Please help me get rid of xlime.offeroptimizer

Hi amerigor and welcome to A2K
Need you to do a couple things please,
First,
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Drag HJT into it please, Don't weant HJT sitting in a Temp folder. Best to have it sitting in a dedicated folder,

Make sure both Ad-aware and Spybot are updated and run another scan with both of them please,

Next Reboot to safe mode ( Start tapping F8 on start up )
Run another scan with Ad-aware and spybot again while in safe mode,

Have Ad-aware fix all it finds, Have Spybot fix all it finds in Red.

Restart your computer,
Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.

Then scan again with HijackThis and post another log.

Working better now
Thanks for the tips. I did as you said and it worked better for about an hour and then the popups came back. A friend told me to delete the following from the HJT list:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKLM\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKLM\..\Run: [rjzmmejtmr] C:\WINDOWS\System32\fzcnfw.exe
O4 - HKLM\..\Run: [infopc] C:\WINDOWS\Driver Cache\infopc.exe
O4 - HKLM\..\Run: [tdsapin] C:\WINDOWS\system32\tdsapin.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe



Finally the popups have stopped. Thanks again. Here is a new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:22:15 AM, on 3/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\FEELitDM.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\IMMERS~1\IMMERS~1.1\IDesktop.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\hpis\common\MOTIVE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monicalovesme\Local Settings\Temp\Temporary

Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.hp.com/notebooks/pavilion/e-center
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://yahoo.sbc.com/dsl
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} -

C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -

C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection -

{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program

Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint

Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [Motive SmartBridge]

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IDesktop] C:\PROGRA~1\IMMERS~1\IMMERS~1.1\IDesktop.exe 1
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program

Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program

Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program

Files\Hewlett-Packard\hpis\" -boot
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP

Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP

Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe

/startup
O4 - Startup: DSL Connection.lnk = C:\WINDOWS\system32\rasphone.exe
O4 - Startup: Shortcut to CManager.lnk = C:\Program Files\SBC\Connection

Manager\CManager.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft

Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft

Office\Office\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program

Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} -

C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O14 - IERESET.INF:

START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} -

http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -

http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{CF43374D-4025-42FE-8D6C-0CB1E33BB64D}:

NameServer = 206.13.29.12 206.13.30.12
O23 - Service: FEELitDM - Immersion Corporation -

C:\WINDOWS\System32\FEELitDM.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard -

C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard -

C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: tbaspi - Unknown owner - C:\Program Files\Turtle

Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 -

C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe

Well, you haven't exactly done as recommended - HJT still is not where it oughtta be. Your freind was right about deletin' those files though. Still, there's a lot left to do there. You have a couple different infections goin' on yet; namely ABetterInternet and SideStep, and there may be others I haven't noticed. Dunno where Don's at, but I'll try to help ya out if you'd like.

Were there any files ActiveScan and/or Housecall listed as "Unable to delete?"

If you would please, put HJT into its own folder on your root drive, as Don recommended. Please run it from there, and have it generate some logs I'd like to see.

When it opens, click the 4th bar, "Open the Misc Tools section",



locate "StartupList (integrated v1.52), place a checkmark in both boxes, "List also minor sections (full)" and "List empty sections (complete)", then click "Generate StartupList log". Save that log to post back here.

Next, still in HJT's Misc Tools utility, click the 3rd bar, "Open hosts file manager". When that opens, select the "Open in Notepad" button, and save that log to post back here.

Next, still in HJT's Misc Tools utility, click the 7th bar, "Open Uninstall Manager", and when that opens, select "Save list...", save the list (it will be named "uninstall_list .txt") to a convenient-to-find location - the HJT folder would be fine.





When you've done all that, close HJT and post the requested logs back to this thread. Thanks.

Also, before we go any further, I'd like you to make sure your Windows is operatin' OK apart from your browser problems, because in the next phase, we're gonna deactivate System Restore temporarily, and clear all the stored recovery points.