Author Topic: trojan horse problem (Read 2532 times)

guestolo · « **Reply #20 on:** January 15, 2006, 05:47:40 PM »

Very sorry for the delay monkeeman
I had to leave town for a couple nights

Can you do the following please

Create a new restore point to fall back on, in case we need it
Can you download RegSeeker from here please
http://www.hoverdesk.net/freeware.htm
Unzip the contents too desktop
Open the RegSeeker Folder and double click on RegSeeker.exe
Click on "Clean the registry" in the left menu
Hit OK
Let it finish scanning and then ensure Backup before deletion is checked
Choose "Select all"
Right click and Delete all selected

Run hijackthis again and fix check the following with all other windows closed

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Reboot the computer

Come back here and post a fresh hijackthis log
Ensure you include the whole log please, don't cut off the top part of it

Could you also run these thru RegSrch.vbs again and post the results
startup manager
windows setup manager

Additionally, can you download and unzip to it's own folder
Servicefilter.zip
Run Servicefilter.vbs
a text will be created in the same folder
Can you post the PostThis please

monkeeman · « **Reply #21 on:** January 15, 2006, 07:49:07 PM »

Logfile of HijackThis v1.99.1
Scan saved at 00:40:59, on 16/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D9F7B63-EC7C-43FF-A41D-6E9EC984A5B9} (GGSecSign Class) - https://secure.gateway.gov.uk/java/GGSecSign.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

hijack this log^

RegSrch results

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "windows setup manager" 16/01/2006 00:43:38

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STARTUP_MANAGER\0000]
"DeviceDesc"="windows setup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\startup manager]
"DisplayName"="windows setup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_STARTUP_MANAGER\0000]
"DeviceDesc"="windows setup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\startup manager]
"DisplayName"="windows setup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STARTUP_MANAGER\0000]
"DeviceDesc"="windows setup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\startup manager]
"DisplayName"="windows setup manager"

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "startup manager" 16/01/2006 00:42:34

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STARTUP_MANAGER\0000]
"Service"="startup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\startup manager]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\startup manager\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\startup manager\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_STARTUP_MANAGER\0000]
"Service"="startup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\startup manager]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\startup manager\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STARTUP_MANAGER\0000]
"Service"="startup manager"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\startup manager]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\startup manager\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\startup manager\Enum]

monkeeman · « **Reply #22 on:** January 15, 2006, 07:59:25 PM »

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Jan 16, 2006 00:56:48

---> Begin Service Listing <---

Unknown Service # 1
Service Name: avast! Mail Scanner
Display Name: avast! Mail Scanner
Start Mode: Manual
Start Name: LocalSystem
Description: Implements mail scanning for avast! ...
Service Type: Own Process
Path: "c:\program files\alwil software\avast4\ashmaisv.exe" /service
State: Running
Process ID: 2104
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: avast! Web Scanner
Display Name: avast! Web Scanner
Start Mode: Manual
Start Name: LocalSystem
Description: Implements web (HTTP) scanning for avast! ...
Service Type: Own Process
Path: "c:\program files\alwil software\avast4\ashwebsv.exe" /service
State: Running
Process ID: 1540
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: ewido security suite control
Display Name: ewido security suite control
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\ewido\security suite\ewidoctrl.exe
State: Running
Process ID: 1464
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: ewido security suite guard
Display Name: ewido security suite guard
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\ewido\security suite\ewidoguard.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: IDriverT
Display Name: InstallDriver Table Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Provides support for the Running Object Table for InstallShield ...
Service Type: Own Process
Path: c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: startup manager
Display Name: windows setup manager
Start Mode: Disabled
Start Name: LocalSystem
Description: setup ...
Service Type: Own Process
Path:
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{a0b4f8db-9699-4362-acd2-e04420450833}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 88 Win32 services on this machine.
7 were unrecognized.

Script Execution Time: 4.987061 seconds.

no worries about not posting back for a while, thanks again for the help

i cant sign into msn messenger , apparantly my proxy settings are not right?

regards

guestolo · « **Reply #23 on:** January 15, 2006, 09:29:45 PM »

Let's try something
==Download DelDomains.inf
Right click on the link and choose Save Target As or Save Link As
Depending if you use IE or Mozilla
Save it to your desktop
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need it later

Download, from below, Fix.zip
UNZIP the contents to your desktop so you have Fix.reg extracted
We'll need this later too

Print the rest of this or copy and paste it for reference

Open Hijackthis>>Open misc tools section>>Open "Delete an NT service"
In the open field, copy and paste the following below in bold then hit OK

startup manager

Hijackthis should prompt that the service was found and too reboot your computer
Don't reboot yet
Instead, in Hijackthis>>Click Back
Do a SCAN
put a check next to this entry

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot into safe mode

In safe mode
Double click on fix.reg and allow to add/merge to the registry

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Reboot back to Normal mode

Don't open a browser yet
access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the Content tab>>Clear SSL Slate

Go to start>>run>>type in cmd
In the new box type the following
ipconfig /flushdns
Hit ENTER

Type Exit>>hit Enter

Let me know how things are running

monkeeman · « **Reply #24 on:** January 16, 2006, 10:18:46 AM »

hey guestsolo

everything is running fine! faster than ever

my msn wont connect at all , i have reinstalled it and changed my firewall and still nothing

do you know what this might be?

monkeeman

guestolo · « **Reply #25 on:** January 16, 2006, 03:45:14 PM »

I'm not sure of what version of MSN Messenger your using
Can you check the following:

Code: [Select]

ZoneAlarm Pro 3.1 or later and ZoneAlarm Security Suite 5.0 or later:

   1. Start ZoneAlarm, click "Program Control" in the left navigation list, and then click the "Programs" tab on the right.
   2. If Msnmsgr.exe is already on the list, delete it by right-clicking on "MSN Messenger", in the "Programs" list and then click "Remove".
   3. Add MSN Messenger to the list:
		  * Click "Add"
		  * Click "Browse", locate the C:\Program Files\MSN Messenger folder, and then double-click the Msnmsgr file to add the latest version of Msnmsgr.exe to the "Programs" list. Note The computer settings determine whether the file name is followed by the extension ".exe." 
   4. After you add Msnmsgr.exe to the "Programs" list, click the Access and Server entries for MSN Messenger, and then click Allow.

Also, check the following
===================================================================
If you’re still having trouble with either error 890109, connection to .Net Messenger Service, or anything else, here are some other things to try, courtesy of Jonathan Kay, MVP, the MSN Sign-in team, and a JustSomeGuy on Mess.be:

    0.    Clear your IE cache and cookies: open IE, click the Tools à Internet Options, then click Delete Files. When that's complete click Delete Cookies.

    1.    Check your IE Security settings: open IE, click Tools à Internet Options, then Advanced tab, scroll to the Security section, and verify that "Check for server certificate revocation" is unchecked. Also verify that 'Use SSL 2.0' and Use SSL 3.0' is checked. Click OK.

    2.    Run the Connection Troubleshooter:

a. Start MSN Messenger.

b. Click "Tools," and then "Options."

c. Click “Connection”, and then click “Test” to the right of the appropriate connection type

3. Adjust the proxy settings in IE::

a. Start Internet Explorer.

b. On the "Tools" menu, click "Internet Options."

c. Click the "Connections" tab, and then click "LAN Settings."

d. Clear the 'Automatically detect settings" check box.

e. Click "OK" two times.

4. Clear the proxy settings in MSN Messenger:.

a. Start MSN Messenger 7.5.

b. On the "Tools" menu, click "Options."

c. Click on “Connection” , and then click the “Advanced Settings” button.

d. Delete the entries under SOCKS

g. Click "OK" two times to save the settings.

5. Adjust your IE security settings:

a. Start IE.

b. Click "Tools" à" Internet Options," àthe "Advanced" tab.

c. In the "Security" section, verify the following settings:

    -Clear the "Check for server certificate revocation" check box.

    -Select the "Use SSL 2.0" check box.

    -Select the "Use SSL 3.0" check box.

   d. Click "OK"

   e. Reregister SSL security libraries: Click "Start," click "Run," and then follow the steps for your OS. Note: After each command is executed successfully, you will receive a "DllRegisterServer succeeded" message. Wait until you receive this message before you continue to the next command:

i. Type %windir%\system32\REGSVR32 softpub.dll, press ENTER.

ii. Type %windir%\system32\REGSVR32 wintrust.dll, press ENTER.

iii. Type %windir%\system32\REGSVR32 initpki.dll, press ENTER.

   f. Clear the Secure Sockets Layer (SSL) state and the AutoComplete history:

      i. Start Internet Explorer.

      ii. On the "Tools" menu, click "Internet Options,"; click the "Content" tab.

      iii. Under "Certificates," click "Clear SSL State."

      iv. When you receive the message that states that the SSL cache was successfully cleared, click "OK."

6. Try disabling any anti-spyware programs you have running.
================================================
Are you getting error messages when you try to connect?

monkeeman · « **Reply #26 on:** January 21, 2006, 08:01:43 PM »

your a genius!

my pc is running fine and msn is all working ok!

thank you very much your a good man! i take it you are male

is the donate page safe? i could spare a few quid for your help

peace monkeeman

guestolo · « **Reply #27 on:** January 21, 2006, 08:24:52 PM »

Quote

is the donate page safe? i could spare a few quid for your help

Yes it's safe, my services are free, but if you find that you could donate
That would be very kind
However, I want to make sure you are clean

Can you post a fresh hijackthis log please
Just some final cleanup to do afterwards

What fix was it that got you hooked back to MSN?

monkeeman · « **Reply #28 on:** January 22, 2006, 11:24:19 AM »

Logfile of HijackThis v1.99.1
Scan saved at 16:21:52, on 22/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D9F7B63-EC7C-43FF-A41D-6E9EC984A5B9} (GGSecSign Class) - https://secure.gateway.gov.uk/java/GGSecSign.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

i donated £5.00

thanks again mate

guestolo · « **Reply #29 on:** January 22, 2006, 01:10:15 PM »

*If everything is running better
We should clear all your restore points to ensure you don't restore any nasties that may be residing in the
restore folders
Go to START>>RUN>>In the open field
type in msconfig
Hit OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"

Apply it and OK out of there>>Reboot your computer

Back in Windows, Go back and take the check out of Turn off system restore
This will reenable the System Restore feature and creates a new restore point
[indent]===========================[/indent]
*For added protections against future attacks
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool

[indent]===========================[/indent]
[/list]*Check for updates with your anti-spyware programs and run a scan on a regular basis
About every couple of weeks
In addition: Open Spybot 1.4
Click on Immunize>>OK>>Immunize at the top green cross
Do that after every update

[indent]===========================[/indent]
*Make sure your Anti-virus software is always updated and actively running
In addition, I would hold onto Ewido<--check for updates once a month and run a scan
[indent]===========================[/indent]
*Keep up to date on Windows updates
You should update Windows to the latest Service pack
This is very important, it includes many Security patches
I would run Cleanup! again with the instructions I posted earlier
This cleans your temp folders, etc...
Also cleans your prefetch folder, if you find the first bootup after running CleanUp! is a little slower
That is because of the cleaning of the prefetch, not to worry
Bootup will be faster next time around

I would also take this oppurtunity to to a Disk Defragment
I prefer to do this in safe mode, allows minimal running
It may take some time if it hasn't been done for awhile
Afterwards, boot back to Normal mode
We've started you in the right direction to install SP2
Please, additionally, take a look at this link
http://www.microsoft.com/windowsxp/sp2/default.mspx
Take note of the link 'What to know before you download and install'
Afterwards, visit Windows updates and install SP2, may take about 30 minutes or more on cable, dsl

Once installed, reboot the computer
Just a reminder, if you are not set to Autoupdate, make a habit of visiting Windows Updates
and check for High Priority updates at least once a month
This is important in keeping your system secure

Stay safe and thanks

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

twiglet · « **Reply #30 on:** January 28, 2006, 07:00:18 AM »

I have exactly the same problem as monkeeman. when the internet starts my homepage gets hijacked to adultfinder.com, avg dectects the trojan horse generic.BMC and heals it but then my internet signs out. i have downloaded hijackthis and here is my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:19 AM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\msgconfigrs.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\BROADB~1\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Documents and Settings\Lewis Heapy\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876029.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BROADB~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\Broadband Desktop Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Homepage - {42954776-AB7B-45A3-8871-E911EBA6D287} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {58A28CCE-118A-415C-9F9B-391D33257D72} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterex...artload124a.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137954979053
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137954957762
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAB7DE06-9478-4CE4-A40B-2D7180B9995A}: NameServer = 194.74.65.69 194.72.9.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

any help would be much appreciated!

guestolo · « **Reply #31 on:** January 29, 2006, 01:49:35 PM »

As the original posters problems appear resolved
I'll lock this topic
All others please start your own post please

TheTechGuide Forum

News:

Author Topic: trojan horse problem (Read 2532 times)

guestolo

trojan horse problem

monkeeman

trojan horse problem

monkeeman

trojan horse problem

guestolo

trojan horse problem

monkeeman

trojan horse problem

guestolo

trojan horse problem

monkeeman

trojan horse problem

guestolo

trojan horse problem

monkeeman

trojan horse problem

guestolo

trojan horse problem

twiglet

trojan horse problem

guestolo

trojan horse problem