Another HJT logfile if anyone can take a look for me please!

  1. #11
    HJThis (Senior Member)

    Re: Another HJT logfile if anyone can take a look for me please!

    Hi, Matt_Cowan

    Well, you still have that one file that keeps coming back.
    Let's try this here; let me know what it finds, but let it clean
    all it finds.

    By the way, are you running an anti-virus scanner?

    ewido online scanner beta
    http://www.ewido.net/en/onlinescan/

    Again, just let it clean what it finds.

    HGD


  2. #12
    Matt_Cowan (Junior Member)
    Hi HJT, thanks for the reply.

    Yes this is a true persistent pain!

    Problem is, every time we wipe it we lose all the stuff downloaded (like HijackThis, AVG, Spybot, ZoneAlarm etc.) and also it lets this demon back in to wreak havoc!

    Anyway, the problem it seems with this now is that after a few minutes on the PC (not even necessarily online) Windows pops up a message saying something is wrong and I need to go and get some sort of reg-fixer; if I don't, it could lead to data loss or corruption. Once that message has popped up, nothing on the PC will work. Double-click any item - IE, Word, Paint, or even try to open the Task Manager - and the system just freezes. Can't do anything, not even shut it down; have to do it at the button on the tower for that...

    It's a very strange one. I haven't figured out if this virus has got to the mobo yet, or is still contained in the HDD. It can't be, though, as we have wiped the HDD many, many times now, de-partitioned it over and over, and most times it takes a long time to do a re-install as it keeps not doing it right and failing to install certain EXEs and DLLs.

    So I am wondering if the HDD is just completely fubar and needs a new one? Fresh format, fresh install etc....

    Or is this virus lurking somewhere else, like the mobo and will continue to corrupt the system?

    I don't know if I want to wipe again only to find it comes back full force again and we start from square one.

    I will try and get over there tonight, though, and run that programme you said to, and try and get AVG back on and run that too.

  3. #13
    HJThis (Senior Member)
    Hey, Matt_Cowan

    Did the online scan show anything at all? This is big-time odd.
    If not, run the online scan and see if it picks something up.

    If no go, there are other things to try, but it's getting
    hard to reply right away; I have moms on my back.

    You know, it sounds like you get them clean, then
    they go online and we are back here again. Now I know
    it will be hard, but ask them not to use the PC till you have
    them all clean. OK then.

    HGD
    Last edited by HJThis; 27-07-2005 at 04:53 PM.

  4. #14
    Matt_Cowan (Junior Member)
    No, I've not run the scan yet; can't get over to the PC till this evening at the earliest.

    As far as I know, no one is using the PC at all at the moment because it keeps messing up and freezing.

    What I might try, if I can, is plugging in my spare 80GB Maxtor HDD, formatting it and installing XP, and seeing how it runs. If all runs well, then I know his HDD is corrupt, so will get a new one. I am worried, though, that it will screw my spare HDD up as well.

  5. #15
    HJThis (Senior Member)
    Hi, Matt_Cowan

    Not a bad idea at that, but I don't think it will do anything to your
    hard drive. Let me know how it all comes out.

    HGD

  6. #16
    Matt_Cowan (Junior Member)
    Okay, ran the online scanner you provided; it found 15 infections, some spyware, but about 8 or so HIGH RISK ones! Cleaned them all, ran it again and it found 2 more, one labelled BACKDOOR.RBOT and the other very similar. Path was C:\Windows\System\WinPE.exe.

    Here's an up-to-date HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:42:03, on 27/07/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\mapi32.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\winPE.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
    O4 - HKLM\..\Run: [ms ownage] winPE.exe
    O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41A23376-ACB7-4C0D-82EB-E4F39D6A9D48}: NameServer = 194.72.0.114 62.6.40.162
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe
    O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe (file missing)

    I don't like the looks of these:

    O4 - HKLM\..\Run: [ms ownage] winPE.exe
    O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
    Last edited by Matt_Cowan; 27-07-2005 at 09:43 PM.
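    Editor's added example, not part of the thread and not HijackThis's own code: a small Python triage pass over the O4 (autostart) and O23 (service) lines quoted in the post above. The sample lines are copied from that log; the suspicion heuristics (an autostart that names a bare file with no path, a .tmp autostart target, anything under the RunServices key, a service with no vendor string or with its binary missing) are the editor's, not rules HijackThis applies itself.

```python
r"""Added triage helper for HijackThis-style log lines (not from the original thread).

Flags the O4 and O23 entries an analyst would question: autostart commands that
name a bare file with no path (Windows then resolves it via the search path),
autostart targets with a .tmp extension, anything under RunServices (a Win9x-era
key that NT-based Windows does not process, which is why only old-style malware
bothers to populate it), and services with no vendor string or a missing binary.
The heuristics are the editor's, not HijackThis's own rules.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O23 lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe (file missing)
"""

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: Display Name (short) - Owner - path [ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    line: str
    reasons: list


def first_token(cmd):
    """Return the executable part of an autostart command line.

    A quoted path keeps its spaces; an unquoted one ends at the first space,
    which is also how Windows splits it when the entry runs.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_o4(m):
    reasons = []
    exe = first_token(m["cmd"])
    if "\\" not in exe and "/" not in exe:
        reasons.append("bare filename with no path; Windows locates it via the search path")
    if exe.lower().endswith(".tmp"):
        reasons.append("autostart target has a .tmp extension")
    if m["key"].lower().startswith("runservices"):
        reasons.append("RunServices key: not processed by NT-based Windows, typical of Win9x-era malware")
    return reasons


def check_o23(m):
    reasons = []
    if m["owner"] == "Unknown owner":
        reasons.append("service binary carries no vendor information")
    if m["missing"]:
        reasons.append("service registered but its binary is missing on disk")
    return reasons


def triage(log_text):
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m)
        else:
            m = O23_RE.match(line)
            reasons = check_o23(m) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

    Run as a script it prints each flagged line with its reasons. On this sample it flags five entries: the 1.tmp "Anti-Virus Update Scheduler", both winPE.exe autostarts (the RunServices one for two reasons), and the two "Unknown owner" services, while leaving the IgfxTray, Lexmark and Messenger entries alone. The same pattern extends to the O16/O17/O20 lines if you add a matcher per section.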

  7. #17
    Matt_Cowan (Junior Member)
    On some more good advice, I have been advised that tomorrow I should re-wipe the HDD and install over it with Win XP using my SP2 disk, as it should kill what I have. So gonna try that as well and report back when I can.

    Thanks again for your time and advice HJT - reply back when you can - thanks!

  8. #18
    Matt_Cowan (Junior Member)
    Lastly, these pop-ups I am getting keep pointing me in the direction of a non-Windows domain site (one just came up saying go to "http://www.fixupregistry.com", but the site name is always changing), so it suggests to me it is the virus or spyware that is putting up these pop-ups, not Windows itself (plus they are the "old style" windows, not the XP-style ones they should be if it was a proper Windows alert).

  9. #19
    HJThis (Senior Member)
    Hi, Matt_Cowan

    Please download the Killbox.
    Unzip it to the desktop but do NOT run it yet.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Once in Safe Mode, do a file search for this; if found, delete it:

    winPE.exe

    Then do this:

    Copy the text to a Notepad file and save it to your desktop! We will need the file later.

    Once in Safe Mode, please run Killbox.

    Select "Delete on Reboot".

    Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\system32\1.tmp
    C:\WINDOWS\System32\mapi32.exe
    C:\WINDOWS\System32\mousehs.exe


    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If your computer does not restart automatically, please restart it manually.

    Then see how the PC is doing; let us know.

    HGD
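    Editor's added example, not part of the thread and not Killbox's code: the Windows mechanism behind a "Delete on Reboot" request. When a program calls MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT), Windows queues the operation as a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries it out at the next boot before the files are in use. That Killbox relies on this API is the editor's assumption. The block only builds and decodes the value's byte layout, so it runs offline; nothing here touches a live registry. The same decoder lets you inspect a SYSTEM hive to see what is scheduled to disappear or be swapped at reboot, which malware also abuses.

```python
r"""Added example: build and parse the PendingFileRenameOperations REG_MULTI_SZ.

Layout (as written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT): a sequence of
UTF-16LE, NUL-terminated strings, ending with one extra NUL. Strings come in
pairs: the source in NT path form (\??\C:\...) and the destination. An empty
destination means "delete"; a destination starting with "!" means "replace the
existing target" (MOVEFILE_REPLACE_EXISTING). That Killbox's "Delete on Reboot"
uses this mechanism is the editor's assumption; the paths below are the ones
from the post above and are only used to build sample bytes.
"""

NT_PREFIX = "\\??\\"
NUL = "\0"


def encode_pending_ops(deletes, renames=()):
    """Return REG_MULTI_SZ bytes that queue `deletes` (Win32 paths) for removal
    and `renames` ((src, dst, replace_existing) tuples) for moving at reboot."""
    strings = []
    for path in deletes:
        strings.append(NT_PREFIX + path)
        strings.append("")  # empty destination = delete at boot
    for src, dst, replace in renames:
        strings.append(NT_PREFIX + src)
        strings.append(("!" if replace else "") + NT_PREFIX + dst)
    # Every string is NUL-terminated; the whole list ends with one more NUL.
    text = "".join(s + NUL for s in strings) + NUL
    return text.encode("utf-16-le")


def decode_pending_ops(raw):
    """Parse REG_MULTI_SZ bytes into (source, destination, action) tuples.

    Empty destinations are legitimate entries here, so the terminators cannot be
    stripped blindly: a well-formed value yields exactly two trailing "" from
    split() (the text after the final NUL and the list terminator), which are
    removed before pairing.
    """
    parts = raw.decode("utf-16-le").split(NUL)
    if len(parts) < 2 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("value is not double-NUL terminated")
    parts = parts[:-2]
    if len(parts) % 2:
        raise ValueError("odd number of strings; not source/destination pairs")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            action = "delete"
        elif dst.startswith("!"):
            action = "replace"
        else:
            action = "rename"
        ops.append((src, dst, action))
    return ops


# Sample input constructed from the three paths the post tells Killbox to remove.
SAMPLE_DELETES = [
    "C:\\WINDOWS\\system32\\1.tmp",
    "C:\\WINDOWS\\System32\\mapi32.exe",
    "C:\\WINDOWS\\System32\\mousehs.exe",
]

if __name__ == "__main__":
    blob = encode_pending_ops(SAMPLE_DELETES)
    print(f"{len(blob)} bytes queued")
    for src, dst, action in decode_pending_ops(blob):
        print(f"{action:8s} {src} {dst}")
```

    Running it prints three "delete" operations for the queued paths. Reading the value back after a cleanup (from the live key on Windows, or from an exported SYSTEM hive with a registry parser) confirms what will actually be removed at the next boot; an unexpected "replace" entry pointing into System32 is worth as much attention as any O4 line.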

  10. #20
    Matt_Cowan (Junior Member)
    I am going over there very shortly, so will try this.

    But I have been told by a guy I know (who works in IT) that apparently the problem is: yes, it HAS a virus, but installing SP2 on the HDD as a fresh install contains a blocker for this virus, and to try that first. What do you think?
