Did I Catch All The Baddies?


  • This topic is locked
5 replies to this topic

#1 johntee

Posted 03 February 2006 - 12:32 PM

Hi folks. I've run a lot of programs on this computer to get rid of the bad guys, and it's certainly a lot better, but I suspect there's still one or two I haven't managed to get rid of. Any help would be appreciated.

I haven't managed to remove:
O2 - BHO: (no name) - {25C66CEA-72F8-1DC8-8F60-9FD1987278BE} - (no file)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atleb32.exe (I think this is a baddie, but not sure)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing) (I'm not with AOL anymore)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE (I don't use a Lexmark printer anymore)

Once I know it's clean, I'll upgrade to XP Service Pack 2.
There are about 6 user accounts on this PC (all Administrators), so would I have to do all the steps under each account? (Hope not.)


Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:47 PM, on 2/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\atleb32.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {25C66CEA-72F8-1DC8-8F60-9FD1987278BE} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atleb32.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


#2 miekiemoes

Posted 04 February 2006 - 09:41 AM

Hello,

Download AboutBuster.
Unzip AboutBuster.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

* Start Aboutbuster and let it scan.
The log will be saved in the aboutbuster-folder.
Post the log in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 johntee

Posted 04 February 2006 - 11:00 PM

Hi. I ran AboutBuster (twice as it said to), in Safe Mode. Here are the new HijackThis and AboutBuster log files. Looks like something is still lurking...


Logfile of HijackThis v1.99.1
Scan saved at 10:52:12 PM, on 2/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {25C66CEA-72F8-1DC8-8F60-9FD1987278BE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - C:\Program Files\WINnerTweak3\PopUp Blocker.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


AboutBuster 6.0
Scan started on [2/4/2006] at [10:49:12 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
Removed File! : C:\WINDOWS\fkqudi.dat
Removed File! : C:\WINDOWS\dhxxqc.dat
Removed File! : C:\WINDOWS\hghagl.log
Removed File! : C:\WINDOWS\zmzpks.txt
Removed File! : C:\WINDOWS\apprn32.dll
Removed File! : C:\WINDOWS\zhsgiw.log
Removed File! : C:\WINDOWS\zyjoie.dat
Removed File! : C:\WINDOWS\dbxxmh.dat
Removed File! : C:\WINDOWS\gtgkq.txt
Removed File! : C:\WINDOWS\fwfhis.txt
Removed File! : C:\WINDOWS\gtgkqi.txt
Removed File! : C:\WINDOWS\wgpnmj.log
Removed File! : C:\WINDOWS\oamgem.dat
Removed File! : C:\WINDOWS\msnr.exe
Removed File! : C:\WINDOWS\mset32.exe
Removed File! : C:\WINDOWS\addub.exe
Removed File! : C:\WINDOWS\msgx.exe
Removed File! : C:\WINDOWS\kjscje.dat
Removed File! : C:\WINDOWS\n_byiwyg.dat
Removed File! : C:\WINDOWS\n_rbjswn.log
Removed File! : C:\WINDOWS\n_mboqbh.dat
Removed File! : C:\WINDOWS\n_lcgwdn.log
Removed File! : C:\WINDOWS\n_sxngsn.txt
Removed File! : C:\WINDOWS\n_eezvtw.log
Removed File! : C:\WINDOWS\xqoqf.log
Removed File! : C:\WINDOWS\n_fmjkbc.txt
Removed File! : C:\WINDOWS\n_eficgp.dat
Removed File! : C:\WINDOWS\n_pnbbhb.dat
Removed File! : C:\WINDOWS\n_tfwrlj.txt
Removed File! : C:\WINDOWS\n_pybmzo.dat
Removed File! : C:\WINDOWS\n_vrpnjv.txt
Removed File! : C:\WINDOWS\n_qddmts.txt
Removed File! : C:\WINDOWS\n_mwstgh.dat
Removed File! : C:\WINDOWS\n_skakza.log
Removed File! : C:\WINDOWS\n_jizesh.log
Removed File! : C:\WINDOWS\n_anejrr.log
Removed File! : C:\WINDOWS\n_mxqkot.txt
Removed File! : C:\WINDOWS\n_kptvhn.txt
Removed File! : C:\WINDOWS\n_jjripm.dat
Removed File! : C:\WINDOWS\n_bhvxaq.txt
Removed File! : C:\WINDOWS\n_pjrkue.txt
Removed File! : C:\WINDOWS\n_mbonix.log
Removed File! : C:\WINDOWS\lsrqz.dat
Removed File! : C:\WINDOWS\n_oeqyfg.txt
Removed File! : C:\WINDOWS\jocig.log
Removed File! : C:\WINDOWS\n_xjfmde.dat
Removed File! : C:\WINDOWS\n_ryrvhj.txt
Removed File! : C:\WINDOWS\jdwxfj.dat
Removed File! : C:\WINDOWS\olqfs.log
Removed File! : C:\WINDOWS\n_hhospt.dat
Removed File! : C:\WINDOWS\n_sifeoy.dat
Removed File! : C:\WINDOWS\n_kfuton.log
Removed File! : C:\WINDOWS\n_zjcscu.log
Removed File! : C:\WINDOWS\hzrkwa.dat
Removed File! : C:\WINDOWS\spvsn.log
Removed File! : C:\WINDOWS\System32\avone.log
Removed File! : C:\WINDOWS\System32\zwbvj.txt
Removed File! : C:\WINDOWS\System32\wuhpd.log
Removed File! : C:\WINDOWS\System32\zmzpk.dat
Removed File! : C:\WINDOWS\System32\ntwt32.exe
Removed File! : C:\WINDOWS\System32\atleb32.exe
Removed File! : C:\WINDOWS\System32\winsr.exe
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:50:13 PM


AboutBuster 6.0
Scan started on [2/4/2006] at [10:50:49 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:51:23 PM

#4 johntee

Posted 04 February 2006 - 11:41 PM

Hi again. Just realized as I ran HijackThis scan under the other user-accounts on this PC... do I need to run each of the (many) anti-spyware programs/techniques against EACH of the user-accounts? (There are 5 users set up on the PC.)
I did run HijackThis under each of them, and they mostly look like what I've posted above. (Some had Webrebates.com links that I fixed using HJT.) Now all look mostly as shown above (still can't get rid of O2-BHO, and AOL Connectivity and ZeroSpyware FileDeleter and LexBce server no matter how many times I run the Fix).
Thanks!!

#5 miekiemoes

Posted 05 February 2006 - 01:52 AM

Hello,

Can you post a log made in normal mode please?

Why would you like to delete AOL Connectivity and ZeroSpyware FileDeleter and LexBce server? Nothing wrong with them...
You may not just check and fix all entries in a log, a lot are legit and needed!
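Added example, not part of the original thread or of HijackThis itself: a small triage pass over the O2 and O23 lines quoted in the first log, showing why entries that look alike ("Unknown owner") call for different handling. The function name `triage` and the verdict labels are hypothetical; the sample lines are copied from the log above.

```python
import re

# Sample input: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {25C66CEA-72F8-1DC8-8F60-9FD1987278BE} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atleb32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O23 body: "Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
SERVICE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<name>[^()]*)\) - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

def triage(log_text):
    """Return (section, subject, verdict) for each O2/O23 entry.

    Verdicts (labels invented for this example):
      orphaned     - registration points at a file that is not on disk
      verify       - file exists but carries no company name; inspect the file
      named-vendor - file carries a vendor name (self-declared, not proof)
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, body.split(" - ")[1], "orphaned"))
        elif section == "O23":
            s = SERVICE.match(body)
            if not s:
                findings.append((section, body, "unparsed"))
                continue
            path = s.group("path")
            if path.endswith("(file missing)"):
                verdict = "orphaned"   # leftover entry, nothing can start from it
            elif s.group("owner") == "Unknown owner":
                verdict = "verify"     # present and unattributed: check the binary
            else:
                verdict = "named-vendor"
            findings.append((section, path.replace(" (file missing)", ""), verdict))
    return findings
```

The AOL and atleb32.exe services both read "Unknown owner", but only the second has a file on disk to examine; the first is a leftover registration.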

#6 miekiemoes

Posted 12 February 2006 - 05:41 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.