xlime.offeroptimizer killing my citrix server!!!



#1 tclardy


Posted 14 July 2004 - 11:27 AM

:grrr: I keep getting popups and such due to xlime.offeroptimizer.com. It is bringing my Citrix server down. I have run Spy Sweeper and Spybot and they do not remove it. Please see the HijackThis log.

Please help, this is causing major problems.

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:26:06 AM, on 7/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
X:\WINDOWS\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Compaq\vcagent\vcagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\Installer\AgentSVC.exe
C:\Program Files\Citrix\Installer\saginst.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CpqRcmc.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\System32\ctxxmlss.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\encsvc.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\WINNT\System32\mfcom.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
\migrate\APPS\NadaEv\e-Valuator.exe
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\PTC\WINTELL\WinTellr.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\PTC\WINTELL\WinTellr.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\PTC\WINTELL\WinTellr.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\WINNT\System32\macromed\flash\GetFlash.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\PTC\WINTELL\WinTellr.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\PTC\WINTELL\WinTellr.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\yeyxpz.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Tickle\Tickle Hub.exe
C:\WINZIP\WZQKPICK.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Citrix\system32\icabar.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Tickle\Tickle Hub.exe
C:\WINZIP\WZQKPICK.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
D:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\PTC\WINTELL\WinTellr.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
D:\PTC\WINTELL\WinTellr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\wfshell.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
D:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\System32\macromed\flash\GetFlash.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator.NBOT\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.250:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - X:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5EB0D1C4-7631-4FB5-9393-55CEA218C493} - \\migrate\home\TSR\WINDOWS\waif.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "D:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [zgnirup] C:\WINNT\zgnirup.exe
O4 - HKLM\..\Run: [dcr] C:\WINNT\dcr.exe
O4 - HKLM\..\Run: [wfszuv] C:\WINNT\wfszuv.exe
O4 - HKLM\..\Run: [lnlwvln] X:\WINDOWS\lrjis.exe
O4 - HKLM\..\Run: [awmocaesqimyn] C:\WINNT\system32\yeyxpz.exe
O4 - HKLM\..\Run: [uidvwlnyn] C:\WINNT\system32\lwlsmmy.exe
O4 - HKLM\..\Run: [Win Server Updt] X:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Tickle Launcher.lnk = C:\Program Files\Tickle\Tickle Hub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINZIP\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Broken Internet access because of LSP provider 'x:\windows\system32\rnr20.dll' missing
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8029.7493634259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://intranet.com...ls/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nbot.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6FEBF4F-C540-43CE-AEDF-6C4F651F4887}: Domain = nbot.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6FEBF4F-C540-43CE-AEDF-6C4F651F4887}: NameServer = 10.1.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nbot.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nbot.local

#2 tclardy


Posted 15 July 2004 - 03:45 PM

Is this hopeless? Can anybody help? Any help is greatly appreciated!



