", "65112675.s");
    user_pref("timebomb.first_launch_time", "1065112557726000");
    user_pref
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://videos.tf1.fr/pubIframe/0,,e3JlZnJlc2hUaW1lIHRhZ1B1YiBVTlZfSUQgQ0hBSU5FX0lEIFJVQl9JRCBJUEdfSUR9IHszMCBUb3AgMSAxNTAwIDI5NTc5OCAxNTA0NTI1fQ==,00.html");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src");
    user_pref("browser.startup.homepage", "www.google.fr");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("browser.toolbars.showbutton.AimPT", false);
    user_pref("intl.charsetmenu.browser.cache", "us-ascii, windows-1252, windows-1251, UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_submit_insecure", false);
    user_pref("signon.SignonFileName", "65112675.s");
    user_pref("timebomb.first_launch_time", "1065112557726000");
    user_pref
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\BPK\bpkwb.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SC2300USBPNP] C:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SaitekAutoConfigure] C:\Program Files\Saitek\ST\Drv\saicnfig.exe /autorun
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SC2300CamCheck] C:\WINDOWS\TWAIN_32\SiPix\SC-2300\SC23Exec.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [VC_Log] C:\Program Files\PaqTool\Keylog\KeyLog.exe
    O4 - HKLM\..\Run: [Wspn] c:\windows\wspn.exe
    O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [fnphebpdsukb] C:\WINDOWS\System32\hljwnxv.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Télécharger avec &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: Organise-notes (HKLM)
    O9 - Extra button: RapidReader (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/fr/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.4896180556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74CA7733-A866-4330-B802-72A1112F8901}: NameServer = 212.27.39.2 212.27.32.177

    thanks guys
     
  2. antigon

    antigon Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    3
    bummp
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antigon,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O4 - HKLM\..\Run: [Wspn] c:\windows\wspn.exe

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [fnphebpdsukb] C:\WINDOWS\System32\hljwnxv.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Then reboot and delete:
    c:\windows\wspn.exe
    C:\WINDOWS\System32\bridge.dll

    Regards,

    Pieter
     
  4. antigon

    antigon Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    3
    thanks man, obviously it is working !! no more xlime popup ! thanks again
    but just so you know, when I restart hijackthis, i did not find
    " O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll "
    (but i delete bridge.dll in c:\windows after reboot even if i don't find it in hijackthis)

    and after reboot i don't find wspn.exe in c:\windows\ whereas it was in hijack this scan.

    anyway, the most important is i don't get these popups.

    thanks again pieter
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
Thread Status:
Not open for further replies.