  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 368

Hijack This Logfile needs analysis

Here's another machine output from Hijack This.  I have run Spybot, AdAware & Coolwebshredder multiple times.  They each remove some stuff but NOT everything.  Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 11:31:55 AM, on 11/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
O9 - Extra button: (no name) - {11B54677-76F7-440C-B2FD-FEA0A899FA4C} - (no file) (HKCU)
O9 - Extra button: (no name) - {9EBAB537-B6C8-48AC-ADDE-F8078DDD21BE} - (no file) (HKCU)
O9 - Extra button: (no name) - {DE014998-0AE7-4B8E-B70F-949FE48BC1D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EAAE55D-AA2C-41B6-B04F-0E869FC84070} - (no file) (HKCU)
O9 - Extra button: (no name) - {CC9F6F78-7005-431D-A898-FAE800EC1DB2} - (no file) (HKCU)
O9 - Extra button: (no name) - {9860DA73-DE35-4583-8272-D5B3CC3B8E69} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE1F3D2E-5FC8-4FE9-BD25-F5DC58DEE60D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C148228F-E0BA-4CD1-9D3E-21E1D6B67E4C} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O13 - WWW. Prefix: http://
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiClasses/Client_IE.cab

Asked by BrettFavre4
1 Solution
SheharyaarSaahil commented:
Hello BrettFavre4 =)

Plzz post ur log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they should be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantage of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log analysis, then copy the link of that page and paste it here, and we will check it for u :)

SheharyaarSaahil commented:
>> O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll

and use LSPFix to remove this file >> http://www.spychecker.com/program/lspfix.html
And then download these tools,

========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off ur System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Then Run all of them one by one in safemode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on ur hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)

BrettFavre4 (author) commented:
I went thru and analyzed the output (not to mention reviewed the tutorial).  A couple of questions still exist............

These should all be fixed/removed????  (not sure, still trying to find answers)

C:\WINDOWS\RUNDLL32.EXE                 (HJT says "nasty")
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe...............(HJT says "unknown")
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe...............(HJT says "unknown")
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe...............(HJT says "safe")
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE...............(HJT says "unknown")
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl...............(HJT says "unknown")

These WILL be deleted/fixed........... right??

O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
O9 - Extra button: (no name) - {11B54677-76F7-440C-B2FD-FEA0A899FA4C} - (no file) (HKCU)
O9 - Extra button: (no name) - {9EBAB537-B6C8-48AC-ADDE-F8078DDD21BE} - (no file) (HKCU)
O9 - Extra button: (no name) - {DE014998-0AE7-4B8E-B70F-949FE48BC1D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EAAE55D-AA2C-41B6-B04F-0E869FC84070} - (no file) (HKCU)
O9 - Extra button: (no name) - {CC9F6F78-7005-431D-A898-FAE800EC1DB2} - (no file) (HKCU)
O9 - Extra button: (no name) - {9860DA73-DE35-4583-8272-D5B3CC3B8E69} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE1F3D2E-5FC8-4FE9-BD25-F5DC58DEE60D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C148228F-E0BA-4CD1-9D3E-21E1D6B67E4C} - (no file) (HKCU)
O13 - WWW. Prefix: http://

This will be fixed by running lspfix....
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll

SheharyaarSaahil commented:
>> C:\WINDOWS\RUNDLL32.EXE
nah don't fix it, it's valid when u are using Win98\ME,,,,, coz in Win2k\xp it runs from C:\Windows\System32 :)

>> O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe...............(HJT says "unknown")
this is peper trojan, get its removal tool and run it in safemode >> http://downloads.subratam.org/PeperFix.exe

>> O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe...............(HJT says "unknown")
Fix it !!

>> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe...............(HJT says "safe")
this is valid, leave it >> http://www.liutilities.com/products/wintaskspro/processlibrary/mstask/

>> O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE...............(HJT says "unknown")
Fix It !!

>> O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl...............(HJT says "unknown")
This is for AOL, leave it !!

>> These WILL be deleted/fixed........... right??
yeah fix them all !!

>> This will be fixed by running lspfix....
yeah LSPFix can remove this c:\windows\system\lspak.dll entry from winsock settings !!

:)

BrettFavre4 (author) commented:
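A small triage script for the log format posted in the question, added here as an example; it is not part of this thread, of HijackThis, or of the hijackthis.de analyser. It parses the R0/R1, O4, O9 and O10 lines and encodes the reasoning SheharyaarSaahil applies above: known Windows ME components are left alone, autorun entries with machine-generated value names or unknown executables dropped into the system directory are questioned, orphaned O9 buttons are safe to fix, and the seven identical O10 lines are reported once as one damaged LSP chain to be repaired with an LSP tool rather than by deleting the DLL. The sample input is an excerpt of the log in the question; the KNOWN_GOOD set, the looks_random() heuristic and the finding texts are this example's own assumptions, not HijackThis rules.

```python
import re
from collections import Counter

# Sample input: an excerpt of the HijackThis log posted in the question above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O13 - WWW. Prefix: http://
"""

# "R1 - <body>" / "O4 - <body>"; header lines such as "Platform:" do not match.
LINE_RE = re.compile(r'^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$')
# O4 body: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r'^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Executables the thread's triage treats as legitimate Windows ME components
# (assumption of this example; a real allowlist would be per-OS and hash-based).
KNOWN_GOOD = {'systray.exe', 'scanregw.exe', 'taskmon.exe', 'mstask.exe', 'statemgr.exe'}


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group('sec'), m.group('body')))
    return entries


def exe_name(cmd):
    """Lower-case file name of the executable in a Run command, arguments and quotes removed."""
    cmd = cmd.strip().strip('"')
    m = re.match(r'^(.*?\.exe)\b', cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd.split()[0]
    return path.rsplit('\\', 1)[-1].lower()


def looks_random(name):
    """Heuristic (this example's own): installer-chosen value names read like words;
    names containing symbol characters or almost no vowels look machine-generated."""
    if any(c in '@#$%' for c in name):
        return True
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c.lower() in 'aeiouy' for c in letters)
    return vowels / len(letters) < 0.2


def triage(entries):
    """Return findings as dicts (section, reason, entry[, exe]) for a parsed log."""
    findings = []
    lsp = Counter()
    for sec, body in entries:
        if sec in ('R0', 'R1') and body.rstrip().endswith('= about:blank'):
            findings.append(dict(section=sec, entry=body,
                                 reason='IE search/start setting redirected to about:blank'))
        elif sec == 'O4':
            m = O4_RE.match(body)
            if not m:
                continue
            exe = exe_name(m.group('cmd'))
            if exe in KNOWN_GOOD:
                continue
            if looks_random(m.group('name')):
                reason = 'autorun value name looks machine-generated'
            elif '\\WINDOWS\\SYSTEM\\' in m.group('cmd').upper():
                reason = 'unknown executable launched from the Windows system directory'
            elif '\\' not in m.group('cmd'):
                reason = 'bare file name resolved through the search path'
            else:
                continue  # full path outside the system directory: research, but not flagged here
            findings.append(dict(section=sec, entry=body, reason=reason, exe=exe))
        elif sec == 'O9' and '(no file)' in body:
            findings.append(dict(section=sec, entry=body,
                                 reason='toolbar button whose target file is missing (orphaned entry)'))
        elif sec == 'O10':
            # One DLL repeated once per protocol slot is a single LSP-chain problem.
            lsp[body.split(': ', 1)[-1].strip().lower()] += 1
    for dll, n in lsp.items():
        findings.append(dict(section='O10', entry=dll,
                             reason=f'unknown Winsock LSP inserted {n} times; repair the LSP chain '
                                    f'with an LSP repair tool, do not just delete the DLL'))
    return findings


if __name__ == '__main__':
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['section']:<4}{f['reason']}\n      {f['entry']}")
```

Run as-is it prints nine findings for the excerpt: the three about:blank redirects, Cby65.exe, exp.exe and DISPHBK.EXE (aim.exe and the Bellsouth loader are left alone), the two orphaned O9 buttons, and one aggregated O10 line. Treat the output as the list of entries to research on Google or the analysis site before clicking Fix Checked, as the first answer advises, not as a verdict.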
Thanx..........Cby65.exe was really throwing me for a loop.


SheharyaarSaahil commented:
:)