How do I learn to read the hijack logs?

[viking12344]

Any websites or anything helpfull would be appreciated. Thanks!

[dammit]

Hi buddy...first...stick around here and read a lot...you may recognise certain things that occur regularly...and can pick them out.
It's not easy to read logs...spyware changes almost daily....so new tools are developed for getting rid of this nightmare by folks far cleverer than us. I reckon these days 90% of puter problems are due to this intrusion of privacy ...or even more...

i dont want to point you in the direction of learning how at the moment...because a little knowledge in this case is a dangerous thing....when you have been around a while....well thats different

[AnnMarie]

dammit is correct viking 12344. It takes time and willingness to research to learn to read a log correctly and what many people do not realise is that when an entry is "fixed" in a Hijack This log, a registry key or value is actually being deleted.

This site will help you gain a greater understanding of Hijack This logs and what each code in a log refers to.

[putasolutions]

Quote:

when you have been around a while....well thats different

ooops sorry

[Acrobaze]

Good morning!


Another question to be sure:

when we find this, by exemple:
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL

then, we check and fix.

Are we sure that BHO001.DLL is deleted?

Thank you for your answer.

[AnnMarie]

Hi Acrobaze - Hijack This does usually delete the file associated with a BHO however, it does not in the instance of the CWSSearchx (About:Blank) hijacker. That file has to be deleted manually.

[Acrobaze]

Thank you very much, AnnMarie.

[AnnMarie]

You are welcome Acrobaze

[Acrobaze]

Good morning!

I just see a thing I'd never sawn :

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s

I search in Google...but nothing! I don't understand what is this " +s ".

You know what it is ?

Thank you for your answer.

[dammit]

Hi buddy....best thing is to post a fresh log then someone can check it out for you

[Acrobaze]

Hi Damnit! Thank you to answer me !


Here is the log I don't understand :

Logfile of HijackThis v1.97.7
Scan saved at 22:04:00, on 25/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Program Files\RamBooster\Rambooster.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Apps\ActivBoard\OSD.exe
C:\Planetis\Planetis.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CLEMENT.SNCD08200284\Mes documents\les setup\HijackThis ( contre 1 trojan ).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat....d=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetis.com/net@tous
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat....d=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [CTBPlanetisEDF] C:\Planetis\Planetis.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr...eleir_cert.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...wflash5r42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26F1B73-0994-4A0C-B960-543002BB4DC7}: NameServer = 212.27.32.176 212.27.39.1

I don't know what are these "+".

[Meangean]

i believe there is a sticky in cyber saftery forum on how to read em or somewhere

i forgot

there is a site

just search for "how to read hijack this logs"

or something


also i would use google to search up all the .exes and files to see if they are windows files or trojans, viruses or bad stuff

ex: search for sajdfk.exe

its not a real file but if u search for it look on sites and see what they have to say abou that file

[dammit]

Hi again....Close all open windows...run hijack again and put a check in the boxes for the below entries..then hit "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat...id=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetis.com/net@tous
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat...id=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

Reboot into Safe Mode.....( tap F8 key during booting, until the boot menu appears...)

Make sure you can see Hidden files and Folders... here is how if you don't know.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Go to start>search>files and folders and run a search for and delete the following files and/or folders when/if found.
Also ctrl>alt>del to bring up task manager..and end process on the below if running.

keyword.exe
manage.exe

[hashashanur]

I am new to this and without much computer knowledge.
I have managed to get my log by following the instructions
I've seen in the Forum.
Can I post it here? Will someone tell me what to do next?
If the answers to the above questions are "Yes", where is
the "New Thread" icon that is said to be in the upper right
corner of the page? I don't see it.
Any info appreciated....
Thanks... ?????

[tb525]

Hi hashashanur, Welcome to CTH..
Yes, post your HijackThis log in a new thread.. Click this link http://www.cybertechhelp.com/forums/...splay.php?f=25 and then click the 'New Topic' button in the upper left...