xadso/xlime problems

Hi,
I'm new to this forum, so hopefully I'll relay what's needed to get help. It seems I somehow clicked on the wrong thing and now keep getting popup ads, seemingly from a redirecting site with xadso or xlime in the name (hard to catch as it changes its header). I also seem to have gotten the Find4U program somehow. I've tried removing things with Spy Sweeper, previously with another program (don't remember which) and have tried to get rid of it with HijackThis. I have run CWShredder and it doesn't seem to find any problem. Here's my HijackThis logfile:

Logfile of HijackThis v1.98.2
Scan saved at 5:00:25 PM, on 9/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\gearsec.exe
C:\WINNT\System32\Identd.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\System32\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ljrnchg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\srog.exe
C:\WINNT\system32\NALWIN32.EXE
C:\WINNT\system32\naldesk.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Altru Health system
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://bau-squid.altru.net/proxycfg/proxy.pac
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Check Version] c:\ca400\cwbckver.exe LOGIN
O4 - HKLM\..\Run: [Client Access Help Update] c:\ca400\cwbinhlp.exe
O4 - HKLM\..\Run: [Client Access Service] c:\ca400\CwbSvStr.Exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ueipdrssrdk] C:\WINNT\system32\ljrnchg.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [Sory] C:\WINNT\system32\srog.exe
O4 - Startup: NAL.lnk = public\NAL.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{B490D393-AD8F-4EC0-93DA-F8166C19A97C}: Domain = altru.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B490D393-AD8F-4EC0-93DA-F8166C19A97C}: NameServer = 10.1.1.49,10.1.1.48

Advice?

Thanks,
Randy

Comments

  • edited September 2004
    Hi,
    Found the Sticky notes about running AdAware and Spybot--had run SpyBot but not AdAware. Ran both again now and here's the new log file. I think they've stopped at the moment, but I've thought that before. Here's the logfile:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:41:21 PM, on 9/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\gearsec.exe
    C:\WINNT\System32\Identd.exe
    C:\WINNT\System32\NALNTSRV.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\system32\svchost.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\System32\WMRUNDLL.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\NALWIN32.EXE
    C:\WINNT\system32\naldesk.exe
    C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
    C:\WINNT\Explorer.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Altru Health system
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://bau-squid.altru.net/proxycfg/proxy.pac
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Client Access Check Version] c:\ca400\cwbckver.exe LOGIN
    O4 - HKLM\..\Run: [Client Access Help Update] c:\ca400\cwbinhlp.exe
    O4 - HKLM\..\Run: [Client Access Service] c:\ca400\CwbSvStr.Exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
    O4 - Startup: NAL.lnk = public\NAL.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B490D393-AD8F-4EC0-93DA-F8166C19A97C}: Domain = altru.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B490D393-AD8F-4EC0-93DA-F8166C19A97C}: NameServer = 10.1.1.49,10.1.1.48

    Let me know if anything still looks amiss. Thanks,
    Randy
  • SpywareShooter 127.0.0.1
    edited September 2004
    Yep, your log looks good now. Are you having any problems at this point?
  • edited October 2004
    Thanks,
    It seems to be back to normal--other than an occasional pop-up associated with certain sites I'm browsing at the time, the large volume, immensely annoying ones have stopped. Thanks for the help.
    Randy
  • SpywareShooter 127.0.0.1
    edited October 2004
    You're welcome. :)

    I am going to close this topic now as it appears to have been resolved. If you have any more spyware problems feel free to ask here.
This discussion has been closed.
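
Added example, not part of the original thread: a small Python script that diffs the registry/startup entries of two HijackThis scans, so the autostart items that disappeared between the 5:00 PM and 6:41 PM logs can be listed rather than spotted by eye. The log excerpts are copied from the two scans above (abbreviated to a few entry lines); the function names are this example's own.

```python
import re

# Excerpts of the two scans posted in this thread (entry lines only, abbreviated).
SCAN_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ueipdrssrdk] C:\WINNT\system32\ljrnchg.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [Sory] C:\WINNT\system32\srog.exe
"""
SCAN_AFTER = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
"""

# HijackThis entry lines start with a section code such as R0, F2, O4 or O17.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

def parse_entries(log_text):
    """Map (section, lower-cased text) -> original text for every entry line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            section, body = m.groups()
            # Windows paths are case-insensitive, so compare in lower case.
            entries[(section, body.lower())] = body
    return entries

def diff_scans(before, after):
    """Return (removed, added) lists of (section, text) between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    removed = sorted((k[0], b[k]) for k in b.keys() - a.keys())
    added = sorted((k[0], a[k]) for k in a.keys() - b.keys())
    return removed, added

if __name__ == "__main__":
    removed, added = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for section, body in removed:
        print(f"- {section} - {body}")
    for section, body in added:
        print(f"+ {section} - {body}")
```

An empty "added" list alongside the expected removals is what a successful cleanup looks like; any new entry after a cleanup pass deserves a second look.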