xlime removal

[JWE01]

Hello,
I am new to this and would like some help removing XLIME ads that keep poping up, I ran adaware, spybot, and Hijack this. Still no luck any tips.

Thanks,

[Undeadlord]

http://forums.maddoktor2.com/index.php?showtopic=2066

Second post down has detailed directions that should help you.

You can download Hijackthis here http://www.spychecker.com/program/hijackthis.html

Undeadlord

[JWE01]

I ran HIjack this but the Xlime ads still appear. Any other suggestions?

[JWE01]

Actually the name of the pop up is xlime.adofferoptimizer.com I CAN't be the only one getting this thing.

[nomaxim]

Welcome to TechIMO.

First off this should be in the Security and Privacy forum. Not community. You can ask a Mod to move it for you.

Second, post your 'Hijackthis' log. Hijackthis will not remove anything by itself. The link that Undeadlord gave tells you how to remove it manually.

[Chuckiechan]

Try doing a search for xlime on your computer. You may need to go to safe mode to delete it.

What browser are you running?

BTW: Welcome to Techimo!

[Undeadlord]

Sorry about that, maybe I should have been abit more clear. Hijackthis just gives you a quick overview of some settings and programs that are running. Its up to you to take that data and use it to remove the Xlime Ads.

The first link I gave should have had directions for doing that.

Undeadlord

[JWE01]

Thanks for the help guys, Here is the log I got from Hijack this but I don't see the Xlime in there anywhere.

Logfile of HijackThis v1.99.0
Scan saved at 8:04:46 AM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Windows\system32\MsgSys.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\fzocqgq.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff Evans\Desktop\HijackThis.exe

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\Windows\ZServ.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [baksakeogp] C:\Windows\system32\fzocqgq.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O23 - Service: Ati HotKey Poller - Unknown - C:\Windows\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

[paul9]

under suspicion immediatetly are any references to fzocqgq.exe and wscntfy.exe. google them. the second may be legit, but check it anyway.
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\Windows\ZServ.dll may warrant further investigation.
fzocqgq.exe is 99% certain malware.

[paul9]

wscntfy.exe is part of windows.
fzocqgq.exe won't google. it is now 99.98% certain to be malware. it is probably one of the random name changing type programs, so it runs with a different process name every time it starts.
http://www.doxdesk.com/parasite/Transponder.html talks about ZServ.dll