Re: HijackThisLog Analysis - Ansteph
Here is what you should do.
End the below suspicious processes:
C:\WINDOWS\System32\msserv32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\lserv.exe
Remove these additional browser plug-in keys (O2...O4):
O4 - HKLM\..\Run: [Configuration Loader] msserv32.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msserv32.exe
Reboot the computer and put it into safe mode. Then delete these files from your C: drive.
C:\WINDOWS\System32\msserv32.exe
C:\WINDOWS\System32\lserv.exe
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 11:32:07 AM, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msserv32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\System32\lserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Documents and Settings\Alan Baird\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = website: microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = website: microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [msconfig.exe] C:\msconfig.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [Configuration Loader] msserv32.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msserv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Office] lserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
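
Added example, not part of the original post: a Python cross-check that lists every running process and every O4 autorun entry in a HijackThis log that references a flagged file name, so no startup key is overlooked before the files are deleted. The sample log is constructed from lines of the log above; the names `triage`, `exe_name`, `FLAGGED` and `SAMPLE_LOG` are assumptions of this example.

```python
import re

# Constructed sample: process paths and O4 lines taken from the log in this post.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msserv32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\lserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Configuration Loader] msserv32.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msserv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Office] lserv.exe
"""

# File names the reply marks as suspicious (lower-cased for comparison).
FLAGGED = {"msserv32.exe", "lserv.exe", "pmj151la.bin"}

SPACED_SEP = re.compile(r"\s*\\\s*")  # repairs "C: \ WINDOWS \ x" copy/paste damage
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def exe_name(command):
    """Lower-cased file name of the program an autorun command starts."""
    cmd = command.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return first.rsplit("\\", 1)[-1].lower()

def triage(log_text, flagged=FLAGGED):
    """Return (processes, autoruns) in the log that reference a flagged file."""
    processes, autoruns = [], []
    for raw in log_text.splitlines():
        line = SPACED_SEP.sub(lambda m: "\\", raw.strip())
        m = O4_RE.match(line)
        if m:
            hive, key, label, command = m.groups()
            if exe_name(command) in flagged:
                autoruns.append((hive, key, label, exe_name(command)))
        elif PATH_RE.match(line) and line.rsplit("\\", 1)[-1].lower() in flagged:
            processes.append(line)
    return processes, autoruns

if __name__ == "__main__":
    procs, runs = triage(SAMPLE_LOG)
    print(*procs, *runs, sep="\n")
```

Each tuple returned in `autoruns` is (hive, key, value name, file name), which can be compared line by line against a removal checklist.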