Here's My HiJackThis Log. Which Files I Should Delete?


Several trojan hijackers use a homemade service in addition to other startups to reinstall themselves. You can click on a section name to bring you to the appropriate section. Cookiegal, Sep 26, 2007 #8 HalleluYAH Thread Starter Joined: Apr 28, 2007 Messages: 45 Thanks for helping me. If you feel they are not, you can have them fixed.

It is recommended that you reboot into safe mode and delete the offending file. There is a tool designed for this type of issue that would probably be better to use, called LSPFix. Startup Registry Keys: O4 entries that utilize registry keys will start with the abbreviated registry key in the entry listing. I know that the entries/program files "Spoolsv.exe", "Wuaclt.exe", "Lsass.exe", "Csrss.exe", and "Smss.exe" might be causing problems, but I don't know how to solve them.

Hijackthis Log File Analyzer

Beyond that point, please start a new topic. Orange Blossom Help us help you. Example Listing O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer =, If you see entries for this and do not recognize the domain as belonging to your ISP or company, and the DNS servers Where else are you receiving assistance? SpywareInfo Forum has decided to open a forum for smartphones due to the needs presented by this shift in usage.

The Global Startup and Startup entries work a little differently. I used to have Vista but 2 days ago after the hacking I reformatted down to XP because I was tired of Vista, if that helps any. If you are experiencing problems similar to the one in the example above, you should run CWShredder. You need to get one immediately.

Files Used: prefs.js As most spyware and hijackers tend to target Internet Explorer these are usually safe. Please be aware that when these entries are fixed HijackThis does not delete the file associated with it. This would have a value of http=4 and any future IP addresses added to the restricted sites will be placed in that key. https://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/ You can also download the program HostsXpert which gives you the ability to restore the default host file back onto your machine.

HijackThis Configuration Options When you are done setting these options, press the back key and continue with the rest of the tutorial. There will no longer be separate Usernames and Display Names. RunServicesOnce keys: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce The RunOnceEx keys are used to launch a program once and then remove itself from the Registry. There are two prevalent tutorials about HijackThis on the Internet currently, but neither of them explains what each of the sections actually means in a way that a layman can understand.

Is Hijackthis Safe

This is just another method of hiding its presence and making it difficult to be removed. Now if you added an IP address to the Restricted sites using the http protocol (ie. HalleluYAH, Apr 30, 2007 #5 Cookiegal Administrator Malware Specialist Coordinator Joined: Aug 27, 2003 Messages: 105,647 There is still infection in your log. I keep both up to date, and scan w/Norton's at least once a week.

Example Listings:
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
F2 - REG:system.ini: Shell=explorer.exe beta.exe

Registry Keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The Shell registry value is equivalent to the function of

Please download HijackThis from any of the following locations: spywareinfo.com subratam.org tools.zerosrealm.com
- Install/Unzip it into C:\HJT.
- Only run HijackThis from C:\HJT\HijackThis.exe.

Double click on the local "C-Drive" to open it. When you fix O4 entries, HijackThis will not delete the files associated with the entry.

These files cannot be seen or deleted using normal methods. R3 is for a URL Search Hook. You should use extreme caution when deleting these objects: if one is removed without properly fixing the gap in the chain, you can lose Internet access.

If you add an IP address to a security zone, Windows will create a subkey starting with Ranges1 and designate that subkey as the one that will contain all IP addresses You should always delete O16 entries that have words like sex, porn, dialer, free, casino, adult, etc.

When a user, or all users, logs on to the computer each of the values under the Run key is executed and the corresponding programs are launched.

Click on "File" => "New Folder" and name it HJT. O12 Section This section corresponds to Internet Explorer Plugins. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. It should be noted that the Userinit and the Shell F2 entries will not show in HijackThis unless there is a non-whitelisted value listed.

Thank you in advance for any solutions you may have. You can generally delete these entries, but you should consult Google and the sites listed below. When it opens, click on the Restore Original Hosts button and then exit HostsXpert. When you see the file, double click on it.

HijackThis will delete the shortcuts found in these entries, but not the file they are pointing to. You will then click on the button labeled Generate StartupList Log which is designated by the red arrow in Figure 8. IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program.

Logfile of HijackThis v1.99.1
Scan saved at 3:48:48 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe

However, since only Coolwebsearch does this, it's better to use CWShredder to fix it.

O20 - AppInit_DLLs Registry value autorun
What it looks like: O20 - AppInit_DLLs: msconfd.dll
What to do: This Registry value

Section Name        Description
R0, R1, R2, R3      Internet Explorer Start/Search pages URLs
F0, F1, F2, F3      Auto loading programs
N1, N2, N3, N4      Netscape/Mozilla Start/Search pages URLs
O1                  Hosts file redirection
O2

the CLSID has been changed) by spyware.

The name of the Registry value is nwiz and when the entry is started it will launch the nwiz.exe /install command. If you have already run Spybot - S&D and Ad-Aware and are still having problems, then please continue with this tutorial and post a HijackThis log in our HijackThis forum, including Therefore you must use extreme caution when having HijackThis fix any problems. You will then be presented with the main HijackThis screen as seen in Figure 2 below.

If the entry is located under HKLM, then the program will be launched for all users that log on to the computer. Finally we will give you recommendations on what to do with the entries.