Member Avatar for ajelliott

I was wondering if you would be willing to share the tools you use to interpret the HijackThis logs? I have the Task List from www.answeresthatwork.com and it great to see what’s running, but how is it that you know the names of all the processes out there and the right ones to delete using the HJT tool? You must have some kind of list that is undated daily.

For Example, I was advised to remove this line using the HJT tool:
O2 - BHO: (no name) - {221E8D90-C439-4297-B84A-EA3291D7CB1A} - C:\WINNT\system32\ebnel.dll (file missing)

What about this line gives you the clues? No name, ebnel.dll, or “file missing?

  • 3 Contributors
  • 17 Replies
  • 352 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by caperjack
Member Avatar for caperjack

just a couple of things I use or do ,google search for a lot of the bad DLL's
I use BHOList.exe to search this and its also searche for bad Toolbars#221E8D90-C439-4297-B84A-EA3291D7CB1A
you can get it here .http://www.sysinfo.org/bhoinfo.html

If you have CWShredder install on you computer ,create a shortcut to it on you sesktop ,right click it and go to properties.in the target line add this , /debug not there is a space between whats there and the /,
now when you click on the short cut you created you use shredder as a tool to search CWS ,like this .R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=138308.From that line you copy and past this into the shredder tool.
couldnotfind.com ,and it will tell you if is or isn't CWS.

you can also search for the bad 016's ,in SpywareBlaster if you have it installed on you computer .that program can be found in my signature in How i Got Infected In the first place .just open Spywareblaster and click on /internet explorer along the top and then right click on one of the idems in the list and click search .

I use this site for Hijackthis tutoral.
http://www.spywareinfo.com/~merijn/htlogtutorial.html

and this one for good and bad LPS's=010's in the log
http://www.angeltowns.com/members/zupe/lsps.html

and this one to search 017's IP addresses.
http://www.arin.net/whois/

I use canned speaches for my posts with all the links to the programs for the person to use on the affected computer.i got these speaches from the experts at the Spywareinfo.com ,i joined up for the bootcamp to learn how to read logs .I should spend more time there actuall to learn more,so I could be a better help with the hard logs .

Member Avatar for ajelliott

If you have CWShredder install on you computer ,create a shortcut to it on you sesktop ,right click it and go to properties.in the target line add this , /debug not there is a space between whats there and the /,
now when you click on the short cut you created you use shredder as a tool to search CWS ,like this .R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_..._id=138308.From that line you copy and past this into the shredder tool.
couldnotfind.com ,and it will tell you if is or isn't CWS.

Member Avatar for ajelliott

I tried this and it worked as far as to bring up a different aspect of CWShreadder. I can see where to past the line but there is no button to execute the search.

It looks like this:
[IMG][IMG]C:\cwshreader.jpg[/img][/IMG]

Member Avatar for ajelliott

:o Ok I made a screen shot of the CWShreader using the " ,/debug not " switch, but I don’t know how to imbed it into this reply.

Help.... anyone?

Member Avatar for caperjack

I tried this and it worked as far as to bring up a different aspect of CWShreadder. I can see where to past the line but there is no button to execute the search.

It looks like this:
[IMG][IMG]C:\cwshreader.jpg[/img][/IMG]

There is no search button it will just say YES or NO.
when you are checking a CWS,you don't put in the HTTP//www.
just this part .[couldnotfind.com] and the NO will change to a Yes

Member Avatar for ajelliott

There is no search button it will just say YES or NO.
when you are checking a CWS,you don't put in the HTTP//www.
just this part .[couldnotfind.com] and the NO will change to a Yes

I will try this when I get home. Working at my sister's house today trying to fix her kid's computer.... :(

Yuck what a mess! Even the keys in the keyboard stick together.

Member Avatar for caperjack

Hey, thankx for the suggestion...

Is there any tutorials that explains this link and how to use it?

Just copy paste the suspected CWS into the search ,to check it to see if your suspected is a CWS variant .

Member Avatar for crunchie

LSP is what caperjack meant. This type of software is known as a Layered Service Provider or LSP, a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet.

Member Avatar for caperjack

Sorry, that my Dyslexia,Acting up !

Member Avatar for crunchie

Isn't that spelt: DsYelxia?

Member Avatar for ajelliott

I appreciate very much the support you all provide to us home users. I find this very interesting and want to learn to interpret the logs to help others fix their computers too.

It’s a bit scary, because I don’t want to make a check on an item that needs to be there. As well, I don’t want to leave something that needs to be fixed.

It will take time before I trust myself to interpret the logs on my own. Until then it seems every few days I hear of another person in my community having problems with these same issues. I wonder what’s going on... has the virus pushers found new ways to bypass Norton and other antivirus programs, or has all this been around since the beginning, and I’ve only become aware of it recently?

I am just like anyone else feeling secure with my Norton updates and Ad-aware. But I found so much crapware running on my two home systems and one I thought was completely clean. It seems that if I run CWShreadder on any computer I will find a Trojan even if the owner has been following all the basic known precautions. It’s obviously not enough anymore. Maybe with all the spyware detecting programs becoming more of a routine the crapware pushers are finding more cleaver ways of polluting our systems. I don’t know.

Member Avatar for crunchie

I believe the main culprit to be the Microsoft system. It's so full of holes it's a wonder that what's in there doesn't fall out!!

Member Avatar for ajelliott

While on the subject of learning I have another question...
Its related to the first so I dont think it should be a new thread.

When you look at the HJT log, what is it that we're looking at? It not a task list; is it a portion of the registry of running processes? What word or terminology would you use to describe the contents of the log file?

Okay so that's 3 questions.....

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.