# *----->HijackThis Tutorial<-----*



## brendandonhu (Jul 8, 2002)

Nearly 2,000 HijackThis logs have been posted to TSG, mostly by people looking for help with spyware/browser jacking problems. I have written a tutorial on identifying which items in HijackThis are malicious, so please read the tutorial and help out in the security forum.
The tutorial is about 5 pages long, but you can do it :up: lol.
http://hjt.wizardsofwebsites.com

Note: This is a tutorial for techies on how to examine HJT logs; if you are looking for information on running HijackThis and posting your log, see this tutorial.
http://www.tomcoyote.org/hjt/

Please post suggestions, corrections, feedback, and questions.


----------



## Flrman1 (Jul 26, 2002)

Very good brendandonhu! :up:


----------



## brendandonhu (Jul 8, 2002)

Thanks  
Hope it helps.


----------



## dvk01 (Dec 14, 2002)

http://www.spywareinfo.com/~merijn/htlogtutorial.html

And where you mention RapidBlaster: all current versions have lptt01 in the name. That is the only constant thing, as the actual .exe name can vary tremendously.


----------



## aineo (May 3, 2003)

Thanks a lot for the links. I have been wanting to learn more about this program, but have not put the effort forward to learn it myself. This should save some effort and research on my part. I appreciate it.


----------



## brendandonhu (Jul 8, 2002)

Yesterday I uploaded an old version of the tutorial over the latest, so I lost about 5 Advanced Descriptions. I have now added a couple back in. dvk01, what exactly do I need to change about the RapidBlaster part?


----------



## dvk01 (Dec 14, 2002)

Check Tony's post about RapidBlaster here:

http://forums.techguy.org/t138563/s.html

It's pretty safe to say that anything with lptt01 in the name is RapidBlaster.


----------



## brendandonhu (Jul 8, 2002)

Added a few more of the advanced descriptions.
BTW, those advanced descriptions are not by me; they are out of HijackThis itself. But it's kinda hard to get some of them, as I can't find them online; I had to mess with the registry/install CommonName/New.net to recreate them.


----------



## chalky (Oct 8, 2001)

Thanks for the tutorials, Brendan....with enough concentration I hope I can eventually work out the logs......:up:

Now a question.....

When looking at a Hijack log and not knowing what website..... for example......http:// rest of address.....is... and what may have been downloaded from that site, I have previously tried to go to the site to find out... only to be told on the page that opens that I do not have permission to enter the site, and similar messages...so I've been unable to find out why some addresses are in the log...

Now does this mean that those entries are *iffy* ones and should be *fixed*, or is there a reason for not being allowed in...


----------



## brendandonhu (Jul 8, 2002)

I wouldn't necessarily say they are iffy (although I have never had that happen); remember, you can ask the user if they use that site. If not, fix it.


----------



## Alfie_UK (Mar 28, 2003)

Just added your link, Brenda, to my favourites folder; now hopefully I can start to check out my own hijack logs :up:


----------



## jarlin (Apr 14, 2003)

Thank you very much for this; it will be a great tool for me to use.


Thank you


----------



## brendandonhu (Jul 8, 2002)

Cool, thanks.
BTW, it's Brendan.


----------



## brendandonhu (Jul 8, 2002)

Thanks to Candy for pinning it.


----------



## GoJoAGoGo (Dec 26, 2002)

Thanks for the link ... :up:


----------



## starman2002 (Jul 11, 2003)

Thanks for the info, Brendan; it's much appreciated.


----------



## bonlu (Jul 20, 2003)

Thank you so much for the HijackThis tutorial! It was extremely helpful and I enjoyed taking MY computer back (so to speak). Would a firewall (I have cable connection) protect me from future attacks? I'm thinking about purchasing one from my online VS provider (McAfee). Any thoughts on this?

Thanks again,
Bonnie


----------



## GoJoAGoGo (Dec 26, 2002)

Hi bonlu:

Welcome to TSG. There are very excellent freeware firewalls available. Here are a few which are very popular:

http://download.com.com/3000-2092-10184369.html

http://download.com.com/3000-2092-10211820.html

http://download.com.com/3000-2092-9032150.html


----------



## bonlu (Jul 20, 2003)

Thanks GoJo!


----------



## brendandonhu (Jul 8, 2002)

Very welcome starman and bonlu.
Yes, you can just use one of the free firewalls that GoJoAGoGo listed. It is important for all computers to have a firewall, but for spyware prevention, look up Spyware Blaster and Spybot Search & Destroy (it has an Immunization feature).


----------



## bonlu (Jul 20, 2003)

Thanks Brendan! You're the best!


----------



## putasolution (Mar 20, 2003)

Looks like the start of a whole new industry between you, Brendan, and Tony Klein

Now all we have to do is a tutorial on how to stop people from installing all the spyware in the first place


----------



## brendandonhu (Jul 8, 2002)

^^Done
Run Spybot, click Immunize. Download Spyware Blaster. Raise IE security settings. Get a firewall. Check if software contains spyware before downloading.

There, you're done and spyware-protected (mostly).


----------



## putasolution (Mar 20, 2003)

Suggest that one updates the Spybot definitions before immunisation for maximum protection: using *Update*, search for updates.


----------



## amthmi (Mar 23, 2002)

Very nicely done!
I now have a better understanding of the log.
I've been reading a lot of the HijackThis posts but refrained from advising
people on what to remove because of my lack of comprehension of the logs.
I've been creating a log of known entries that needed to be fixed for studying.
Now with what you created, it's all making more sense to me.
Thanks.....


----------



## Alfie_UK (Mar 28, 2003)

> _Originally posted by brendandonhu:_
> *Cool, thanks.
> BTW, it's Brendan.*


Hi Brendan, all I can say on behalf of my defence for misspelling your name is: I can only type with one finger, and I look at the monitor, back to the keyboard, back to the monitor and back to the keyboard; pretty soon I'm cross-eyed. Hope you accept this apology.

P.S. Just put pointed hat on, and gone and stood in the corner.


----------



## amthmi (Mar 23, 2002)

I took a look at the sample hijack log you referenced at the web site.
I only saw one entry that should be fixed.
This one:
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

Would I be correct in my assumption?
Everything else looks legit.


----------



## bonlu (Jul 20, 2003)

Thanks Amthmi!


----------



## GoJoAGoGo (Dec 26, 2002)

bonlu:

You're welcome. Hope things are working out for you.


----------



## bonlu (Jul 20, 2003)

GoJo,

I downloaded Zone Alert and so far everything is great. Thank you so much for the info. I've been managing a retail website through a cable-connection for a long time so my need for a firewall is long past due. 

Thanks again!
Bonnie


----------



## amthmi (Mar 23, 2002)

I'm not sure what I'm getting thanked for.
I posed a question on the log entry.

Oh well, back to why I'm posting again.
brendandonhu, on the site you have "Advanced Info"; nice little feature.
On these:
O10 - Breaking of Internet access by New.Net or WebHancer
O13 - Hijack of default URL prefixes

the Advanced Info doesn't work.


----------



## bonlu (Jul 20, 2003)

Oh, sorry amthmi. I thought you were referring to my log, which had that same log entry you wrote about... But I now see that you were referring to a "Sample" entry.


----------



## brendandonhu (Jul 8, 2002)

Amthmi, yes, that toolbar should be fixed, and those advanced descriptions are being fixed.


----------



## jackal969k (Mar 16, 2003)

Thanks Brendan! Very informative tutorial. I, like others I suppose, am interested in learning about things such as this and helping other people as we ourselves have been helped. I will try to put this information to good use with guidance from the more knowledgeable people who frequent TSG. Thanks again!

George


----------



## brendandonhu (Jul 8, 2002)

Glad to have such good response to it :up:


----------



## Backspace (May 23, 2003)

HEY EVERYONE!

Can you believe this guy *brendandonhu*?????

What the Future Must Hold for this *BRILLIANT YOUNG LAD!!!*

THANKS SO MUCH BRENDAN !!! 

:up: *X2*


----------



## bonlu (Jul 20, 2003)

HERE, HERE, Backspace! I second that! My 13 year old froze when I told her about him!!


----------



## Backspace (May 23, 2003)

Maybe he came over on Starship Enterprise!!!!!


----------



## brendandonhu (Jul 8, 2002)

*blushing


----------



## BillC (May 29, 2003)

Hey Brendan,

Thank you for the time and effort you put into this great informative tool. I've been trying to learn the good, bad, and ugly about HJT logs from reading post after post after post. You have helped shorten the learning curve for me.

Good work my young friend. Ever thought about going to Georgia Tech's Computer Sciences school?

BillC


----------



## brendandonhu (Jul 8, 2002)

Very welcome :up:

It's summer; not thinking about school now.


----------



## NiteHawk (Mar 9, 2003)

> _Originally posted by BillC:_
> *Hey Brendan,
> 
> Good work my young friend. Ever thought about going to Georgia Tech's Computer Sciences school?
> ...


As a student or an instructor??


----------



## NiteHawk (Mar 9, 2003)

First off, let me say that that is a GREAT document/web page. Thank you, Brendan, for doing all the research and pulling it all together. It will be a great help to all of us in helping others.

When I first decided to learn how to read and interpret the HijackThis log files I used a method similar to what is suggested in the tutorial.

I would cut and paste the log into MS Word and then BOLD everything I thought was bad. Items that I was unsure of and had to research were highlighted in yellow.

I would work with two Google search windows open and a third one for pacs-portal. I didn't know about Tony's list of BHOs and toolbar lists then. Slowly the yellow highlighted items would either be deleted because they were good, or changed to bold because they were bad. OR noted as unknown if nothing showed up on Google.

Once I had my list I would either scroll down farther in the thread or save the list and wait until Tony Klein, Rollin Rog, or one of the other knowledgeable security experts made their comments and suggestions, and then compare my list against theirs. I wasn't always right; I totally missed some, and others that were good I had noted as bad. But it was a learning curve. As my lists became more and more accurate I reached a point where I felt that I could also post and give advice to the users.

Still, when in doubt, I would rather pass over something unknown and hope that one of the BIG GUNS would pick up on it rather than have someone remove something that was good.


----------



## twizzle34 (Jul 25, 2003)

I don't understand the HJT tutorial, so I'll tell you my log results.

they are:
```
Logfile of HijackThis v1.95.1
Scan saved at 11:35:32 PM, on 7/24/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Eric Weisbrot\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37776.5534953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
```

please get back to me as soon as possible


----------



## shortnpretty (Mar 2, 2003)

Hey Brendan......very good info you threw together here. I had a few of the info pages you referred to from Tony's site, etc., but never really put things together like you did. I've been checking the posts and practicing on the HJT logs as if I were going to help the folks and then compared them to the real tech's answers. I'm getting pretty good, but I didn't want to step on toes and try to help, especially if I were to give wrong advice. Should I get very comfy practicing, dare I try to help? I definitely want to help more. I feel useless arguing with the leftists in Random and feel I could contribute more? Your opinion? Can a person help without stepping on toes in technicals?


----------



## NiteHawk (Mar 9, 2003)

When you feel you are ready, jump in!! To my way of thinking, an extra pair of eyes never hurts. 
As for stepping on toes, I really don't think that's an issue for most of us. After all, we are all here to help. We all have different experience and hence knowledge levels. The beauty of it is, what one person doesn't know, another one does. In the end, the person with the problem gets the help they came for and a healthy PC.


----------



## shortnpretty (Mar 2, 2003)

Thanks for the encouragement NiteHawk


----------



## holland76 (Jul 19, 2003)

I tried to fix my problem with HJT, scanning then fixing by using the notes provided, but I still have a hijacked browser. I hope I am in the right place to attach my current HJT log, and of course would appreciate some help. Thanks.


----------



## TonyKlein (Aug 26, 2001)

Holland76,

Please go to http://forums.techguy.org/forumdisplay.php?s=&forumid=54 , and launch a new topic, explaining your problem, and showing us a Hijack This log.

We'll be happy to advise.


----------



## TechOpie (Jul 28, 2003)

Here is my Hijack Log....Please let me know which ones to delete...

```
Logfile of HijackThis v1.95.1
Scan saved at 10:43:20 AM, on 07/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\John Johnston\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - c:\windows\iexplorr23.dll
O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - c:\windows\iexplorr24.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
```

Thanks in advance.

Opie


----------



## TonyKlein (Aug 26, 2001)

Why oh why don't people start a new thread to ask their question, instead of adding to this one all the time...

Very well!

In HijackThis, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

```
O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - c:\windows\iexplorr23.dll
O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - c:\windows\iexplorr24.dll

O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - 
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - 
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
```

Now *restart* your computer, and delete the C:\WINDOWS\System32\winpup32.exe file itself.

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.


----------



## shortnpretty (Mar 2, 2003)

LOL Tony........I think it's because they are like me. They are clueless and are very grateful for techies like you to guide us....


----------



## TonyKlein (Aug 26, 2001)

Wow! I'll remember to be kind, then!


----------



## shortnpretty (Mar 2, 2003)

hehehehehe......as if you aren't.


----------



## NiteHawk (Mar 9, 2003)

> _Originally posted by TonyKlein:_
> *Why oh why don't people start a new thread to ask their question, instead of adding to this one all the time...
> 
> *


Aaaah, if we only knew the answer to that....
Then maybe we could concentrate on the deeper issues, like the meaning of life. Or at least how to keep our computers clean and running error free.


----------



## shortnpretty (Mar 2, 2003)

> _Originally posted by NiteHawk:_
> *Aaaah, if we only knew the answer to that....
> Then maybe we could concentrate on the deeper issues, like the meaning of life. Or at least how to keep our computers clean and running error free. *


Well the issues in regards to the meaning of life might be found in Random... 

As for clean computers and running error free, well you techies here get my vote for the war on these issues...


----------



## TonyKlein (Aug 26, 2001)

I'll be more than happy to answer any questions you might have regarding the meaning of life as well...


----------



## Alfie_UK (Mar 28, 2003)

> _Originally posted by shortnpretty:_
> * Can a person help without stepping on toes in technicals? *


Hi SnP,
As for your original question, this is what Brendan wrote in his opening post: "I have written a tutorial on identifying which items in HijackThis are malicious, so please read the tutorial and help out in the security forum". So it looks like your input would be welcomed.

I've been doing the same as you, learning as much as I can, writing down Brendan's and Tony's info/advice in my little black book and reading it over and over again, and boy is there some info to absorb, or try to absorb. So you never know, you might see both of us answering HJT log posts in the future, in my case the far future.


----------



## shortnpretty (Mar 2, 2003)

> _Originally posted by Alfie_UK:_
> *Hi SnP,
> As for your original question, this is what Brendan wrote in his opening post: "I have written a tutorial on identifying which items in HijackThis are malicious, so please read the tutorial and help out in the security forum". So it looks like your input would be welcomed.
> 
> I've been doing the same as you, learning as much as I can, writing down Brendan's and Tony's info/advice in my little black book and reading it over and over again, and boy is there some info to absorb, or try to absorb. So you never know, you might see both of us answering HJT log posts in the future, in my case the far future.*


Hiya Alfie_UK,

Hehehehee....you definitely got that right about absorbing info!! What I meant by stepping on toes, really, is I don't want to do more harm than good here. Techies have an enormous job to do here and I don't want to hurt that in any way.

Brendan mentions specifically that the tutorial is for "techies". Sadly, I am not a techie, but just a lost journalist, wandering around in RANDOM....lol That being said, I most definitely will look forward to seeing our (mine and your) answers regarding HJT log posts in the future!


----------



## NiteHawk (Mar 9, 2003)

> _Originally posted by TonyKlein:_
> *I'll be more than happy to answer any questions you might have regarding the meaning of life as well...
> 
> 
> ...


Hahaha. Tony, I should have known..... What can I say? You're just an all around great (tech) guy!!


----------



## Alfie_UK (Mar 28, 2003)

> _Originally posted by shortnpretty:_
> *
> I don't want to do more harm than good here. Techies have an enormous job to do here and I don't want to hurt that in any way.
> *


I understand and agree with you. What's the saying, "Too many cooks spoil the broth", or words to that effect.



> *
> but just a lost journalist, wandering around in RANDOM *


I've got an A-Z road map you can have.


----------



## Backspace (May 23, 2003)

Are they burning elephant snouts in that picture? Just curious


----------



## jnibori (Jul 21, 2002)

I've been looking for some help with identifying the nasties in the HJT logs. I have been unable to decipher exactly what I should be looking for by reading the posted logs, then watching the responses. At this point it is still all "Greek" to me.

What you have written will help very much.

brendandonhu,
*A sincere thanks !!!*

jnibori


----------



## shortnpretty (Mar 2, 2003)

> _Originally posted by Alfie_UK:_
> *I understand and agree with you. What's the saying, "Too many cooks spoil the broth", or words to that effect.
> 
> I've got an A-Z road map you can have.  *


A-Z road map???? Cool!!!  lmsao


----------



## jsoenens (Aug 7, 2003)

Thank you very much for the tomcoyote page. It will be of great use once I install HijackThis. I can't because I have this DLL missing and I have no clue what it's about. Wonder if you knew.

Thank you

Janine


----------



## brendandonhu (Jul 8, 2002)

Which DLL is it?


----------



## shortnpretty (Mar 2, 2003)

lol bren.......I bet it's MSVBUM60.DLL in the subject line of the post....


----------



## brendandonhu (Jul 8, 2002)

oops.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q290887


----------



## somak_de (Dec 1, 2002)

Thank you very much, Brendan, for this nice tutorial. After reading this I've checked my HJT log and found the following items looking bad.

```
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.fastwebfinder.com/iesearch.html/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.fastwebfinder.com/iesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.fastwebfinder.com/iesearch.html/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.zdnetindia.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.fastwebfinder.com/iesearch.html/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D Player) - file://C:\WINDOWS\TEMP\IEInstall\cult.cab
```

I use Download Accelerator Plus for downloads. Is this spyware?
And what are "musicnote" and "fastwebfinder"?

*** Some of you may say that I should start a new thread... I did not, because I would like to figure out the problems by myself, so I just posted the items which look bad to me.


----------



## brendandonhu (Jul 8, 2002)

I have heard that DAP is spyware, but from what I have seen I think it just has ads. I'm not sure though.
This entry is fine if you're using zdnetindia.com as your home page:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.zdnetindia.com

This should be fixed unless you are using a proxy server, such as Proxomitron:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080

These 2 are harmless:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O9 - Extra button: Related (HKLM)

FastWebFinder is spyware; MusicNote, I'm not sure. You can fix that entry if you think it might be bad, or leave it alone.


----------



## somak_de (Dec 1, 2002)

> This entry is fine if your using zdnetindia.com as your home page


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.zdnetindia.com

I don't use this as my homepage. I've visited this site and it's a well-known site in India.

Thanks for the help:up:


----------



## bassetman (Jun 7, 2001)

B, would SearchAssistant=about:blank
be a baddie if I have no idea where it came from?


----------



## brendandonhu (Jul 8, 2002)

Not necessarily a baddie, but it should be fixed. R0 and R1 entries with no value or about:blank are usually a sign that Spybot/AdAware fixed them, but no new value has been assigned yet. HJT will set the default value for them.
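The rules of thumb scattered through this thread (dvk01's "lptt01 in the name means RapidBlaster", brendandonhu's entry-by-entry reading of somak_de's log, and the about:blank answer just above) can be written down as a small triage script. The following is an added example for illustration only; it is not code from the thread, from brendandonhu's tutorial or from HijackThis itself. The sample log is constructed from entries posted in this thread, and the `rb32 lptt01.exe` file name in it is made up to exercise the lptt01 rule (the thread says only that the name varies). Anything the rules do not cover is reported as unknown, which is also the thread's own advice: research it, or leave it for more experienced eyes, rather than guess.

```python
"""Added example (not from the thread or from HijackThis): a triage helper
that applies this thread's rules of thumb to the R0/R1/Ox lines of a
HijackThis log and gives each entry a verdict.

Rules encoded, all taken from the thread:
  - R0/R1 with an empty value or about:blank: leftover of an earlier
    Spybot/Ad-Aware fix, reset to the default (brendandonhu).
  - R1 ProxyServer=localhost:...: fix unless the user knowingly runs a
    local proxy such as Proxomitron (brendandonhu).
  - Any other R0/R1 URL: ask the user whether the site is theirs.
  - O3 toolbar with "(no file)": orphaned entry, fix (amthmi/brendandonhu).
  - "lptt01" anywhere in the name: RapidBlaster (dvk01).
  - The &Radio toolbar and the "Related" button: harmless (brendandonhu).
Everything else is "unknown": research before fixing.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# GUIDs the thread vouches for as harmless (lower-cased for matching).
KNOWN_GOOD = {
    "{8e718888-423f-11d2-876e-00a0c9082467}": "IE Radio toolbar (msdxm.ocx)",
}


@dataclass
class Finding:
    section: str   # R0, R1, O2, O3, ...
    line: str      # the log line as given
    verdict: str   # "fix", "ok", "ask user" or "unknown"
    reason: str


def classify(line: str, uses_local_proxy: bool = False) -> Optional[Finding]:
    """Apply the thread's rules to one log line; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, "Running processes" paths, blank lines
    section, body = m.group(1), m.group(2)
    lower = body.lower()

    if "lptt01" in lower:
        return Finding(section, line, "fix", "lptt01 in the name: RapidBlaster")

    if section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value == "" or value.lower() == "about:blank":
            return Finding(section, line, "fix",
                           "empty/about:blank value: reset to default")
        if "proxyserver" in lower and value.lower().startswith("localhost"):
            if uses_local_proxy:
                return Finding(section, line, "ok", "local proxy in use")
            return Finding(section, line, "fix",
                           "ProxyServer=localhost with no local proxy in use")
        return Finding(section, line, "ask user",
                       "URL set: confirm with the user that it is theirs")

    if section == "O3" and "(no file)" in lower:
        return Finding(section, line, "fix", "toolbar with no file: orphaned entry")

    for guid, name in KNOWN_GOOD.items():
        if guid in lower:
            return Finding(section, line, "ok", name)
    if section == "O9" and "related" in lower:
        return Finding(section, line, "ok", "IE Related Links button")

    return Finding(section, line, "unknown", "research before fixing")


def triage(log_text: str, uses_local_proxy: bool = False) -> List[Finding]:
    """Classify every entry line of a log, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line, uses_local_proxy)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count verdicts, e.g. {"fix": 4, "ok": 2, ...}."""
    return dict(Counter(f.verdict for f in findings))


# Constructed sample: entries taken from logs posted in this thread, plus one
# hypothetical RapidBlaster O4 line (file name made up; only lptt01 matters).
SAMPLE_LOG = r"""Logfile of HijackThis v1.95.1 (constructed sample)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=localhost:8080
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [rb32 lptt01] C:\WINDOWS\rb32 lptt01.exe
O9 - Extra button: Related (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:8} {f.section:3} {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running it prints one verdict per entry and a count per verdict; the `uses_local_proxy` flag is where the answer to "are you using a proxy server such as Proxomitron?" goes, which flips the localhost ProxyServer line from fix to ok. The script deliberately has no "bad" list of its own beyond what this thread states, so a real log will mostly come back as unknown or ask user; that is the point, since the thread's consistent advice is to research an entry before telling someone to fix it.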


----------



## bassetman (Jun 7, 2001)

Can you tell me if I have any other problems in startup, please?

```
StartupList report, 08/10/2003, 2:06:29 PM
StartupList version: 1.51
Started from : C:\STARTUP LIST\STARTUPLIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\XL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\STARTUP LIST\STARTUPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CookieWall = C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SchedulingAgent = mstask.exe

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/8/2003, 1:41:50)

[Rename]
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H5 P330  T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37612.4500231482

[AV Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PAV.DLL
CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

[Seagate SeaTools English Online]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NPSEATOOLS_EN.DLL
CODEBASE = http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab

--------------------------------------------------
End of report, 6,044 bytes
Report generated in 0.270 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
```


----------



## brendandonhu (Jul 8, 2002)

All I see is a doubleclick cookie
C:\WINDOWS\WININIT.BAK listing:
(Created 9/8/2003, 1:41:50)

[Rename]
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt

I would think clearing cookies would remove that.


----------



## bassetman (Jun 7, 2001)

Thanks!


----------



## sammalhabe (Aug 12, 2003)

What has happened to the webpage *http://www.spywareinfo.com*?

I wanted to get to Tony Klein's BHO list but the server was unavailable? Is it temporary?


----------



## brendandonhu (Jul 8, 2002)

It's working for me.


----------



## sammalhabe (Aug 12, 2003)

It was OK for me too now. But yesterday, for some time at least, it was inaccessible.


----------



## wolfal (Apr 3, 2003)

Thanks for the tutorials on hjt....


----------



## marynia (Aug 20, 2003)

I am going to look at the tutorial but I am a layman here, or laywoman rather. I would be very grateful if anyone could have a look at my HijackThis log and suggest which files to delete. Thanks.

Logfile of HijackThis v1.96.1
Scan saved at 10:19:51, on 2003-08-20
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\System32\internat.exe
C:\downloads\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37817.5342708333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Guest (Aug 20, 2003)

Do you know what all of these DAP references are, such as DAPIEBar.dll ?

I have seen them listed on a German site as possibly being spyware.


----------



## brendandonhu (Jul 8, 2002)

DAP is Download Accelerator Plus. Some people call it spyware, some don't. I'm not completely sure anymore.
Other than that the log looks clean :up:


----------
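Reading the log above by hand means scanning for the O2/O3/O4/O8/O16 lines and noting which of them point at the same product (here, everything under C:\Program Files\DAP). The following is an added example, not code from the thread, from the tutorial or from HijackThis itself: a small parser for the line shapes that appear in marynia's v1.96.1 log, plus helpers that group the entries by the program they reference and list the hosts that O16 (Downloaded Program Files) entries were fetched from. The sample input is a handful of lines copied from that log; the function and pattern names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis v1.96.1 log posted above.
# Non-entry lines (header, process list) are included to show they are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.96.1
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# One regex per line shape seen in the log; every pattern yields a "target"
# group (the file, command or URL the entry points at). The last pattern is a
# catch-all for any other "Oxx - ..." line so nothing is silently dropped.
PATTERNS = [
    # O2 - BHO: <name> - {CLSID} - <dll>   /   O3 - Toolbar: <name> - {CLSID} - <dll>
    re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    # O4 - HKLM\..\Run: [<value name>] <command>   /   O4 - Global Startup: <lnk> = <path>
    re.compile(r"^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$"),
    # O8 - Extra context menu item: <menu text> - <htm>
    re.compile(r"^O8 - Extra context menu item: (?P<name>.*?) - (?P<target>.*)$"),
    # O16 - DPF: {CLSID} (<name>) - <codebase url>
    re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<target>.*)$"),
    # Anything else in the R/F/N/O families: keep the raw remainder as target.
    re.compile(r"^(?:[FNOR]\d+) - (?P<target>.*)$"),
]


def parse_entry(line):
    """Return a dict for one HijackThis entry line, or None for non-entry lines."""
    line = line.strip()
    for pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            groups = m.groupdict()
            return {
                "section": line.split(" - ", 1)[0],   # e.g. "O4"
                "name": groups.get("name"),
                "clsid": groups.get("clsid"),
                "target": groups["target"],
                "raw": line,
            }
    return None


def parse_log(text):
    """Parse a whole log, skipping header and process-list lines."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def entries_mentioning(entries, needle):
    """Entries whose raw line contains needle (case-insensitive), e.g. 'DAP'."""
    n = needle.lower()
    return [e for e in entries if n in e["raw"].lower()]


def o16_hosts(entries):
    """Distinct hosts that O16 ActiveX controls were downloaded from."""
    return sorted({urlparse(e["target"]).hostname for e in entries if e["section"] == "O16"})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e["section"], e["name"], e["clsid"], e["target"], sep=" | ")
    print("DAP-related entries:", len(entries_mentioning(entries, "DAP")))
    print("O16 download hosts:", o16_hosts(entries))
```

Grouping by a substring of the path, as `entries_mentioning` does, is how a reviewer ties the O2 BHO, the O3 toolbar, the O4 autostart and the O8 context-menu item back to one installed product before deciding whether any of them should go; the O16 host list gives a quick view of where every Downloaded Program Files control came from, which is the part of a log where an unfamiliar domain deserves a second look.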



## brendandonhu (Jul 8, 2002)

I am editing & updating the tutorial right now...I have added banners for spybot & spywareinfo, and thx to a tip from Merijn got the Advanced Descriptions for all items. Any other suggestions?


----------



## bassetman (Jun 7, 2001)

Thanks for the link B!


----------



## brendandonhu (Jul 8, 2002)

Welcome :up:
Hope it helps.


----------



## NiteHawk (Mar 9, 2003)

What happened to the "sticky" on this??
Is the new revision "soon to be released"?


----------



## shesun4givn2 (Jul 7, 2003)

Bump


----------



## Rollin' Rog (Dec 9, 2000)

In order to reduce the number of pinned posts at the top of the forum I unpinned this along with some others. If there is a current discussion, of course that will keep it in view also.

Brendan's HijackThis Tutorial has been included in the Help Tools Pinned post for those who may have lost the bookmark.


----------



## brendandonhu (Jul 8, 2002)

waaah I'm not special anymore  

The tutorial is doing pretty well. Over 1200 unique visitors, and printed in an Indian newspaper.


----------

