Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Lovsan and Winfixer [RESOLVED]


  • This topic is locked This topic is locked

#1
thunderguns

thunderguns

    New Member

  • Member
  • Pip
  • 5 posts
Between these two I cant get anything done. Kaspersky Anti_Hacker keeps haveing trouble with lovsan on every reboot and every time I open a web page I get another one that pops up like this http://www.winfixer....&ed=2&ex=1&ax=1
Maybe you guys can help me out here, this is getting annoying :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:30 AM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\mlljk.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282822406
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


I hope I got this right, if I didnt correct me.

Thanks
  • 0

Advertisements


#2
John_L

John_L

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,398 posts
Hello thunderguns and welcome to Geeks To Go :tazz:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Show me this log and a new hijack log when finished please. :)
  • 0

#3
thunderguns

thunderguns

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
********
8:02 PM: | Start of Session, Friday, November 11, 2005 |
8:02 PM: Spy Sweeper started
8:02 PM: Sweep initiated using definitions version 572
8:02 PM: Starting Memory Sweep
8:03 PM: Found Adware: virtumonde
8:03 PM: Detected running threat: C:\WINDOWS\system32\mlljk.dll (ID = 77)
8:04 PM: Memory Sweep Complete, Elapsed Time: 00:01:15
8:04 PM: Starting Registry Sweep
8:04 PM: Found Adware: screensavers
8:04 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
8:04 PM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140551)
8:04 PM: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
8:04 PM: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
8:04 PM: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
8:04 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
8:04 PM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140556)
8:04 PM: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
8:04 PM: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
8:04 PM: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
8:04 PM: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
8:04 PM: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
8:04 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
8:04 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
8:04 PM: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
8:04 PM: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
8:04 PM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
8:04 PM: HKLM\software\screensavers.com\ (13 subtraces) (ID = 140569)
8:04 PM: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
8:04 PM: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
8:04 PM: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
8:04 PM: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
8:04 PM: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
8:04 PM: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
8:04 PM: Registry Sweep Complete, Elapsed Time:00:00:08
8:04 PM: Starting Cookie Sweep
8:04 PM: Found Spy Cookie: about cookie
8:04 PM: compaq_owner@about[1].txt (ID = 2037)
8:04 PM: Found Spy Cookie: yieldmanager cookie
8:04 PM: compaq_owner@ad.yieldmanager[2].txt (ID = 3751)
8:04 PM: Found Spy Cookie: adknowledge cookie
8:04 PM: compaq_owner@adknowledge[1].txt (ID = 2072)
8:04 PM: Found Spy Cookie: hbmediapro cookie
8:04 PM: compaq_owner@adopt.hbmediapro[2].txt (ID = 2768)
8:04 PM: Found Spy Cookie: adrevolver cookie
8:04 PM: compaq_owner@adrevolver[1].txt (ID = 2088)
8:04 PM: compaq_owner@adrevolver[3].txt (ID = 2088)
8:04 PM: Found Spy Cookie: belointeractive cookie
8:04 PM: compaq_owner@ads.belointeractive[2].txt (ID = 2295)
8:04 PM: Found Spy Cookie: ask cookie
8:04 PM: compaq_owner@ask[1].txt (ID = 2245)
8:04 PM: Found Spy Cookie: belnk cookie
8:04 PM: compaq_owner@ath.belnk[2].txt (ID = 2293)
8:04 PM: Found Spy Cookie: atwola cookie
8:04 PM: compaq_owner@atwola[1].txt (ID = 2255)
8:04 PM: Found Spy Cookie: azjmp cookie
8:04 PM: compaq_owner@azjmp[2].txt (ID = 2270)
8:04 PM: Found Spy Cookie: banner cookie
8:04 PM: compaq_owner@banner[1].txt (ID = 2276)
8:04 PM: compaq_owner@belnk[1].txt (ID = 2292)
8:04 PM: compaq_owner@belointeractive[1].txt (ID = 2294)
8:04 PM: Found Spy Cookie: cardomain cookie
8:04 PM: compaq_owner@cardomain[2].txt (ID = 2350)
8:04 PM: compaq_owner@dist.belnk[2].txt (ID = 2293)
8:04 PM: Found Spy Cookie: fe.lea.lycos.com cookie
8:04 PM: compaq_owner@fe.lea.lycos[1].txt (ID = 2660)
8:04 PM: compaq_owner@homepage.belointeractive[1].txt (ID = 2295)
8:04 PM: Found Spy Cookie: howstuffworks cookie
8:04 PM: compaq_owner@howstuffworks[2].txt (ID = 2805)
8:04 PM: Found Spy Cookie: kmpads cookie
8:04 PM: compaq_owner@kmpads[1].txt (ID = 2909)
8:04 PM: Found Spy Cookie: domainsponsor cookie
8:04 PM: compaq_owner@landing.domainsponsor[1].txt (ID = 2535)
8:04 PM: Found Spy Cookie: realmedia cookie
8:04 PM: compaq_owner@realmedia[1].txt (ID = 3235)
8:04 PM: Found Spy Cookie: statcounter cookie
8:04 PM: compaq_owner@statcounter[1].txt (ID = 3447)
8:04 PM: Found Spy Cookie: reliablestats cookie
8:04 PM: compaq_owner@stats1.reliablestats[2].txt (ID = 3254)
8:04 PM: compaq_owner@yieldmanager[1].txt (ID = 3749)
8:04 PM: Found Spy Cookie: zedo cookie
8:04 PM: compaq_owner@zedo[1].txt (ID = 3762)
8:04 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:04 PM: Starting File Sweep
8:04 PM: c:\program files\screensavers.com (8 subtraces) (ID = -2147480365)
8:07 PM: Warning: Failed to open file "c:\my downloads\". The system cannot find the path specified
8:07 PM: Warning: Failed to open file "c:\my downloads\". The system cannot find the path specified
8:07 PM: Warning: Failed to open file "c:\my downloads\". The system cannot find the path specified
8:07 PM: swpstart.exe (ID = 74759)
10:50 PM: Warning: Invalid file - not a PKZip file
10:51 PM: Warning: Invalid Stream
10:51 PM: Warning: Invalid Stream
10:51 PM: File Sweep Complete, Elapsed Time: 02:47:07
10:51 PM: Full Sweep has completed. Elapsed time 02:48:36
10:51 PM: Traces Found: 232
9:04 AM: Removal process initiated
9:04 AM: Quarantining All Traces: virtumonde
9:04 AM: virtumonde is in use. It will be removed on reboot.
9:04 AM: C:\WINDOWS\system32\mlljk.dll is in use. It will be removed on reboot.
9:04 AM: Quarantining All Traces: screensavers
9:04 AM: Quarantining All Traces: about cookie
9:04 AM: Quarantining All Traces: adknowledge cookie
9:04 AM: Quarantining All Traces: adrevolver cookie
9:04 AM: Quarantining All Traces: ask cookie
9:04 AM: Quarantining All Traces: atwola cookie
9:04 AM: Quarantining All Traces: azjmp cookie
9:04 AM: Quarantining All Traces: banner cookie
9:04 AM: Quarantining All Traces: belnk cookie
9:04 AM: Quarantining All Traces: belointeractive cookie
9:04 AM: Quarantining All Traces: cardomain cookie
9:04 AM: Quarantining All Traces: domainsponsor cookie
9:04 AM: Quarantining All Traces: fe.lea.lycos.com cookie
9:04 AM: Quarantining All Traces: hbmediapro cookie
9:04 AM: Quarantining All Traces: howstuffworks cookie
9:04 AM: Quarantining All Traces: kmpads cookie
9:04 AM: Quarantining All Traces: realmedia cookie
9:04 AM: Quarantining All Traces: reliablestats cookie
9:04 AM: Quarantining All Traces: statcounter cookie
9:04 AM: Quarantining All Traces: yieldmanager cookie
9:04 AM: Quarantining All Traces: zedo cookie
9:04 AM: Warning: Launched explorer.exe
9:04 AM: Warning: Quarantine process could not restart Explorer.
9:05 AM: Removal process completed. Elapsed time 00:00:22
********
7:58 PM: | Start of Session, Friday, November 11, 2005 |
7:58 PM: Spy Sweeper started
7:58 PM: Sweep initiated using definitions version 572
8:00 PM: Sweep Canceled
8:02 PM: Sent error log: C:\Documents and Settings\Compaq_Owner\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
8:02 PM: | End of Session, Friday, November 11, 2005 |
********
7:19 PM: | Start of Session, Friday, November 11, 2005 |
7:19 PM: Spy Sweeper started
7:19 PM: Sweep initiated using definitions version 572
7:19 PM: Starting Memory Sweep
7:19 PM: Found Adware: virtumonde
7:19 PM: Detected running threat: C:\WINDOWS\system32\mlljk.dll (ID = 77)
7:21 PM: Memory Sweep Complete, Elapsed Time: 00:01:39
7:21 PM: Starting Registry Sweep
7:21 PM: Found Adware: screensavers
7:21 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
7:21 PM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140551)
7:21 PM: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
7:21 PM: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
7:21 PM: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
7:21 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
7:21 PM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140556)
7:21 PM: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
7:21 PM: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
7:21 PM: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
7:21 PM: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
7:21 PM: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
7:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
7:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
7:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
7:21 PM: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
7:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
7:21 PM: HKLM\software\screensavers.com\ (13 subtraces) (ID = 140569)
7:21 PM: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
7:21 PM: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
7:21 PM: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
7:21 PM: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
7:21 PM: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
7:21 PM: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
7:21 PM: Registry Sweep Complete, Elapsed Time:00:00:09
7:21 PM: Starting Cookie Sweep
7:21 PM: Found Spy Cookie: about cookie
7:21 PM: compaq_owner@about[1].txt (ID = 2037)
7:21 PM: Found Spy Cookie: yieldmanager cookie
7:21 PM: compaq_owner@ad.yieldmanager[2].txt (ID = 3751)
7:21 PM: Found Spy Cookie: adknowledge cookie
7:21 PM: compaq_owner@adknowledge[1].txt (ID = 2072)
7:21 PM: Found Spy Cookie: hbmediapro cookie
7:21 PM: compaq_owner@adopt.hbmediapro[2].txt (ID = 2768)
7:21 PM: Found Spy Cookie: adrevolver cookie
7:21 PM: compaq_owner@adrevolver[1].txt (ID = 2088)
7:21 PM: compaq_owner@adrevolver[3].txt (ID = 2088)
7:21 PM: Found Spy Cookie: belointeractive cookie
7:21 PM: compaq_owner@ads.belointeractive[2].txt (ID = 2295)
7:21 PM: Found Spy Cookie: ask cookie
7:21 PM: compaq_owner@ask[1].txt (ID = 2245)
7:21 PM: Found Spy Cookie: belnk cookie
7:21 PM: compaq_owner@ath.belnk[2].txt (ID = 2293)
7:21 PM: Found Spy Cookie: atwola cookie
7:21 PM: compaq_owner@atwola[1].txt (ID = 2255)
7:21 PM: Found Spy Cookie: azjmp cookie
7:21 PM: compaq_owner@azjmp[2].txt (ID = 2270)
7:21 PM: Found Spy Cookie: banner cookie
7:21 PM: compaq_owner@banner[1].txt (ID = 2276)
7:21 PM: compaq_owner@belnk[1].txt (ID = 2292)
7:21 PM: compaq_owner@belointeractive[1].txt (ID = 2294)
7:21 PM: Found Spy Cookie: cardomain cookie
7:21 PM: compaq_owner@cardomain[2].txt (ID = 2350)
7:21 PM: compaq_owner@dist.belnk[2].txt (ID = 2293)
7:21 PM: Found Spy Cookie: fe.lea.lycos.com cookie
7:21 PM: compaq_owner@fe.lea.lycos[1].txt (ID = 2660)
7:21 PM: compaq_owner@homepage.belointeractive[1].txt (ID = 2295)
7:21 PM: Found Spy Cookie: howstuffworks cookie
7:21 PM: compaq_owner@howstuffworks[2].txt (ID = 2805)
7:21 PM: Found Spy Cookie: kmpads cookie
7:21 PM: compaq_owner@kmpads[1].txt (ID = 2909)
7:21 PM: Found Spy Cookie: domainsponsor cookie
7:21 PM: compaq_owner@landing.domainsponsor[1].txt (ID = 2535)
7:21 PM: Found Spy Cookie: realmedia cookie
7:21 PM: compaq_owner@realmedia[2].txt (ID = 3235)
7:21 PM: Found Spy Cookie: statcounter cookie
7:21 PM: compaq_owner@statcounter[1].txt (ID = 3447)
7:21 PM: Found Spy Cookie: reliablestats cookie
7:21 PM: compaq_owner@stats1.reliablestats[2].txt (ID = 3254)
7:21 PM: compaq_owner@yieldmanager[1].txt (ID = 3749)
7:21 PM: Found Spy Cookie: zedo cookie
7:21 PM: compaq_owner@zedo[1].txt (ID = 3762)
7:21 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:21 PM: Starting File Sweep
7:21 PM: c:\program files\screensavers.com (8 subtraces) (ID = -2147480365)
7:25 PM: Warning: Failed to open file "c:\my downloads\". The system cannot find the path specified
7:25 PM: Warning: Failed to open file "c:\my downloads\". The system cannot find the path specified
7:25 PM: Warning: Failed to open file "c:\my downloads\". The system cannot find the path specified
7:26 PM: swpstart.exe (ID = 74759)
7:57 PM: Sweep Canceled
********
7:16 PM: | Start of Session, Friday, November 11, 2005 |
7:16 PM: Spy Sweeper started
7:16 PM: Sweep initiated using definitions version 572
7:16 PM: Starting Memory Sweep
7:16 PM: Sweep Canceled
7:16 PM: Memory Sweep Complete, Elapsed Time: 00:00:13
7:16 PM: Traces Found: 0
7:19 PM: | End of Session, Friday, November 11, 2005 |
********
7:15 PM: | Start of Session, Friday, November 11, 2005 |
7:15 PM: Spy Sweeper started
7:16 PM: Warning: Access is denied
7:16 PM: Your spyware definitions have been updated.
7:16 PM: | End of Session, Friday, November 11, 2005 |



Logfile of HijackThis v1.99.1
Scan saved at 9:18:51 AM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282822406
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#4
John_L

John_L

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,398 posts
Hello again thunderguns :tazz:

That spysweeper does such a nice job and makes my life alot easier, but we still have a couple things to do.

Fire up hijack this, press scan only and place checks next to these.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


Close all browsers and click fix on hijack this.

Find your way to these files and delete if found.

C:\WINDOWS\ALCXMNTR.EXE <---This file

Reboot and show me a new log please. :)
  • 0

#5
thunderguns

thunderguns

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:37:26 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
C:\WINDOWS\ALCXMNTR.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282822406
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#6
John_L

John_L

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,398 posts
Hello again :tazz:

Looks like were going to have to go into safe mode to grab that one file.

If your not sure how to click here.

Once there find your way to this file and delete.

C:\WINDOWS\ALCXMNTR.EXE <---This file

Reboot and show me a new log please. :)
  • 0

#7
thunderguns

thunderguns

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Took me awhile, but I think I got it anyways....




Logfile of HijackThis v1.99.1
Scan saved at 11:06:10 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282822406
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#8
John_L

John_L

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,398 posts
Hello again :)

Yep that was the ticket and this is now a nice clean log, congrats!!!! :tazz:

Since your issues have been addressed and you are ready to travel the net again, I will just give you a few ideas on how to stay safe out there. Best of all these programs are all readily available on the net for free :)

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:

Spyware Blaster Spyware Guard

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE--Adaware Tutorial

Spybot S&D--Spybot Tutorial

Antiviruses play an important role in keeping your computer safe and worry free while using the net. *NOTE* Only one antivirus must be allowed to run on your computer, as having two or more running can and will cause conflicts.

AVG Avast

Firewalls are also a must in any good prevention :

Zone Alarm Sygate Kerio

There are different browsers available on the net, other than Internet Explorer, we believe!! these are better for security purposes :

Firefox Opera

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by microsoft.

This can be accessed by going to Windows Updates and following the prompts.

To add to the performance of your computer, i suggest a weekly maintenance program. Run this tool. Ccleaner

Lastly a second opinion on the Antivirus that you have chosen. I suggest running these online virus scans periodically, just to make sure that the av is doing a proper job, of keeping you safe :

Rav Online Scan Housecall Online Scan Panda Activescan

Housecall Java Online Scan<---For those who use Firefox

And finally a little Posted Image How did I get infected in the first place ? (by Mr. Tony Klein and dvk01)

Good luck and safe surfing :woot:
  • 0

#9
thunderguns

thunderguns

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I have the Spywareblaster, Adaware,Spybot, and Ofcourse Spysweeper. For an anti virus I have System Mechanic. About the microsoft updates, I have it turned on, but I cant seem to ever get it to download them. Anyways thanks for all the help. :) :tazz:
  • 0

#10
John_L

John_L

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,398 posts
Your very welcome, and thanks for stopping by. Have a great day and safe surfing :tazz:
  • 0

#11
John_L

John_L

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,398 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP