Solved

Hijack This Logfile needs analysis

Posted on 2004-11-01
332 Views
Last Modified: 2012-05-05
Here's another machine output from Hijack This.  I have run Spybot, AdAware & Coolwebshredder multiple times.  They each remove some stuff but NOT everything.  Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 11:31:55 AM, on 11/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
O9 - Extra button: (no name) - {11B54677-76F7-440C-B2FD-FEA0A899FA4C} - (no file) (HKCU)
O9 - Extra button: (no name) - {9EBAB537-B6C8-48AC-ADDE-F8078DDD21BE} - (no file) (HKCU)
O9 - Extra button: (no name) - {DE014998-0AE7-4B8E-B70F-949FE48BC1D5} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EAAE55D-AA2C-41B6-B04F-0E869FC84070} - (no file) (HKCU)
O9 - Extra button: (no name) - {CC9F6F78-7005-431D-A898-FAE800EC1DB2} - (no file) (HKCU)
O9 - Extra button: (no name) - {9860DA73-DE35-4583-8272-D5B3CC3B8E69} - (no file) (HKCU)
O9 - Extra button: (no name) - {BE1F3D2E-5FC8-4FE9-BD25-F5DC58DEE60D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C148228F-E0BA-4CD1-9D3E-21E1D6B67E4C} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O13 - WWW. Prefix: http://
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiClasses/Client_IE.cab
Question by:BrettFavre4
    6 Comments
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    Hello BrettFavre4 =)

    Please post your log at this site >> http://www.hijackthis.de/index.php?langselect=english
    and it will automatically analyse it for you. Fix the entries which it labels as Nasty :)
    To fix, check the lines in the HijackThis scan and click on Fix Checked!

    HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

    CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better to first research them on Google, and then, when you have confirmed that they should be deleted, fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of the backups it creates of fixed items. And if you still face problems dealing with it, just analyse your log at the above site, then scroll down to where you will see a Save Analyse button; hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    >> O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll

    and use LSPFix to remove this file >> http://www.spychecker.com/program/lspfix.html
    And then download these tools,

    ========================================================
    AdAware ==> http://www.spychecker.com/program/adaware.html
    SpyBot  ==> http://www.spychecker.com/program/spybot.html
    CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
    Stinger ==> http://vil.nai.com/vil/stinger
    ========================================================

    Turn off your System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
    Then run all of them one by one in safe mode and delete everything they detect.
    Then delete the temporary internet files and history of IE
    and run Disk Cleanup on your hard drive to delete those temp and junk files.
    Restart back in Normal Mode to check for the problems now ?? :)

    Author Comment

    by:BrettFavre4
    I went through and analyzed the output (not to mention reviewed the tutorial).  A couple of questions still exist.

    These should all be fixed/removed?  (not sure, still trying to find answers)

    C:\WINDOWS\RUNDLL32.EXE (HJT says "nasty")
    O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe (HJT says "unknown")
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe (HJT says "unknown")
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe (HJT says "safe")
    O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE (HJT says "unknown")
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl (HJT says "unknown")

    These WILL be deleted/fixed... right?

    O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
    O9 - Extra button: (no name) - {758B952B-3764-4FAC-AAC4-4D6DEF09C8A0} - (no file) (HKCU)
    O9 - Extra button: (no name) - {11B54677-76F7-440C-B2FD-FEA0A899FA4C} - (no file) (HKCU)
    O9 - Extra button: (no name) - {9EBAB537-B6C8-48AC-ADDE-F8078DDD21BE} - (no file) (HKCU)
    O9 - Extra button: (no name) - {DE014998-0AE7-4B8E-B70F-949FE48BC1D5} - (no file) (HKCU)
    O9 - Extra button: (no name) - {8EAAE55D-AA2C-41B6-B04F-0E869FC84070} - (no file) (HKCU)
    O9 - Extra button: (no name) - {CC9F6F78-7005-431D-A898-FAE800EC1DB2} - (no file) (HKCU)
    O9 - Extra button: (no name) - {9860DA73-DE35-4583-8272-D5B3CC3B8E69} - (no file) (HKCU)
    O9 - Extra button: (no name) - {BE1F3D2E-5FC8-4FE9-BD25-F5DC58DEE60D} - (no file) (HKCU)
    O9 - Extra button: (no name) - {C148228F-E0BA-4CD1-9D3E-21E1D6B67E4C} - (no file) (HKCU)
    O13 - WWW. Prefix: http://

    This will be fixed by running LSPFix...
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    LVL 65

    Accepted Solution

    by:
    >> C:\WINDOWS\RUNDLL32.EXE
    No, don't fix it; it's valid when you are using Win98/ME, because in Win2k/XP it runs from C:\Windows\System32 :)

    >> O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe (HJT says "unknown")
    This is the Peper trojan; get its removal tool and run it in safe mode >> http://downloads.subratam.org/PeperFix.exe

    >> O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe (HJT says "unknown")
    Fix it!

    >> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe (HJT says "safe")
    This is valid, leave it >> http://www.liutilities.com/products/wintaskspro/processlibrary/mstask/

    >> O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE (HJT says "unknown")
    Fix it!

    >> O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl (HJT says "unknown")
    This is for AOL, leave it!

    >> These WILL be deleted/fixed... right?
    Yes, fix them all!

    >> This will be fixed by running LSPFix...
    Yes, LSPFix can remove this c:\windows\system\lspak.dll entry from the Winsock settings!

    :)
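    The triage reasoning in the accepted solution, written out as a small script. This is an added example (my code, not part of this thread and not HijackThis code) that parses the O4, O9, O10 and R0/R1 lines in the format HijackThis v1.98 printed above and applies the same rules the answer applied by hand: random-looking Run-key names or unknown images get "review", orphaned O9 buttons with "(no file)" get "fix", the repeated O10 lines for one LSP DLL collapse into a single "lspfix" finding, and search/start values forced to about:blank get "fix". The KNOWN_GOOD list and the embedded SAMPLE_LOG lines are constructed for the example and are assumptions, not a vetted whitelist.

```python
"""Triage helper for a HijackThis (HJT) v1.98 log.

Added example; not part of the original thread and not HijackThis code.
Rules, mirroring the accepted answer:
  O4    random-looking Run-key name or image outside KNOWN_GOOD -> "review"
  O9    button/menu item registered with "(no file)"            -> "fix"
  O10   one LSP DLL listed once per protocol-chain entry         -> "lspfix"
  R0/R1 start/search value forced to about:blank                 -> "fix"
KNOWN_GOOD and SAMPLE_LOG are constructed for this example (assumptions).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: stock Win9x/ME autostart images plus the applications seen in the thread.
KNOWN_GOOD = {"systray.exe", "scanregw.exe", "taskmon.exe", "mstask.exe",
              "statemgr.exe", "aim.exe", "wusb11b.exe", "blsloader.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra .*?: (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+)=\s*(?P<data>.*)$")

# Constructed sample: a subset of the log lines posted in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [25YSWQC2@43#HN] C:\WINDOWS\SYSTEM\Cby65.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [bBqsRWjpl] DISPHBK.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {EDF90934-7FD5-40B4-B8FC-03CFE3E8B52E} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
"""


@dataclass
class Finding:
    section: str  # "O4", "O9", "O10" or "R"
    item: str     # Run-key name, CLSID, DLL path or registry value name
    verdict: str  # "ok", "review", "fix" or "lspfix"
    reason: str


def looks_random(name: str) -> bool:
    """Symbols vendor Run-key names never carry (@, #), or a long vowel-less
    letter run (bBqsRWjpl), point at a machine-generated name."""
    if re.search(r"[^A-Za-z0-9 ._\-]", name):
        return True
    return bool(re.search(r"[A-Za-z]{6,}", name)) and not re.search(r"[aeiouAEIOU]", name)


def image_name(cmd: str) -> str:
    """Lower-cased basename of the executable named in an O4 command line."""
    m = re.search(r'"?([^"]*?\.exe)', cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    lsp = Counter()  # DLL path -> number of O10 lines naming it
    for line in log_text.strip().splitlines():
        if m := O4_RE.match(line):
            name, image = m["name"], image_name(m["cmd"])
            reasons = []
            if looks_random(name):
                reasons.append(f"random-looking key name {name!r}")
            if image not in KNOWN_GOOD:
                reasons.append(f"image {image} not in known-good list")
            findings.append(Finding("O4", name, "review" if reasons else "ok",
                                    "; ".join(reasons) or f"{image} is a known image"))
        elif m := O9_RE.match(line):
            orphan = "(no file)" in m["target"]
            findings.append(Finding("O9", m["clsid"], "fix" if orphan else "ok",
                                    "CLSID registered but its file is gone" if orphan
                                    else f"{m['title']} backed by {m['target']}"))
        elif m := O10_RE.match(line):
            lsp[m["dll"].strip().lower()] += 1  # collapse the per-chain repeats
        elif m := R_RE.match(line):
            hijacked = m["data"].strip().lower() == "about:blank"
            findings.append(Finding("R", m["value"].strip(), "fix" if hijacked else "ok",
                                    "search/start value forced to about:blank" if hijacked
                                    else f"points at {m['data']}; confirm with the user"))
    for dll, n in lsp.items():
        findings.append(Finding("O10", dll, "lspfix",
                                f"chained into {n} Winsock protocol entries; deleting the "
                                "DLL without repairing the chain can break networking"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.verdict:<8}{f.item:<40}{f.reason}")
```

    Run it as a script to see one verdict per entry for the sample lines. Two caveats: the "ok" verdict for a Run entry only means the image basename is on a list you trust, so on a real machine you would also check that the file exists at that path and compare its hash; and the O10 finding is deliberately not "fix", because the same DLL sits in every protocol-chain entry and has to be unhooked with an LSP repair tool, which is exactly why the answer points at LSPFix rather than HJT's Fix Checked.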

    Author Comment

    by:BrettFavre4
    Thanks. Cby65.exe was really throwing me for a loop.

    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    :)