Solved

Hijack This Logfile needs analysis

Posted on 2004-11-01
6
Medium Priority
364 Views
Last Modified: 2012-05-05
Here's another machine output from Hijack This.  I have run Spybot, AdAware & Coolwebshredder multiple times.  They each remove some stuff but NOT everything.  Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 11:31:55 AM, on 11/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
O9 - Extra button: (no name) - {11B54677-76F7-440C-B2FD-FEA0A899FA4C} - (no file) (HKCU)
O9 - Extra button: (no name) - {9EBAB537-B6C8-48AC-ADDE-F8078DDD21BE} - (no file) (HKCU)
O9 - Extra button: (no name) - {DE014998-0AE7-4B8E-B70F-949FE48BC1D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EAAE55D-AA2C-41B6-B04F-0E869FC84070} - (no file) (HKCU)
O9 - Extra button: (no name) - {CC9F6F78-7005-431D-A898-FAE800EC1DB2} - (no file) (HKCU)
O9 - Extra button: (no name) - {9860DA73-DE35-4583-8272-D5B3CC3B8E69} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE1F3D2E-5FC8-4FE9-BD25-F5DC58DEE60D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C148228F-E0BA-4CD1-9D3E-21E1D6B67E4C} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O13 - WWW. Prefix: http://
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiClasses/Client_IE.cab
Question by:BrettFavre4
6 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12465615
Hello BrettFavre4 =)

Plzz post ur log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12465643
>> O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll

and use LSPFix to remove this file >> http://www.spychecker.com/program/lspfix.html
And then download these tools,

========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off ur System Restore before cleaning the system if its WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Then Run all of them one by one in safemode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on ur hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)
0
 

Author Comment

by:BrettFavre4
ID: 12466595
I went thru and analyzed the output (not to mention reviewed the tutorial).  A couple of questions still exist............

These should all be fixed/removed????  (not sure, still trying to find answers)

C:\WINDOWS\RUNDLL32.EXE                 (HJT says "nasty")
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe...............(HJT says "unknown")
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe...............(HJT says "unknown")
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe...............(HJT says "safe")
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE...............(HJT says "unknown")
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl...............(HJT says "unknown")

                             
These WILL be deleted/fixed........... right??

O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
O9 - Extra button: (no name) - {11B54677-76F7-440C-B2FD-FEA0A899FA4C} - (no file) (HKCU)
O9 - Extra button: (no name) - {9EBAB537-B6C8-48AC-ADDE-F8078DDD21BE} - (no file) (HKCU)
O9 - Extra button: (no name) - {DE014998-0AE7-4B8E-B70F-949FE48BC1D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EAAE55D-AA2C-41B6-B04F-0E869FC84070} - (no file) (HKCU)
O9 - Extra button: (no name) - {CC9F6F78-7005-431D-A898-FAE800EC1DB2} - (no file) (HKCU)
O9 - Extra button: (no name) - {9860DA73-DE35-4583-8272-D5B3CC3B8E69} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE1F3D2E-5FC8-4FE9-BD25-F5DC58DEE60D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C148228F-E0BA-4CD1-9D3E-21E1D6B67E4C} - (no file) (HKCU)
O13 - WWW. Prefix: http://

This will be fixed by running lspfix....
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll



0

 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 1000 total points
ID: 12466689
>> C:\WINDOWS\RUNDLL32.EXE
nah dont fix it, its valid when u are using Win98\ME,,,,, coz in Win2k\xp it runs from C:\Windows\System32 :)

>> O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe...............(HJT says "unknown")
this is peper trojan, get its removal tool and run it in safemode >> http://downloads.subratam.org/PeperFix.exe

>> O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe...............(HJT says "unknown")
Fix it !!

>> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe...............(HJT says "safe")
this is valid, leave it >> http://www.liutilities.com/products/wintaskspro/processlibrary/mstask/

>> O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE...............(HJT says "unknown")
Fix It !!

>> O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl...............(HJT says "unknown")
This is for AOL, leave it !!

>> These WILL be deleted/fixed........... right??
yeah fix them all !!

>> This will be fixed by running lspfix....
yeah LSPFix can remove this c:\windows\system\lspak.dll entry from winsock settings !!

:)
0
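As an added example (not part of this thread and not HijackThis's own code), the following Python script applies the triage rules SheharyaarSaahil gives in the accepted answer to a constructed, abridged copy of the posted log: orphaned O9 "(no file)" buttons are safe to fix, the repeated O10 lines are a single LSP entry that should be removed with an LSP repair tool rather than by deleting the DLL, rundll32.exe belongs directly in C:\WINDOWS on Win9x/ME but under system32 on the 2000/XP line, and the O4 entries the answer vouches for are kept. The known-good executable list, the random-key-name heuristic and the about:blank check are my own assumptions for illustration, not rules stated in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the posted log (abridged; entries taken from the thread).
SAMPLE_LOG = r"""Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\RUNDLL32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
"""

@dataclass
class Finding:
    section: str  # R0/R1, O4, O9, O10, or PROC for a running process
    verdict: str  # keep, fix, review or info
    item: str     # the entry or path the verdict applies to
    reason: str

# Executables the accepted answer vouches for on this Win ME box (thread-specific assumption, not a general allowlist).
KNOWN_GOOD_O4 = {"systray.exe", "scanregw.exe", "taskmon.exe", "mstask.exe", "statemgr.exe", "aim.exe"}
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|dll))"?', re.I)

def _odd_key_name(name: str) -> bool:
    # Heuristic (assumption): symbols, or long vowel-less letter soup, look machine-generated.
    if re.fullmatch(r"[A-Za-z0-9 ._*-]+", name) is None:
        return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and not re.search(r"[aeiouAEIOU]", letters)

def triage_o4(body: str) -> Finding:
    m = O4_RE.match(body)
    if not m:
        return Finding("O4", "review", body, "unrecognised O4 format")
    name, cmd = m.group("name"), m.group("cmd")
    exe = EXE_RE.match(cmd)
    parent, _, base = (exe.group("path") if exe else cmd).rpartition("\\")
    if base.lower() in KNOWN_GOOD_O4:
        return Finding("O4", "keep", body, base + " is vouched for on this system")
    reasons = ["random-looking key name " + name] if _odd_key_name(name) else []
    if not parent:
        reasons.append("bare filename, launch location unknown")
    elif parent.lower() in (r"c:\windows", r"c:\windows\system"):
        reasons.append("unknown program in the Windows/system directory")
    return Finding("O4", "fix" if _odd_key_name(name) else "review", body,
                   "; ".join(reasons) or "not vouched for; research before fixing")

def triage_o9(body: str) -> Finding:
    if "(no file)" in body:
        return Finding("O9", "fix", body, "orphaned IE button: the referenced file is gone")
    return Finding("O9", "review", body, "button points at an existing file; check which program owns it")

def triage_r(sec: str, body: str) -> Finding:
    value = body.partition(" = ")[2].strip()
    if value == "about:blank":
        return Finding(sec, "review", body, "IE search setting redirected to about:blank, a classic hijack signature")
    return Finding(sec, "info", body, "set to " + value + "; confirm the user chose it")

def rundll32_location_ok(platform_line: str, path: str) -> bool:
    # The accepted answer's point: rundll32.exe sits in the Windows directory on Win9x/ME, under system32 on 2000/XP.
    parent = path.rpartition("\\")[0].lower()
    if "win9x" in platform_line.lower():
        return parent == r"c:\windows"
    return parent.endswith("system32")

def analyse(log_text: str) -> list[Finding]:
    findings, lsp, platform, in_procs = [], Counter(), "", False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("Platform:"):
            platform = line
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = line != ""  # the process list ends at the first blank line
            if line.lower().endswith("\\rundll32.exe"):
                ok = rundll32_location_ok(platform, line)
                findings.append(Finding("PROC", "keep" if ok else "review", line,
                                        "rundll32.exe location is " + ("expected" if ok else "unexpected")))
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            findings.append(triage_o4(body))
        elif sec == "O9":
            findings.append(triage_o9(body))
        elif sec == "O10":  # collapse the repeated LSP lines into one finding per DLL
            lsp[body.partition(":")[2].strip().lower()] += 1
        elif sec[0] == "R":
            findings.append(triage_r(sec, body))
    for path, n in lsp.items():
        findings.append(Finding("O10", "review", path, f"unknown LSP listed {n} time(s) in the Winsock chain; "
                                "remove with an LSP repair tool, not by deleting the DLL, or networking breaks"))
    return findings
```

Running `analyse(SAMPLE_LOG)` yields one `Finding` per entry (the two identical O10 lines become a single finding with a count), so the output reads like the question-and-answer exchange above: Cby65.exe and DISPHBK.EXE come back as `fix`, scanregw.exe and aim.exe as `keep`, the orphaned button as `fix`, and the LSP entry as `review` with the repair-tool caveat.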
 

Author Comment

by:BrettFavre4
ID: 12477614
Thanx..........Cby65.exe was really throwing me for a loop.

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12477651
:)
0

Question has a verified solution.
