Solved

HijackThis and Spybot log analysis

Posted on 2004-08-25
Last Modified: 2009-07-29
I need some expert analysis on this HiJack log and startup list log.  I've also included a copy of Spybot's LSP report.  The only thing that I've noticed that doesn't look right is the presence of Shop At Home agent (sahagent) from Spybot's LSP report.   Please tell me if there's anything else that looks suspicious.

Thank you,

Refined

~~~~

HiJack Log
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Logfile of HijackThis v1.98.2
Scan saved at 4:29:12 PM, on 8/24/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\msdtc.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\SYSTEM32\CPQRCMC.EXE
C:\ExecSoft\Diskeep\DKSERVICE.EXE
C:\ExecSoft\Diskeep\Control.exe
d:\FAIRCOM\ctsrvr.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\System32\llssrv.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Compaq\Survey\Surveyor.EXE
C:\WINNT\System32\sysdown.exe
C:\ExecSoft\Undelete\UdServe.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\cpqnimgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\CqMgStor\CqMgStor.EXE
C:\WINNT\system32\cpqmgmt\CqMgHost\CqMgHost.exe
C:\WINNT\system32\cpqmgmt\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINNT\regedit.exe
C:\TEMP\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.0.7 67.98.11.130 67.98.11.131
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.0.7 67.98.11.130 67.98.11.131

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Spybot-S&D winsock LSP report, 8/24/04 4:36:07 PM

NS Provider ( 1) TCP/IP ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
NS Provider ( 2) NWLink IPX/SPX Compatible Transport Protocol ({E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B})
Protocol ( 1) SAHagent MSAFD Tcpip [TCP/IP] ({D8C3E667-9814-4D11-8C51-C43450AA6D60})
Protocol ( 2) SAHagent MSAFD Tcpip [UDP/IP] ({EFE85258-AC8E-4BF5-B2E9-65CA261A63CC})
Protocol ( 3) SAHagent MSAFD Tcpip [RAW/IP] ({24F1DE55-EDA0-4859-9BB4-9CFB056D1D2E})
Protocol ( 4) SAHagent MSAFD NwlnkIpx [IPX] ({90B81905-B99C-47BF-9EC6-18F57D715C13})
Protocol ( 5) SAHagent MSAFD NwlnkSpx [SPX] ({0F5CCA8D-9909-42FD-9395-6D278ED0C927})
Protocol ( 6) SAHagent MSAFD NwlnkSpx [SPX] [Pseudo Stream] ({29DAE256-AFB4-4793-B28C-FEBCEBE14773})
Protocol ( 7) SAHagent MSAFD NwlnkSpx [SPX II] ({6D944389-3DFC-4BA4-BB4C-734734695444})
Protocol ( 8) SAHagent MSAFD NwlnkSpx [SPX II] [Pseudo Stream] ({218532B6-FBE9-4827-BDA0-80BBB1A74D0C})
Protocol ( 9) SAHagent MSAFD NetBIOS [\Device\NetBT_CpqNF31] SEQPACKET 0 ({20F9C36A-E80B-4B57-A283-CD0C8BB45D12})
Protocol (10) SAHagent MSAFD NetBIOS [\Device\NetBT_CpqNF31] DATAGRAM 0 ({52A3D2D2-07F1-4E22-98A1-62CB2FF0B9C6})
Protocol (11) SAHagent MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 1 ({F69E9106-74EC-4D09-94DD-FEB668E73FE4})
Protocol (12) SAHagent MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 1 ({8CE9D8E8-C5D3-43C7-9C58-865467B3AB4B})
Protocol (13) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (14) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (15) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (16) MSAFD NwlnkIpx [IPX] ({11058240-BE47-11CF-95C8-00805F48A192})
Protocol (17) MSAFD NwlnkSpx [SPX] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (18) MSAFD NwlnkSpx [SPX] [Pseudo Stream] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (19) MSAFD NwlnkSpx [SPX II] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (20) MSAFD NwlnkSpx [SPX II] [Pseudo Stream] ({11058241-BE47-11CF-95C8-00805F48A192})
Protocol (21) MSAFD NetBIOS [\Device\NetBT_CpqNF31] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (22) MSAFD NetBIOS [\Device\NetBT_CpqNF31] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (23) MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (24) MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (25) SAHagent ({5A21F160-DF30-11CF-8927-00AA00539F1C})

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

StartupList report, 8/24/04, 4:08:53 PM
StartupList version: 1.52.2
Started from : C:\TEMP\HijackThis.EXE
Detected: Windows NT 4 SP6 (WinNT 4.00.1381)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\msdtc.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\PowerChute Business Edition\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\SYSTEM32\CPQRCMC.EXE
C:\ExecSoft\Diskeep\DKSERVICE.EXE
C:\ExecSoft\Diskeep\Control.exe
d:\FAIRCOM\ctsrvr.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\System32\llssrv.exe
c:\winnt\system32\pstores.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Compaq\Survey\Surveyor.EXE
C:\WINNT\System32\sysdown.exe
C:\ExecSoft\Undelete\UdServe.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\cpqnimgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\CqMgStor\CqMgStor.EXE
C:\WINNT\system32\cpqmgmt\CqMgHost\CqMgHost.exe
C:\WINNT\system32\cpqmgmt\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit,nddeagnt.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
BrowserWebCheck = loadwc.exe
mdac_runonce = C:\WINNT\System32\runonce.exe
SchedulingAgent = mstinit.exe /logon
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry key not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {000006B1-19B5-414A-849F-2A3C64AE6939}
(no name) - (no file) - {00000EF1-0786-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[CSND_AX.ctlCSND_AX]
InProcServer32 = C:\WINNT\Downloaded Program Files\CSND_AX.ocx
CODEBASE = http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB

[DLC Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\grTransferCtrl.dll
CODEBASE = http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate.microsoft.com/R1150/V31Controls/x86/nt4/en/actsetup.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINNT\Installer\InstMsi0\cabinet.dll||C:\WINNT\Installer\InstMsi0\imagehlp.dll||C:\WINNT\Installer\InstMsi0\instmsi.msi||C:\WINNT\Installer\InstMsi0\msiinst.exe||C:\WINNT\Installer\InstMsi0\msimain.sdb||C:\WINNT\Installer\InstMsi0\msls31.dll||C:\WINNT\Installer\InstMsi0\riched20.dll||C:\WINNT\Installer\InstMsi0\sdbapiU.dll||C:\WINNT\Installer\InstMsi0\shfolder.dll||C:\WINNT\Installer\InstMsi0\usp10.dll||C:\WINNT\Installer\InstMsi0||C:\WINNT\cle10D.tmp\cleanup.exe||C:\WINNT\cle10D.tmp||C:\WINNT\cle112.tmp\cleanup.exe||C:\WINNT\cle112.tmp||C:\WINNT\cle113.tmp\cleanup.exe||C:\WINNT\cle113.tmp||C:\WINNT\cle1F0.tmp\cleanup.exe||C:\WINNT\cle1F0.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 6,042 bytes
Report generated in 0.090 seconds

Accepted Solution by: Luc Franken (earned 250 total points), ID: 11912248
Hi refined,

Your logfile looks pretty clean to me, just some minor thingies:

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

You can let HijackThis fix those lines.

About "Shop at Home", it seems that Spybot S&D was able to remove it fully, as it's not visible in your HijackThis log, which it should be if you were still having problems with this.

Greetings,

LucF
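As an added example (not part of this thread, nor code from HijackThis or Spybot), a small Python checker that applies the two points made above to log text: it lists O2 BHO entries that point at "(no file)", and lists Winsock catalog entries that are not stock MSAFD base providers, recovering which base provider each one is layered over. The sample lines are constructed from the line formats shown in the question.

```python
import re

# Constructed sample input modelled on the HijackThis and Spybot LSP line
# formats shown in the question (not the full logs).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""
LSP_SAMPLE = r"""
Protocol ( 1) SAHagent MSAFD Tcpip [TCP/IP] ({D8C3E667-9814-4D11-8C51-C43450AA6D60})
Protocol (13) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol (25) SAHagent ({5A21F160-DF30-11CF-8927-00AA00539F1C})
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (" + GUID + r") - (.*)$")
LSP_RE = re.compile(r"^Protocol \(\s*(\d+)\) (.*?) \((" + GUID + r")\)$")


def orphaned_bhos(log_text):
    """CLSIDs of O2 entries whose DLL is gone: a dead registration that
    HijackThis shows as '(no file)' and that can simply be removed."""
    return [m.group(2) for m in map(BHO_RE.match, log_text.splitlines())
            if m and m.group(3).strip() == "(no file)"]


def layered_lsps(report_text):
    """Winsock catalog entries that are not stock Microsoft base providers.
    In Spybot's report a layered provider appears as '<layer> <base name>',
    so the base provider is recovered by suffix match against the other
    entries; a non-MSAFD name with no base is reported with over=None."""
    entries = [(int(m.group(1)), m.group(2), m.group(3))
               for m in map(LSP_RE.match, report_text.splitlines()) if m]
    names = {name for _, name, _ in entries}
    findings = []
    for idx, name, guid in entries:
        if name.startswith("MSAFD"):
            continue  # stock Microsoft base provider
        base = next((n for n in names if n != name and name.endswith(" " + n)), None)
        layer = name[:-(len(base) + 1)] if base else name
        findings.append({"index": idx, "layer": layer, "over": base, "guid": guid})
    return findings


if __name__ == "__main__":
    for clsid in orphaned_bhos(HJT_SAMPLE):
        print("orphaned BHO:", clsid)
    for f in layered_lsps(LSP_SAMPLE):
        print("non-stock LSP #%d: %s layered over %s" % (f["index"], f["layer"], f["over"]))
```

Run against the full logs in the question, the checker reports the two orphaned BHOs and all thirteen SAHagent catalog entries, which is the same picture the answer draws by eye.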
Expert Comment by: Asta Cu, ID: 11944260
I believe the information provided should have helped you resolve this, true?  If more is needed or you have additional information in this regard, please do update this.
Thank you,
Asta
Expert Comment by: Asta Cu, ID: 11954033
Terrific!  Thanks for finalizing this.