Hijack Log



#1 OFFLINE   mps69_1999

    Advanced Member

  • Members
  • 215 posts
  • Location:Anywhere your not

Posted 23 August 2006 - 08:51 PM

Can one of you guys have a look at this HJT log?
The PC isn't mine (honest ;) ), it belongs to my father-in-law. I've just tonight managed to install SP2 pack for the very first time.
As a little side bar I can't get his PC to run with my monitor, there's power, but the screen just stays black. I plugged it into an older monitor and it ran no problem. Should I try and get the drivers for my monitor and install them into his?

Anyway here's the log
Logfile of HijackThis v1.99.1
Scan saved at 21:34:41, on 23/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\camtool\VideoMonitor\CamTool.exe
I:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timecomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://198.88.20.155/targ.chm::/win32.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks
mps

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 24 August 2006 - 05:04 PM

Hi mps69_1999

If the monitor came with a disk, try installing that on the PC. Apart from that I'm not sure what would cause that problem :)

Run Hijack This and choose Do A System Scan then place a check next to these entries

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!ht*p://198.88.20.155/targ.chm::/win32.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Then delete these files if they exist:

c:\eied_s7.cab
c:\ex.cab

Download Ewido Anti-Spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner tab at the top and then click on Complete System Scan
  • Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
  • Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Please then post back the Ewido log and a new HijackThis log.

Thanks

Andy
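
Added example, not part of the original thread or of HijackThis: a small Python triage of the O16 (Downloaded Program Files) lines from the log above, which flags the same four entries that were selected for fixing. The heuristics (codebase scheme other than http/https, bare-IP host, no display name, codebase ending in .exe) and all function names are assumptions made for illustration, not rules stated in the thread.

```python
import re
from urllib.parse import urlsplit

# O16 lines copied from the HijackThis log and reply posted in this thread.
SAMPLE_LOG = r"""
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!ht*p://198.88.20.155/targ.chm::/win32.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
"""

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_o16(log_text):
    """Yield (clsid, name, codebase) for every O16 line in a HijackThis log."""
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2) or "", m.group(3)


def review_reasons(name, codebase):
    """Return heuristic reasons (assumed, not HijackThis rules) to review an entry."""
    reasons = []
    scheme = codebase.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        reasons.append(f"codebase scheme '{scheme}' is not http/https")
    elif IPV4_RE.match(urlsplit(codebase).hostname or ""):
        reasons.append("codebase host is a bare IP address")
    if not name:
        reasons.append("control has no display name in the log")
    if codebase.lower().endswith(".exe"):
        reasons.append("codebase points at an .exe")
    return reasons


def triage(log_text):
    """Map CLSID -> reasons for each O16 entry that trips at least one heuristic."""
    flagged = {}
    for clsid, name, codebase in parse_o16(log_text):
        reasons = review_reasons(name, codebase)
        if reasons:
            flagged[clsid] = reasons
    return flagged


if __name__ == "__main__":
    for clsid, reasons in triage(SAMPLE_LOG).items():
        print(clsid, "->", "; ".join(reasons))
```

A flagged entry is a prompt for manual review, not a verdict; unflagged entries still need the usual checks.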

#3 OFFLINE   mps69_1999

Posted 24 August 2006 - 08:48 PM

Hi Andy
First things first, got the monitor working, amazing when the drivers are updated what works ;)

Here's the latest HJT report

Logfile of HijackThis v1.99.1
Scan saved at 20:12:34, on 24/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd3.exe
I:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timecomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

And now the ewido report.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:39:12 24/08/2006

+ Scan result:



C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Program Files\Butterfly Oasis Screensaver\bo1helper.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\Documents and Settings\christine\Local Settings\Temp\smrss.exe -> Downloader.Agent.is : Cleaned with backup (quarantined).
C:\Documents and Settings\brian\Cookies\brian@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@redcatsuk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@thomascook.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@trafic[1].txt -> TrackingCookie.Trafic : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\brian\Cookies\brian@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\christine\Cookies\christine@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\christine\Local Settings\Temporary Internet Files\Content.IE5\4F9F6M39\WinFixer2006FreeInstall[1].exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end

Thanks
mps

#4 OFFLINE   AndyManchesta

Posted 25 August 2006 - 03:33 PM

Hey mps

Glad you got the Monitor problem fixed, I'm useless at techy questions :P

The HijackThis log looks fine but Ewido's detected a few Adware problems and a Trojan Downloader in the temp folder so I think it's worth running a scan with Kaspersky to make sure there aren't more problems.

Run Cleaner to remove the contents of the Temp Folders and then run a scan with Kaspersky

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Please then post back the Kaspersky report if it finds any infections

Cheers

Andy

#5 OFFLINE   mps69_1999

Posted 25 August 2006 - 07:21 PM

Hi Andy
I tried to DL but due to network problems I couldn't get it to work........very long story mate so I won't bore you. I did DL Spybot and ran that, it picked up a couple of things, nothing too bad, bl00dy Gator stuff, gawd I hate their software.
I ran Avast and it picked up a trojan, funny enough it was in the Ewido quarantine file.
I'll keep an eye on the system over the next few weeks and see how it runs.
I'd like to take this time to thank you for all your help, not just for me but for all the other guys on this forum.
Take care :D
mps

#6 OFFLINE   AndyManchesta

Posted 26 August 2006 - 03:44 PM

Hi mps

The Gator junk is bundled with the 'free' Screensavers (on your system the Butterfly Oasis Screensaver) but they can usually be uninstalled without issues using the Add/Remove screen. Spybot and Ad-Aware are also worth running to remove their junk as they usually perform well against them.

Avast is probably detecting the same Trojan Ewido removed (Downloader.Agent.is) so it cannot harm the system as it's in a quarantined area. You can remove them all by opening Ewido and clicking Infections on the top bar, then place checks next to the entries and click Finally Remove.

No problem regarding the help, there's enough people trying to infect PCs so it's nice to be on the side that's removing it :)

Run Ad-Aware if you haven't already and install SpywareBlaster as they have Gator's sites on their blocked list, then let me know if you have any more problems and we can try different scanners.

Cheers

Andy