Cyber Tech Help Support Forums > Software > Malware Removal
#1 - April 18th, 2004, 10:44 PM
viking12344, New Member
How do I learn to read the hijack logs?

Any websites or anything helpful would be appreciated. Thanks!
#2 - April 19th, 2004, 12:10 AM
dammit, Rampant Rabbit
Hi buddy... first, stick around here and read a lot... you may recognise certain things that occur regularly... and can pick them out.
It's not easy to read logs... spyware changes almost daily... so new tools are developed for getting rid of this nightmare by folks far cleverer than us. I reckon these days 90% of puter problems are due to this intrusion of privacy... or even more...

I don't want to point you in the direction of learning how at the moment... because a little knowledge in this case is a dangerous thing... when you have been around a while... well, that's different.
#3 - April 19th, 2004, 02:27 PM
AnnMarie, CTH Subscriber
dammit is correct, viking12344. It takes time and a willingness to research to learn to read a log correctly, and what many people do not realise is that when an entry is "fixed" in a Hijack This log, a registry key or value is actually being deleted.

This site will help you gain a greater understanding of Hijack This logs and what each code in a log refers to.
#4 - April 19th, 2004, 02:51 PM
putasolutions, Senior Member
Quote:
when you have been around a while....well thats different
ooops sorry
#5 - April 19th, 2004, 03:24 PM
Acrobaze, Malware Removal Team
Good morning!

Another question, to be sure:

when we find this, for example:
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL

then we check and fix.

Are we sure that BHO001.DLL is deleted?

Thank you for your answer.
#6 - April 20th, 2004, 12:49 AM
AnnMarie, CTH Subscriber
Hi Acrobaze. Hijack This does usually delete the file associated with a BHO; however, it does not in the instance of the CWSSearchx (About:Blank) hijacker. That file has to be deleted manually.
#7 - April 20th, 2004, 08:45 AM
Acrobaze, Malware Removal Team
Thank you very much, AnnMarie.
#8 - April 20th, 2004, 08:49 AM
AnnMarie, CTH Subscriber
You are welcome, Acrobaze.

#9 - April 25th, 2004, 05:49 PM
Acrobaze, Malware Removal Team
Good morning!

I just saw a thing I had never seen before:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s

I searched on Google... but nothing! I don't understand what this "+s" is.

Do you know what it is?

Thank you for your answer.
#10 - April 25th, 2004, 07:24 PM
dammit, Rampant Rabbit
Hi buddy... best thing is to post a fresh log, then someone can check it out for you.

#11 - April 25th, 2004, 10:35 PM
Acrobaze, Malware Removal Team
Hi dammit! Thank you for answering me!

Here is the log I don't understand:

Logfile of HijackThis v1.97.7
Scan saved at 22:04:00, on 25/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Program Files\RamBooster\Rambooster.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Apps\ActivBoard\OSD.exe
C:\Planetis\Planetis.exe
C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CLEMENT.SNCD08200284\Mes documents\les setup\HijackThis ( contre 1 trojan ).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat....d=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetis.com/net@tous
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat....d=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [CTBPlanetisEDF] C:\Planetis\Planetis.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-908\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr...eleir_cert.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...wflash5r42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F26F1B73-0994-4A0C-B960-543002BB4DC7}: NameServer = 212.27.32.176 212.27.39.1

I don't know what these "+" are.
#12 - April 25th, 2004, 10:57 PM
Meangean, Senior Member
I believe there is a sticky in the Cyber Safety forum on how to read 'em, or somewhere...

I forgot.

There is a site.

Just search for "how to read hijack this logs"

or something.

Also, I would use Google to search up all the .exes and files to see if they are Windows files or trojans, viruses or bad stuff.

ex: search for sajdfk.exe

It's not a real file, but if you search for it, look on sites and see what they have to say about that file.
#13 - April 25th, 2004, 11:44 PM
dammit, Rampant Rabbit
Hi again... Close all open windows... run hijack again and put a check in the boxes for the below entries... then hit "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat...id=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetis.com/net@tous
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat...id=190851127001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

Reboot into Safe Mode (tap the F8 key during booting until the boot menu appears).

Make sure you can see hidden files and folders... here is how, if you don't know:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Go to Start > Search > Files and Folders, run a search for the following files and/or folders, and delete them when/if found.
Also press Ctrl+Alt+Del to bring up Task Manager and end the process on the below if running.

keyword.exe
manage.exe
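Acrobaze's log in #11 and dammit's fix list in #13 use the same two line shapes: R0/R1 entries naming a registry key, a value name and its data, and O4 entries naming a Run value and the program it launches. The script below is an added example, not code from the thread or from HijackThis: it parses those shapes from constructed sample lines in the format above, reports the registry value that "Fix checked" would delete (AnnMarie's point in #3), flags R entries whose data is not a URL (the "+s" values Acrobaze asked about), and flags O4 entries whose executable name is on a caller-supplied watch list. The watch list used in the demo run, the two names dammit told Acrobaze to fix, is an assumption for illustration.

```python
import re

# Constructed sample lines in the HijackThis v1.97 format quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
URL_DATA = re.compile(r"^(https?://|about:)", re.I)

def parse_r(line):
    """R0/R1 line -> registry key, value name and data; 'Fix checked' deletes that value."""
    m = R_LINE.match(line)
    if not m:
        return None
    sec, hive, key, name, data = m.groups()
    return {"section": sec, "key": hive + "\\" + key, "value": name, "data": data}

def exe_path(command):
    """Executable path from an O4 command string, quoted or not, without its arguments."""
    m = re.match(r'"?(.+?\.exe)', command, re.I)
    return m.group(1) if m else command

def parse_o4(line):
    """O4 Run line -> hive, Run value name and the program it launches."""
    m = O4_LINE.match(line)
    if not m:
        return None
    hive, name, command = m.groups()
    return {"section": "O4", "key": hive + r"\..\Run", "value": name, "exe": exe_path(command)}

def review(log_text, suspect_exes):
    """Return (line, reason) pairs for entries worth a closer look; suspect_exes are lowercase basenames."""
    flagged = []
    for line in log_text.strip().splitlines():
        r = parse_r(line)
        if r and not URL_DATA.match(r["data"]):
            flagged.append((line, f"data {r['data']!r} is not a URL; fixing deletes value '{r['value']}' under {r['key']}"))
        o4 = parse_o4(line)
        if o4 and o4["exe"].rsplit("\\", 1)[-1].lower() in suspect_exes:
            flagged.append((line, f"Run value '{o4['value']}' launches {o4['exe']}"))
    return flagged

if __name__ == "__main__":
    for line, reason in review(SAMPLE_LOG, {"keyword.exe", "manage.exe"}):  # assumed watch list
        print(reason)
```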
#14 - June 12th, 2005, 04:17 PM
hashashanur, New Member
Hijacked!!!

I am new to this and without much computer knowledge.
I have managed to get my log by following the instructions
I've seen in the Forum.
Can I post it here? Will someone tell me what to do next?
If the answers to the above questions are "Yes", where is
the "New Thread" icon that is said to be in the upper right
corner of the page? I don't see it.
Any info appreciated....
Thanks... ?????
#15 - June 12th, 2005, 04:23 PM
tb525, Malware Removal Team Advisor
Hi hashashanur, welcome to CTH.
Yes, post your HijackThis log in a new thread. Click this link http://www.cybertechhelp.com/forums/...splay.php?f=25 and then click the 'New Topic' button in the upper left.
All times are GMT +1.