xlime optimizer infection

Hi, I keep on getting annoying pop-ups from xlime optimizer. Here is the log of
I would appreciate if you could let me know what to delete from the list. Thanks

----

Logfile of HijackThis v1.98.2
Scan saved at 21:12:24, on 15/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Utilities\Norton Antivirus\defwatch.exe
C:\Programs\System\DiskeeperPro\DkService.exe
C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Programs\Utilities\Norton Antivirus\rtvscan.exe
C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programs\Utilities\Norton Antivirus\vptray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\Internet\WinMX\WinMX.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programs\Internet\Ad-aware\Ad-aware.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1982.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPrograms%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programs\Internet\DAP\DAPBHO.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programs\Programs\Acrobat\AcrobatWriter\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Programs\Programs\Acrobat\AcrobatWriter\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programs\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Programs\Programs\Acrobat\AcrobatWriter\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Programs\Utilities\Norton Antivirus\vptray.exe
O4 - HKLM\..\Run: [vqizaggqoaqns] C:\WINDOWS\System32\uzuydr.exe
O4 - HKLM\..\Run: [Video Process] qpatovp.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\RunServices: [Video Process] qpatovp.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Programs\Internet\WinMX\WinMX.exe -m
O4 - HKCU\..\RunServices: [Video Process] qpatovp.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Programs\Internet\FrontPage\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Internet\FrontPage\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\Programs\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programs\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\Programs\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Programs\Internet\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\Programs\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDA7174-00D9-45E6-9469-315E1DFA6C42}: NameServer = 200.204.0.10,200.204.0.138

Comments

  • SpywareShooterSpywareShooter 127.0.0.1
    edited September 2004
    Welcome to Short Media forums.

    Before doing the following, please Set your computer to show hidden files and folders, Disable System Restore, and Reboot in Safe Mode.

    Once you have done that, Run HijackThis and have it fix the following:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programs\Internet\DAP\DAPBHO.dll
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programs\Internet\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [vqizaggqoaqns] C:\WINDOWS\System32\uzuydr.exe
    O4 - HKLM\..\Run:
    [Video Process] qpatovp.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\RunServices: [Video Process] qpatovp.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe



    Then find and locate the files listed above and Quarentine Them.

    Once you have done that, reboot, scan with HijackThis again, and post a new log.
  • edited September 2004
    Thanks a lot for your help. While you were analysing my HJT log file, I discovered a W32.Spybot virus that I killed. I fixed the HJT files and here is my new log. Could you confirm that my PC is now "clean" ?

    Thanks a lot for your great and quick support !


    Logfile of HijackThis v1.98.2
    Scan saved at 23:15:19, on 15/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programs\Utilities\Norton Antivirus\defwatch.exe
    C:\Programs\System\DiskeeperPro\DkService.exe
    C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Programs\Utilities\Norton Antivirus\rtvscan.exe
    C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programs\Utilities\Norton Antivirus\vptray.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programs\Internet\WinMX\WinMX.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis1982.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPrograms%5CInternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.js)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Programs\Programs\Acrobat\AcrobatWriter\Acrobat\AcroIEFavClient.dll (file missing)
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\Programs\Utilities\Norton Antivirus\vptray.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WinMX] C:\Programs\Internet\WinMX\WinMX.exe -m
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programs\Internet\FrontPage\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programs\Internet\FrontPage\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\Programs\Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\Programs\Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDA7174-00D9-45E6-9469-315E1DFA6C42}: NameServer = 200.204.0.10,200.204.0.138
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    You should get rid of the following:


    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPrograms%5CInternet%5CNetscape%5Csearchplug ins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.j s)

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Programs\Programs\Acrobat\AcrobatWriter\Acrobat \AcroIEFavClient.dll (file missing)

    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE

    O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu

    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

    Reboot, and post one more log after this.
  • edited September 2004
    Thanks for your feedback, Primesuspect. I did what you recommended, here is the log of HJT after your proposed deletions. Is my PC now cleaned and safe ?

    Thanks


    Logfile of HijackThis v1.98.2
    Scan saved at 20:21:11, on 17/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programs\Utilities\Norton Antivirus\defwatch.exe
    C:\Programs\System\DiskeeperPro\DkService.exe
    C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Programs\Utilities\Norton Antivirus\rtvscan.exe
    C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programs\Internet\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programs\Utilities\Norton Antivirus\vptray.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis1982.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Alain/HomePages/alain.htm
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l7137oxv.slt\prefs.js)
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\Programs\Utilities\Norton Antivirus\vptray.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\Programs\Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\Programs\Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDA7174-00D9-45E6-9469-315E1DFA6C42}: NameServer = 200.204.0.10,200.204.0.138
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Looks good to me :)

    Be sure to check out our folding team (Link in my sig). We would love to have you :)
This discussion has been closed.