Trying to clean up a hijack

  1. 20-08-2004  #1
    mistressfate
    mistressfate is offline Newbie

    Trying to clean up a hijack

    Hi guys! I've been taking some advice and trying to clean up a hijack or two.

    I've recently deleted runwin32.exe and wininet32.exe. I'm still having some trouble with http:/easy-search.biz However it doesn't show up on my current account, but my administration account.

    Plus, I don't know if it's even related, but when I try to install software, Microsoft Front Page installation pops up. It happened just now as I installed Spyware Guard.

    Without further delay, here is my log. Your help is greatly appreciated!


    Logfile of HijackThis v1.98.2
    Scan saved at 6:15:52 PM, on 8/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\lonewolf & cee\Desktop\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {E94CBC40-16DE-4DF0-829C-6A37E5167357} - C:\WINDOWS\System32\mfplay.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [eBsERRimT] vbaat32.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/ente...secall_pre.php (file missing)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
    O9 - Extra button: Microsoft® VBScript® Console - {8D155506-DC14-4540-AF6E-F8A905670456} - (no file)
    O9 - Extra 'Tools' menuitem: VBScript Terminal - {8D155506-DC14-4540-AF6E-F8A905670456} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
    O9 - Extra button: Microsoft® VBScript® Terminal - {8D155506-DC14-4540-AF6E-F8A905670456} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU)
    O9 - Extra 'Tools' menuitem: VBScript Terminal - {8D155506-DC14-4540-AF6E-F8A905670456} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = S26452.tjem.com
    O17 - HKLM\Software\..\Telephony: DomainName = S26452.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2092BD9C-D74F-403C-9F4C-63D814B5BF3F}: Domain = S26452.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{415B4D25-B64D-44E2-BDBC-C625EA3FC71D}: Domain = S26452.tjem.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E95ADBE7-EA0E-43BA-BAF6-D20CBC74CF84}: Domain = S26452.tjem.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = S26452.tjem.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2092BD9C-D74F-403C-9F4C-63D814B5BF3F}: Domain = S26452.tjem.com

  3. 21-08-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Hello,
    Sorry about the long response time.

    Is this log from your Admin account? We need to fix things with admin priveledges so I need the log from your Admin account please. Thanks.
+ Reply to Thread
« CoolSearch Hijacked My Computer !! | hijack this »