Two worms got me [RESOLVED]


This topic is locked

#16
elirarey (Member, Topic Starter, 16 posts)
I'm having trouble following your advice because, despite the fact that I am connected to a wireless server at 54.0 Mbps, I seem to be downloading files at between 0.1 and 0.7 KB per second. Even more mysterious, some files seem to download faster than others. Is the BitDefender site having some sort of problem? If so, then so are the Firefox site and fandango.com, though Zone Labs is rushing me their firewall at 3.5 KB per sec.

:)

I'm going to let it go over night and see if it improves.


#17
Buckeye_Sam (Malware Expert, 10,019 posts)
That's another indication that malware is active on your computer. Post back when you can.

#18
elirarey (Member, Topic Starter, 16 posts)
This is my ZoneAlarm log. Immediately on starting up, two programs tried to access the internet, which I denied: LEXPPS tried to act as a server and Spooler Sub something tried to access the internet. Now three separate Generic Win32 Hosts are shown by ZoneAlarm to be accessing the internet along with Firefox.


Does all this mean anything? I'm downloading Bit Defender now rather quickly, I'll have its log for you in the morning I think.


ZoneAlarm Logging Client v6.0.667.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
OSFW,2005/10/03,00:48:28 -4:00 GMT,UNKNOWN(0),guard,C:\Program Files\ewido\security suite\ewidoguard.exe,FILE,WRITE,SRC,WINDRVDIR\ETC\HOSTS
PE,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:49:42 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:42 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for sending data to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:49:48 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
PE,2005/10/03,00:49:56 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
PE,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.63:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:12 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:50:12 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for sending data to the Internet (192.168.100.63:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:18 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
PE,2005/10/03,00:50:24 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:54:40 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (148.4.108.234:DNS).,N/A,N/A
PE,2005/10/03,00:55:10 -4:00 GMT,guard,85.10.237.9:80,N/A
ACCESS,2005/10/03,00:55:10 -4:00 GMT,guard was unable to obtain permission for connecting to the Internet (85.10.237.9:HTTP); access was denied.,N/A,N/A
FWOUT,2005/10/03,01:00:52 -4:00 GMT,192.168.1.109:1030,148.4.108.234:53,UDP
PE,2005/10/03,01:03:48 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
PE,2005/10/03,01:03:48 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
ACCESS,2005/10/03,01:04:12 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.63:Port 161).,N/A,N/A
PE,2005/10/03,01:04:38 -4:00 GMT,guard,207.46.254.126:53,N/A
ACCESS,2005/10/03,01:09:58 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.31:Port 161).,N/A,N/A
FWOUT,2005/10/03,01:10:04 -4:00 GMT,192.168.1.109:1027,192.168.100.31:161,UDP
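The log above is ZoneAlarm's comma-separated record format: PE records are permission requests (program and destination), ACCESS records are the verdicts written as free text, FWOUT records are packets that actually left the host, and OSFW records are OS-level events such as file writes. The following Python is an added example for this thread, not ZoneAlarm's code and not anything the poster ran; it reads a subset of the records posted above and groups them by program so the three questions a helper asks first (who wanted to talk to what, who asked to act as a server, what the firewall decided) can be answered at a glance. The record types it accepts and the field positions for OSFW are taken from the header lines in the log itself.

```python
"""Summarise a ZoneAlarm 6 log by program, destination and verdict.

Added example for this thread; not ZoneAlarm's code and not from any post.
"""
import re
from collections import defaultdict

# Records copied from the log posted above (a subset that exercises every
# record type the parser understands).
SAMPLE_LOG = r"""
ZoneAlarm Logging Client v6.0.667.000
type,date,time,source,destination,transport (Security)
OSFW,2005/10/03,00:48:28 -4:00 GMT,UNKNOWN(0),guard,C:\Program Files\ewido\security suite\ewidoguard.exe,FILE,WRITE,SRC,WINDRVDIR\ETC\HOSTS
PE,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:54:40 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (148.4.108.234:DNS).,N/A,N/A
PE,2005/10/03,00:55:10 -4:00 GMT,guard,85.10.237.9:80,N/A
FWOUT,2005/10/03,01:00:52 -4:00 GMT,192.168.1.109:1030,148.4.108.234:53,UDP
PE,2005/10/03,01:03:48 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
ACCESS,2005/10/03,01:04:12 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.63:Port 161).,N/A,N/A
FWOUT,2005/10/03,01:10:04 -4:00 GMT,192.168.1.109:1027,192.168.100.31:161,UDP
"""

RECORD_TYPES = {"PE", "ACCESS", "FWOUT", "FWIN", "OSFW"}

# ACCESS records are free text: "<program> was <verdict> ... (<destination>)".
ACCESS_RE = re.compile(
    r"^(?P<program>.+?) was "
    r"(?P<verdict>unable to obtain permission|temporarily blocked|blocked)"
    r".*?\((?P<dest>[^)]+)\)"
)


def parse_records(text):
    """Yield (record_type, fields after the timestamp), skipping header lines."""
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 4 or parts[0] not in RECORD_TYPES:
            continue
        yield parts[0], parts[3:]


def summarize(text):
    """Return (programs, packets, osfw).

    programs maps a program name to the destinations it asked for, the ports
    it asked to listen on (destination 0.0.0.0:<port>) and the verdicts
    ZoneAlarm recorded for it; packets lists FWOUT/FWIN records; osfw lists
    (product, event, subevent, target) for OS-level events.
    """
    programs = defaultdict(
        lambda: {"destinations": set(), "listen_ports": set(), "verdicts": []}
    )
    packets, osfw = [], []
    for rtype, f in parse_records(text):
        if rtype == "PE":                       # program asked for permission
            program, dest = f[0], f[1]
            if dest.startswith("0.0.0.0:"):     # asked to accept connections
                programs[program]["listen_ports"].add(dest.split(":", 1)[1])
            else:
                programs[program]["destinations"].add(dest)
        elif rtype == "ACCESS":                 # how the request was answered
            m = ACCESS_RE.match(f[0])
            if m:
                programs[m["program"]]["verdicts"].append((m["verdict"], m["dest"]))
        elif rtype in ("FWOUT", "FWIN"):        # source,destination,transport
            packets.append((rtype, f[0], f[1], f[2]))
        elif rtype == "OSFW" and len(f) >= 7:   # action,product,file,event,subevent,class,data
            osfw.append((f[1], f[3], f[4], f[6]))
    return programs, packets, osfw


def server_requests(programs):
    """Programs that asked to listen on all interfaces, with the port."""
    return sorted(
        (name, port) for name, e in programs.items() for port in e["listen_ports"]
    )


def report(text):
    """One triage line per program, then the packet and OS-event records."""
    programs, packets, osfw = summarize(text)
    lines = []
    for name in sorted(programs):
        e = programs[name]
        lines.append(
            f"{name}: to {sorted(e['destinations']) or '-'}; "
            f"listen on {sorted(e['listen_ports']) or '-'}; "
            f"verdicts {e['verdicts'] or '-'}"
        )
    lines += [f"{t} {src} -> {dst} {proto}" for t, src, dst, proto in packets]
    lines += [f"OSFW {prod} {ev}/{sub} {target}" for prod, ev, sub, target in osfw]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the records above this reports one server request (LEXPPS.EXE on port 1025), the print spooler's repeated requests to two LAN hosts on port 161, and a write to the HOSTS file by the ewido guard. Grouping by program is what makes the next step possible: each program name is then checked against the process and service list (here, the HijackThis log posted later) to confirm what binary it is and why it would want that access.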

#19
elirarey (Member, Topic Starter, 16 posts)
Here is the BitDefender log. I'm surprised the PestPatrol Quarantine is still on my system, as I uninstalled PestPatrol ages ago. This log seems to show no current infections; am I right? Are these all quarantines and restore files?


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 03/10/2005 01:48:11
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 3885
Files : 313018
Archives : 14809
Packed files : 20424
Identified viruses : 7
Infected files : 19
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 2
Renamed files : 0
I/O errors : 26
Scan time : 03:08:45
Scan speed (files/sec) : 27

Virus definitions : 214593
Scan plugins : 13
Archive plugins : 39
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/whenusearch/Search.exe Detected: Adware.Whenu.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/whenusearch/Search.exe Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/whenusearch/search.dll Detected: Adware.Whenu.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/save/save.exe Detected: Application.Adware.SaveNow.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/save/save.exe Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/incred~1/bho/incfin~1.dll Infected Trojan.Downloader.KeenValue.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/incred~1/bho/incfin~1.dll Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/incredifind/bho/incfindbho.dll Infected Trojan.Downloader.KeenValue.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>apropos_client_loader.exe Detected: Adware.ApropoAd.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>apropos_client_loader.exe Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip Moved
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Infected Trojan.Downloader.Agent.EC
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Detected: Adware.ApropoAd.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Infected Backdoor.Ruledor.C
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Infected Trojan.Downloader.Agent.EC
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Detected: Adware.ApropoAd.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Infected Backdoor.Ruledor.C
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Infected Trojan.Downloader.Agent.EC
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Detected: Adware.ApropoAd.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Infected Backdoor.Ruledor.C
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Infected Trojan.Downloader.Agent.EC
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0003 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Detected: Adware.ApropoAd.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0006 Move failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Infected Backdoor.Ruledor.C
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.zip=>My Documents/Data/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Move failed
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP233\A0062076.dll.tcf Detected: Adware.Wheaterbug.A
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP233\A0062076.dll.tcf Disinfection failed
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP233\A0062076.dll.tcf Moved



I'm also posting a new ZA log, in hopes that it is more useful:

ZoneAlarm Logging Client v6.0.667.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
OSFW,2005/10/03,00:48:28 -4:00 GMT,UNKNOWN(0),guard,C:\Program Files\ewido\security suite\ewidoguard.exe,FILE,WRITE,SRC,WINDRVDIR\ETC\HOSTS
PE,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:49:42 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:42 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for sending data to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:49:48 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
PE,2005/10/03,00:49:56 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
PE,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.63:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:12 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:50:12 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for sending data to the Internet (192.168.100.63:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:18 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
PE,2005/10/03,00:50:24 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:54:40 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (148.4.108.234:DNS).,N/A,N/A
PE,2005/10/03,00:55:10 -4:00 GMT,guard,85.10.237.9:80,N/A
ACCESS,2005/10/03,00:55:10 -4:00 GMT,guard was unable to obtain permission for connecting to the Internet (85.10.237.9:HTTP); access was denied.,N/A,N/A
FWOUT,2005/10/03,01:00:52 -4:00 GMT,192.168.1.109:1030,148.4.108.234:53,UDP
PE,2005/10/03,01:03:48 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
PE,2005/10/03,01:03:48 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
ACCESS,2005/10/03,01:04:12 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.63:Port 161).,N/A,N/A
PE,2005/10/03,01:04:38 -4:00 GMT,guard,207.46.254.126:53,N/A
ACCESS,2005/10/03,01:09:58 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.31:Port 161).,N/A,N/A
FWOUT,2005/10/03,01:10:04 -4:00 GMT,192.168.1.109:1027,192.168.100.31:161,UDP
OSFW,2005/10/03,01:21:44 -4:00 GMT,UNKNOWN(0),Win32 Cabinet Self-Extractor ,C:\Documents and Settings\Adam44\Desktop\Downloads\bitdefender_free_v8.exe,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE,wextract_cleanup0
PE,2005/10/03,01:29:24 -4:00 GMT,BitDefender Console Scanner,69.44.123.70:53,N/A
PE,2005/10/03,01:44:12 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
PE,2005/10/03,01:44:18 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
PE,2005/10/03,01:45:48 -4:00 GMT,BitDefender Scanner Module,69.44.123.70:53,N/A
PE,2005/10/03,01:46:30 -4:00 GMT,guard,69.44.123.73:53,N/A
OSFW,2005/10/03,01:46:48 -4:00 GMT,UNKNOWN(0),BitDefender Upgrade Replacer,C:\PROGRAM FILES\Softwin\BITDEFENDER8\upgrepl.exe,PROCESS,SPAWNPROCESS,SRC,C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE,fa4682f2-79a1449a-8c33a19e-d0d57b33,4551-9fb832d9-f29fbe72
FWOUT,2005/10/03,03:03:06 -4:00 GMT,192.168.1.109:1080,208.185.174.66:80,TCP (flags:S)
FWOUT,2005/10/03,04:00:12 -4:00 GMT,192.168.1.109:1084,208.185.174.66:80,TCP (flags:S)
FWOUT,2005/10/03,05:02:10 -4:00 GMT,192.168.1.109:1102,208.185.174.66:80,TCP (flags:S)


And last of all, here's another HijackThis log.


ZoneAlarm Logging Client v6.0.667.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
OSFW,2005/10/03,00:48:28 -4:00 GMT,UNKNOWN(0),guard,C:\Program Files\ewido\security suite\ewidoguard.exe,FILE,WRITE,SRC,WINDRVDIR\ETC\HOSTS
PE,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:34 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:49:42 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
ACCESS,2005/10/03,00:49:42 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for sending data to the Internet (192.168.100.31:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:49:48 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
PE,2005/10/03,00:49:56 -4:00 GMT,Spooler SubSystem App,192.168.100.31:161,N/A
PE,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:50:04 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for connecting to the Internet (192.168.100.63:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:12 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:50:12 -4:00 GMT,Spooler SubSystem App was unable to obtain permission for sending data to the Internet (192.168.100.63:Port 161); access was denied.,N/A,N/A
PE,2005/10/03,00:50:18 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
PE,2005/10/03,00:50:24 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
ACCESS,2005/10/03,00:54:40 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (148.4.108.234:DNS).,N/A,N/A
PE,2005/10/03,00:55:10 -4:00 GMT,guard,85.10.237.9:80,N/A
ACCESS,2005/10/03,00:55:10 -4:00 GMT,guard was unable to obtain permission for connecting to the Internet (85.10.237.9:HTTP); access was denied.,N/A,N/A
FWOUT,2005/10/03,01:00:52 -4:00 GMT,192.168.1.109:1030,148.4.108.234:53,UDP
PE,2005/10/03,01:03:48 -4:00 GMT,Spooler SubSystem App,192.168.100.63:161,N/A
PE,2005/10/03,01:03:48 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
ACCESS,2005/10/03,01:04:12 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.63:Port 161).,N/A,N/A
PE,2005/10/03,01:04:38 -4:00 GMT,guard,207.46.254.126:53,N/A
ACCESS,2005/10/03,01:09:58 -4:00 GMT,Spooler SubSystem App was temporarily blocked from connecting to the Internet (192.168.100.31:Port 161).,N/A,N/A
FWOUT,2005/10/03,01:10:04 -4:00 GMT,192.168.1.109:1027,192.168.100.31:161,UDP
OSFW,2005/10/03,01:21:44 -4:00 GMT,UNKNOWN(0),Win32 Cabinet Self-Extractor ,C:\Documents and Settings\Adam44\Desktop\Downloads\bitdefender_free_v8.exe,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE,wextract_cleanup0
PE,2005/10/03,01:29:24 -4:00 GMT,BitDefender Console Scanner,69.44.123.70:53,N/A
PE,2005/10/03,01:44:12 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
PE,2005/10/03,01:44:18 -4:00 GMT,LEXPPS.EXE,0.0.0.0:1025,N/A
PE,2005/10/03,01:45:48 -4:00 GMT,BitDefender Scanner Module,69.44.123.70:53,N/A
PE,2005/10/03,01:46:30 -4:00 GMT,guard,69.44.123.73:53,N/A
OSFW,2005/10/03,01:46:48 -4:00 GMT,UNKNOWN(0),BitDefender Upgrade Replacer,C:\PROGRAM FILES\Softwin\BITDEFENDER8\upgrepl.exe,PROCESS,SPAWNPROCESS,SRC,C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE,fa4682f2-79a1449a-8c33a19e-d0d57b33,4551-9fb832d9-f29fbe72
FWOUT,2005/10/03,03:03:06 -4:00 GMT,192.168.1.109:1080,208.185.174.66:80,TCP (flags:S)
FWOUT,2005/10/03,04:00:12 -4:00 GMT,192.168.1.109:1084,208.185.174.66:80,TCP (flags:S)
FWOUT,2005/10/03,05:02:10 -4:00 GMT,192.168.1.109:1102,208.185.174.66:80,TCP (flags:S)


Thanks so much for your help -- do you see anything suspicious?
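The question in this post (whether the BitDefender report shows only quarantine and restore-point copies) can be answered mechanically from its Summary section. Every Summary line is `<object> <status>`, where `<object>` is an on-disk file optionally followed by `=>` archive members and `<status>` is one of `Detected: <name>`, `Infected <name>`, `Disinfection failed`, `Moved` or `Move failed`. The Python below is an added example for this thread, not BitDefender's code and not part of any post: it keeps only the outermost on-disk file of each object (the part before the first `=>`), classes it as Recycle Bin, System Restore point or live file, and lists the containers BitDefender could neither clean nor move. The sample is a subset of the Summary lines posted above; the path prefixes used for classification are the ones that appear in that report.

```python
"""Classify the Summary lines of a BitDefender 8 report by where the hits live.

Added example for this thread; not BitDefender's code and not from any post.
"""
import re
from collections import Counter

# Summary lines copied from the report posted above (a subset).
SAMPLE_SUMMARY = r"""
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/whenusearch/Search.exe Detected: Adware.Whenu.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/whenusearch/Search.exe Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip=>Program Files/incredifind/bho/incfindbho.dll Infected Trojan.Downloader.KeenValue.A
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040630071218390.zip Moved
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Infected Backdoor.Ruledor.C
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Disinfection failed
C:\RECYCLER\S-1-5-21-1729697498-2501954535-3646181656-1006\Dc2\PestPatrol\Quarantine\20040716093650640.RB0=>My Documents/Data/all_files4.exe=>(NSIS o)=>zlib_nsis0007 Move failed
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP233\A0062076.dll.tcf Detected: Adware.Wheaterbug.A
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP233\A0062076.dll.tcf Moved
"""

# "<object> <status>": the object may contain spaces, so anchor on the
# fixed set of status phrases at the end of the line.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?P<status>Detected: (?P<det>\S+)|Infected (?P<inf>\S+)"
    r"|Disinfection failed|Move failed|Moved)$"
)


def classify_path(container):
    """Recycle Bin and System Restore copies are inert; anything else can run."""
    low = container.lower()
    if low.startswith("c:\\recycler\\"):
        return "recycle bin"
    if "\\system volume information\\_restore" in low:
        return "system restore point"
    return "live file"


def parse_summary(text):
    """Return {container_path: {"location", "threats", "statuses"}}."""
    containers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        container = m["obj"].split("=>", 1)[0]     # outermost file on disk
        entry = containers.setdefault(
            container,
            {"location": classify_path(container), "threats": set(), "statuses": Counter()},
        )
        threat = m["det"] or m["inf"]
        if threat:
            entry["threats"].add(threat)
        else:
            entry["statuses"][m["status"]] += 1
    return containers


def live_detections(containers):
    """Containers that are neither in the Recycle Bin nor in a restore point."""
    return sorted(c for c, e in containers.items() if e["location"] == "live file")


def outstanding(containers):
    """Containers BitDefender neither cleaned nor moved: still on disk as found."""
    return sorted(
        c for c, e in containers.items()
        if e["statuses"]["Move failed"] and not e["statuses"]["Moved"]
    )


def report(text):
    containers = parse_summary(text)
    lines = [f"[{e['location']}] {c}: {', '.join(sorted(e['threats']))}"
             for c, e in containers.items()]
    lines.append(f"live-file detections: {live_detections(containers) or 'none'}")
    lines.append(f"not cleaned and not moved: {outstanding(containers) or 'none'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SUMMARY)))
```

On the lines above it reports no live-file container, three containers in total, and one (the `.RB0` PestPatrol quarantine file) that BitDefender could neither disinfect nor move, so it is still sitting in the Recycle Bin folder exactly as it was found. Emptying the Recycle Bin and, once the machine is declared clean, clearing old System Restore points is how such inert copies are removed; the classification is the part that says which is which.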

#20
elirarey (Member, Topic Starter, 16 posts)
Oops, here is the HijackThis log for real this time. So now every time my computer turns on it tells me that LEXPPS.EXE is trying to act as a server. Is that as bad as it sounds?

It's listed as a "running process" here.

Logfile of HijackThis v1.99.1
Scan saved at 9:25:09 AM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\WRSSSDK.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Documents and Settings\Adam44\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.scservers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: SysTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: DigiChat Applet - http://host7.digicha...s/Client_IE.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127657371398
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\EarthLink TotalAccess\Spyware Blocker\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
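Reading a HijackThis log the way a helper does means separating the running-process list from the coded entries and then asking a few fixed questions: which O4 entries start something at logon, which of them give no absolute path (so the file is found by search path and must be located by hand), which O23 services have no recognised publisher, which entries point at a target marked `(file missing)` or `(no file)`, and which running processes no autostart entry or service accounts for. The Python below is an added example for this thread, not HijackThis code and not something any poster ran; the sample is a subset of the log posted above.

```python
"""Triage a HijackThis 1.99 log: autostarts, services, orphaned entries.

Added example for this thread; not HijackThis code and not from any post.
"""
import re

# A subset of the log posted above.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:25:09 AM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Adam44\Desktop\Downloads\HijackThis.exe

O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: SysTray.lnk = ?
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# O4 bodies: "HKLM\..\Run: [Name] command"  or  "Global Startup: file.lnk = target"
RUN_RE = re.compile(
    r"^(?P<where>.+?): (?:\[(?P<name>[^\]]+)\] (?P<cmd>.+)|(?P<link>.+?) = (?P<target>.+))$"
)
# O23 bodies: "Service: Display name (short) - Publisher - path"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def exe_name(s):
    """Lower-cased executable file name inside a command line or path, if any."""
    m = EXE_RE.search(s)
    return m.group(1).lower() if m else None


def parse_entries(text):
    """Split the log into the running-process list and (code, body) entries."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["code"], m["body"]))
    return procs, entries


def analyze(text):
    procs, entries = parse_entries(text)
    rep = {"orphaned": [], "autostart": [], "bare_autostart": [],
           "services": [], "unknown_owner_services": []}
    for code, body in entries:
        if "(file missing)" in body or "(no file)" in body:
            rep["orphaned"].append(f"{code} - {body}")
        if code == "O4":
            m = RUN_RE.match(body)
            if m:
                name = m["name"] or m["link"]
                target = m["cmd"] or m["target"]
                rep["autostart"].append((m["where"], name, target))
                if not ABS_PATH_RE.match(target):      # resolved via search path
                    rep["bare_autostart"].append((name, target))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m:
                rep["services"].append((m["name"], m["owner"], m["path"]))
                if m["owner"] == "Unknown owner":
                    rep["unknown_owner_services"].append((m["name"], m["path"]))
    return procs, rep


def unexplained_processes(procs, rep):
    """Running processes that no O4 autostart entry or O23 service points at."""
    referenced = {exe_name(t) for _w, _n, t in rep["autostart"]}
    referenced |= {exe_name(p) for _n, _o, p in rep["services"]}
    return [p for p in procs if exe_name(p) not in referenced]


if __name__ == "__main__":
    procs, rep = analyze(SAMPLE_HJT)
    for key in ("orphaned", "bare_autostart", "unknown_owner_services"):
        print(key, rep[key])
    print("unexplained", unexplained_processes(procs, rep))
```

On the sample it flags three orphaned entries, two autostart items without an absolute path (`lxamsp32.exe` and `SysTray.lnk = ?`), one service with an unrecognised publisher, and two running processes that nothing in the list starts directly: HijackThis.exe itself, which the poster launched by hand, and LEXPPS.EXE. The latter is the case the poster keeps asking about; the O23 line shows its sibling LEXBCES.EXE registered as the Lexmark "LexBce Server" service, and a child process started by a service will never show up as an O4 entry of its own, which is why the helper's next step is to identify the file rather than to look for a missing autostart.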

#21
elirarey (Member, Topic Starter, 16 posts)
ZoneAlarm just did an automatic scan - found PartyPoker and quarantined it. LEXPPS continues its reign of terror.

Just keeping the updates coming. Post when you have a chance - thanks for your help.

New HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:54:38 PM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Adam44\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.scservers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: SysTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: DigiChat Applet - http://host7.digicha...s/Client_IE.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127657371398
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\EarthLink TotalAccess\Spyware Blocker\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

#22 Buckeye_Sam (Malware Expert, 10,019 posts)

So now every time my computer turns on it tells me that LEXPPS.EXE is trying to act as a server. Is that as bad as it sounds?

This is a legitimate process that is associated with your printer. You should allow it.


ZoneAlarm just did an automatic scan - found PartyPoker and quarantined it.

I'm a little confused by this because Zone Alarm is just a firewall. Do you mean AVG?

You can fix these lines with Hijackthis.

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)


Delete this folder.

C:\Program Files\PartyPoker


Everything that Bit Defender found was old. No active infections.

Please download and install Cleanup 4.0

Now run CleanUp
IMPORTANT!
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp


Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select Yes
  • Close CleanUp


Let me know how things are working now.
  • 0
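The triage in the reply above (fix the orphaned "(no file)" button, remove the PartyPoker entries, leave the Lexmark process alone) is the kind of pass an analyst makes over a HijackThis log by eye. As an added example, not code from this thread or from HijackThis, here is a small Python parser that does the first pass mechanically. SAMPLE_LOG is constructed from a handful of entries quoted in the log above; the rules, severities and the removal-name list are the editor's own assumptions about what deserves a second look. One rule is grounded in this thread's own log: both BitDefender services are reported "(file missing)", yet bdss.exe and xcommsvr.exe appear under Running processes, so the flag comes from how the quoted ImagePath plus its /service argument was parsed, not from an absent file, and the script cross-references the two lists to say so.

```python
"""Parse a HijackThis v1.99-style log and triage its entries.

Added example, not code from the thread or from HijackThis.  SAMPLE_LOG is
built from entries quoted in the thread; the triage rules are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: SysTray.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass
class Entry:
    section: str  # "O4", "O9", "O23", ... or "PROC" for a Running processes line
    raw: str      # the log line as written


@dataclass
class Finding:
    severity: str  # "review": look at it; "info": explained, no action implied
    reason: str
    entry: Entry


_ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - ")
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|ocx|scr)', re.IGNORECASE)


def parse_hjt(text: str) -> list[Entry]:
    """Split a log into Running-processes lines and O/R/F entries."""
    entries: list[Entry] = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            entries.append(Entry("PROC", line))
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), line))
    return entries


def _first_path(raw: str) -> str | None:
    m = _PATH_RE.search(raw)
    return m.group(0).lower() if m else None


def triage(entries: list[Entry], unwanted_names: tuple[str, ...] = ()) -> list[Finding]:
    """One finding per entry; the first matching rule wins."""
    running = {e.raw.lower() for e in entries if e.section == "PROC"}
    findings: list[Finding] = []
    for e in entries:
        if e.section == "PROC":
            continue
        low = e.raw.lower()
        # Rule 1: HijackThis could not find the registered file.  If the same
        # binary is in Running processes, the file is present and the flag is
        # an artifact of parsing a quoted ImagePath with arguments.
        if "(file missing)" in low or "(no file)" in low:
            path = _first_path(e.raw)
            if path and path in running:
                findings.append(Finding("info", "flagged missing, but the binary is running (path-parsing artifact)", e))
            else:
                findings.append(Finding("review", "points at a file that is not present; orphaned entry", e))
            continue
        # Rule 2: a bare-filename Run value is resolved by search path rather
        # than an absolute path; "= ?" means the shortcut target was unresolved.
        if e.section == "O4":
            m = re.search(r"\] (.+)$", e.raw) or re.search(r" = (.+)$", e.raw)
            target = m.group(1).strip() if m else ""
            if target == "?":
                findings.append(Finding("review", "startup shortcut target unresolved; inspect the .lnk", e))
                continue
            if target and "\\" not in target:
                findings.append(Finding("review", f"Run value '{target}' has no directory; resolved by search path", e))
                continue
        # Rule 3: service binary carries no company name.
        if e.section == "O23" and "unknown owner" in low:
            findings.append(Finding("review", "service binary has no company name", e))
            continue
        # Rule 4: names the analyst has already decided to remove.
        for name in unwanted_names:
            if name.lower() in low:
                findings.append(Finding("review", f"matches removal list entry '{name}'", e))
                break
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG), unwanted_names=("PartyPoker",)):
        print(f"[{f.severity}] {f.entry.section}: {f.reason}\n    {f.entry.raw}")
```

Run as-is it prints six findings for the constructed sample: the bare lxamsp32.exe Run value, the unresolved SysTray.lnk, the PartyPoker button, the "(no file)" button, the msnim handler whose DLL really is absent, and the bdss service downgraded to "info" because its binary is running. To use it on a real log, replace SAMPLE_LOG with the file's contents; the rules are deliberately conservative and only tell you where to look, not what to delete.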

#23 elirarey (Topic Starter, Member, 16 posts)

Glad to know the reign of terror from LEXPPS was actually just a printer. PS - I have a Konica, an Epson, and an HP printer, no Lexmark. (It's installed, but I don't remember why.) If I delete this printer from my Control Panel list of installed printers, will LEXPPS stop benignly becoming a server?

I didn't mistake ZoneAlarm for AVG -- when I downloaded ZA it convinced me to do a 15-day trial of ZoneAlarm Pro, which apparently sometimes scans my computer on its whim.

Everything seems to be going great -- is that because I got rid of Party Poker? Why was my computer so hung up before?

I'm afraid to mark this resolved because everything will go bonkers again. :tazz:
  • 0

#24 Buckeye_Sam (Malware Expert, 10,019 posts)

Glad to know the reign of terror from LEXPPS was actually just a printer. PS - I have a Konica, an Epson, and an HP printer, no Lexmark. (It's installed, but I don't remember why.) If I delete this printer from my Control Panel list of installed printers, will LEXPPS stop benignly becoming a server?

It should. But you may have to uninstall any software that was installed with it also.

Delete these three files that are associated with Lexmark. They may not be present after you remove the printer.

C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\lxamsp32.exe

And this folder:

C:\Program Files\LexmarkX63



I didn't mistake ZoneAlarm for AVG -- when I downloaded ZA it convinced me to do a 15-day trial of ZoneAlarm Pro, which apparently sometimes scans my computer on its whim.

Gotcha! That makes sense. :tazz:


Everything seems to be going great -- is that because I got rid of Party Poker? Why was my computer so hung up before?

I'm afraid to mark this resolved because everything will go bonkers again. :tazz:

Party Poker is usually not a problem. In fact, I often will leave it alone unless someone mentions it.

At this point it would be a good idea to uninstall Bit Defender since you have AVG running.

I'll keep this thread open for a few weeks just in case you start having problems again.
  • 0

#25 Buckeye_Sam (Malware Expert, 10,019 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
