Hi Jack This For Dummies


Sky_Captain
30th Jan 2005, 11:46
I myself have been posting up reports from hiJack This, and like many others have been receiving the help from the experts like E-Liam, Evo, nwaflygirl and many others, but I would like personally to learn how to read the report my system has produced and be able to select the correct files to be fixed :confused:

So, I'd like to take this opportunity to ask those in the know for their help and advice. I'm not trying to steal your thunder guys, but I'd like not to have to constantly post a new thread and beg for your help:{

A previous thread gave this link to a "How to read your HJT report"

http://www.pchell.com/support/hijackthistutorial.shtml

But I would like to know what it is that most look for in the report? Do you compare what is said in "Running processes" to what the report shows, and then determine what doesn't belong there :ugh:

So to E-Liam and all the others, we're constantly in your debt for all the help and guidance you have provided in the past :ok:
And right now, I'd like to know would you be interested in teaching:
"Hi Jack This For Dummies"

I look forward to the replies on this one,

Regards,

S.C. :)

E-Liam
30th Jan 2005, 18:18
Hi SC,

As with anything complex, there is a period of learning.. I've been doing this for a couple of years, and I still visit sites such as Castlecops, Techsupportforum or Techguys to keep up with the latest changes. I'm still listed as an expert on all of them, even though I haven't worked either of those forums for several months now.. (too much to do, too little time to do it in) :) so if I get really stuck I can pop into the staffroom and ask around if needs be.. :)

For a start though, you can check the entries by using one of the following, depending on what you are checking..

Here (http://computercops.biz/CLSID.html) for 02 and 03 entries.

Here (http://castlecops.com/StartupList.html) for all the 04 entries.

Here (http://www.samspade.org/) for resolving DNS addresses, such as those found in the 017 entries.

Here (http://www.antispyware.nextdesigns.net/023l.php) for the 023 entries.


Here (http://www3.ca.com/securityadvisor/pest/search.aspx) for checking up on particular nasties..

And of course my bestest friend on the whole web..Google (http://www.google.com)

.. and lots (and lots and lots) of practice of course. There are many other reference sites I use, but as there are so many different baddies out there, that shouldn't be too surprising. You'll usually find them accidentally through Google, if the need arises.

As far as the logs themselves go, you've seen the way I do it, which is to determine what should or shouldn't be there, have the patient fix the entry, and then delete (usually in safe mode, as although the act of fixing the entry in HJT does stop it from running, there are usually other parts of the folder that haven't stopped) the respective files or folders. Then you run Adaware, Spybot, CCleaner, and any others that you may need for any particular clean up.

You won't need to get them to run the Peper.A cleaner if that trojan didn't show up in the log to start with for instance. As for the running processes, a quick glance after doing the main fix, in case a file happens to be running in the background, and wasn't picked up in the main log (rare) is all I'll do. There are though, instances where seeing the order of some files in the RP list, will give you immediate clues as to what is going on. The Peper.A one being another (or is it the same??) case in point.

Have a practice.. see what you think you should do on this log..

Scan saved at 1:34:56 AM, on 1/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AIM\aim.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kasamba\_kasamba.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\LISA\Local Settings\Temporary Internet Files\Content.IE5\3D5CJTO1\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi...ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi....yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dial.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi...earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page...id=1000940
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi....yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: toolbar.yahoo.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/...1/chat.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-c.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://contentpurity.com/ScanFile.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/o...winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share...insctl.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/o...leXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c...mplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share...cgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF46D8D1-D48F-4773-8F79-EF24C08B70BC}: NameServer = 151.164.1.8 206.13.28.12
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

..and then see if your fix comes close to the original here (http://castlecops.com/postt102177.html). Refer to my posts as well, to see the order that I do things.. admittedly in a slightly different order to the helper here. :)

Cheers

Liam
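As an added example (my own script, not code from this thread or from HijackThis), here is a small Python triage pass over log lines in the format quoted above. It flags the cues Liam points at: "(file missing)" and "(no file)" entries, O23 services with an Unknown vendor, the missing default URLSearchHook, and R0/R1/O15/O16 entries whose host is outside an allowlist. The allowlist KNOWN_OK_HOSTS and the sample lines are constructed for the example; the sample lines are copied from the log quoted in this post.

```python
import re
from dataclasses import dataclass, field

# HijackThis entry lines start with a section code ("R1", "O4", "O23") then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
BARE_HOST_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Hosts the owner of this particular log would expect in start/search pages,
# the Trusted Zone and ActiveX (DPF) downloads. This allowlist is an assumption
# made for the example; it is not something HijackThis or the thread supplies.
KNOWN_OK_HOSTS = ("yahoo.com", "sbc.com", "yimg.com", "microsoft.com",
                  "mcafee.com", "aol.com", "msn.com", "hp.com", "webshots.com")

SECTION_HELP = {
    "R0": "IE start page", "R1": "IE search page / search bar",
    "R3": "URLSearchHook", "O2": "browser helper object (BHO)",
    "O3": "IE toolbar", "O4": "autostart (Run key or Startup folder)",
    "O8": "IE context menu item", "O9": "IE extra button / Tools item",
    "O15": "Trusted Zone site", "O16": "ActiveX download (DPF)",
    "O17": "DNS NameServer", "O23": "Windows service",
}


@dataclass
class Entry:
    kind: str
    body: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return the R/O entries of a HijackThis log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def host_of(body):
    """Host named by an entry: taken from a URL, or a bare domain such as 'prosearching.com'."""
    m = URL_RE.search(body)
    if m:
        return m.group(1).lower()
    tail = body.split()[-1] if body.split() else ""
    return tail.lower() if BARE_HOST_RE.fullmatch(tail) else None


def is_known_host(host):
    return any(host == k or host.endswith("." + k) for k in KNOWN_OK_HOSTS)


def triage(entry):
    """Attach review flags for the cues the thread says to look for; returns the entry."""
    b = entry.body
    if "(file missing)" in b or "(no file)" in b:
        entry.flags.append("orphaned entry: the file is gone, fixing the entry is safe")
    if entry.kind == "O23" and " - Unknown - " in b:
        entry.flags.append("service has no vendor string: look the file up first")
    if entry.kind == "R3" and "missing" in b:
        entry.flags.append("default URLSearchHook missing: a common hijack side effect")
    if entry.kind in ("R0", "R1", "O15", "O16"):
        host = host_of(b)
        if host and not is_known_host(host):
            entry.flags.append(f"unfamiliar host {host}: research it, do not browse to it")
    return entry


def suspects(text):
    """Entries that picked up at least one flag, in log order."""
    return [e for e in map(triage, parse_log(text)) if e.flags]


# Constructed sample: a handful of lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dial.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: toolbar.yahoo.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

if __name__ == "__main__":
    for e in suspects(SAMPLE_LOG):
        print(f"{e.kind:<4}({SECTION_HELP.get(e.kind, '?')})")
        print(f"     {e.body}")
        for f in e.flags:
            print(f"     -> {f}")
```

The script only narrows the list to research; as the thread says, the decision on each line still comes from looking the entry up, not from the flag.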

Sky_Captain
30th Jan 2005, 19:15
Wow :eek: There is so much to read into and understand. Those links are well detailed, I'm going to enjoy this. For the post you put up, the R0 and R1 stand out to me, do you have any other links to determine what they are?

Regards

S.C. :ok:

DeepC
31st Jan 2005, 13:06
E-Liam,

Wish I had read this thread before posting my help a friend thread!

Cheers

DeepC

E-Liam
31st Jan 2005, 18:24
Hi SC,

Re: the R0 and R1 entries, if they look dodgy fix them. These are your start and search pages, and are easily reset, through Tools | Internet Options. They will in some cases give you a clue as to what, if any, particular hijack you are dealing with. CWS is one such, where in the olden days, when CWS wasn't as big a problem to fix, the reset homepage, depending on what it was, would basically throw up a red flag.

Remember though, don't click on the link to test the entry.. if it is a site capable of a driveby download, such as CWS, guess who's going to be next to post up a HJT.. yep, you.. :{ :)

Again, without any clues for your fix on this log, if they appear to be bad, then fix them. If you are testing yourself on this log, research them.. by googling and seeing what experts at sites such as Castlecops do with them.

Hi Deep C,

I've posted up what to do next, as I'm sure you'll read soon enough.. :ok: :)

Cheers

Liam

Flybywyre
1st Feb 2005, 13:29
This is one of the best threads I have seen on here for a long time :ok:
Very interesting, thanks to E-Liam for sharing his knowledge with us.........
Regards
FBW

Sky_Captain
1st Feb 2005, 15:39
Glad somebody agrees with me, thanks FBW :D
E-Liam, if you don't mind me asking, will there be any serious repercussions to a system if the wrong line is checked for fixing? :confused:

Most of the log you posted I have been able to fix using the links you provided but some still confuse me, that's probably not too difficult, but I'd just like to know what happens if you make the wrong choice, can it affect your OS?

Regards,

S.C. :ok:

Binoculars
2nd Feb 2005, 12:47
And rather than start yet another new thread, I have one question for Liam; Windows Adstatus\winstat.exe. Looked extremely suspicious to me, but a Google search indicates it is possibly legit, to do with Excel? Should I leave it alone?

DeepC
2nd Feb 2005, 13:31
Binoculars

www.geekstogo.com/forum/My_Hijackthis_Log-t7990.html

This site suggests that it needs to go.

DeepC

Binoculars
3rd Feb 2005, 11:54
Thanks DeepC, though I could only find one question on AdStat which hadn't been answered. It's become fairly obvious to me though that it is a nasty, but getting rid of the little bugger has proven rather difficult.

I went through the whole process that Liam described on the major hijack thread, Adaware, Spybot, booting into Safe, deleting Windows temp, rebooting, Ccleaner, reboot, whatever, and a virus check, and still every time I did a HJT scan there it was again.

The main file appears to be in C:/Program Files/Windows/AdStat, or something like that. I deleted that file in safe mode (no idea why except that Liam suggested it ) and while I was there I noticed a little Registry cleaner program I have called RegCleaner which can be downloaded from here (http://www.tweaknow.com/RegCleaner.html)
so I ran that while I was there. It picked out the Adstat file as one to delete, I said go right ahead, and it seems for the moment at least that it has disappeared.

I've also noticed two folders sitting in Program Files called Search Relevancy and Search Relevant. I've deleted both of them, because after reading all these HJT scans I'm becoming paranoid about anything with search in it. :ooh:

(Disclaimer: this advice comes from a non-geek and should be treated with extreme caution)

As an afterthought, I thought I may as well post the final HJT log for the perusal of the experts.

Logfile of HijackThis v1.99.0
Scan saved at 10:56:59 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\webshots.scr
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: CAISafe - Unknown - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


Hmm, one further edit, I had a look at that and decided I didn't like the look of the O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file) so I deleted that as well.

what on earth am I doing?

E-Liam
3rd Feb 2005, 19:04
A few to answer.. :)

Hi FBW

Thanks, if I know something, and can pass it on, I will. :ok: :)

Hi SC,

"will there be any serious repercussions to a system if the wrong line is checked for fixing?...

...but I'd just like to know what happens if you make the wrong choice, can it affect your OS?"

If you are just fixing an entry, and then deleting the offending file, then no. You can though, bugger up programs if you delete critical files from them. This is easily enough fixed by using the backup facility in HJT. You'll notice in my starting C&Ps..

", and place it in its own folder, (not in the temp folder, or on the desktop)"

and

"The first thing you need to do, is to place Hijack This in its own folder (e.g. C:\HJT\….) so it can generate backup files to the same folder; needed should an entry be accidentally deleted"

...that I ask, both on getting HJT downloaded, and also, if not already done on posting, to do the above. If it all goes to hell in a handbasket, then it's just a case [in HJT] of clicking on Config | Backups and restoring each entry individually (has to be done before you delete the offending file from the machine of course).

Binos,

Yup.. winstat.exe is a baddie.

and again.. :)

I'm just off out, but will check the log properly later on. As far as Search Relevancy goes though, right again, a baddie; part of Blazefind.

Cheers

Liam

Sky_Captain
3rd Feb 2005, 20:37
Good Choice Binos,
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file) is a bad one. From my new experiences, I hope I'm right in saying it is a certified spyware browser helper object (BHO)

Regards S.C.

E-Liam, Three questions if I may.
When you said I could "bugger up programs if you delete critical files from them", would the mistake be easily noticeable? Or is it a case of it may or may not affect a programme in a bad way? Also is it an easy thing to restore a file from Config | Backups in HJT?

Also, using castlecops to decipher 04 entries, what part of a record exactly do you type in on the search line? Deep C mentioned in another post about an 04 entry of "C:\WINDOWS\SYSTEM\FLBRGY.EXE" being one to fix, but I can't seem to find an answer for this with Castlecops, where am I going wrong?

One other question if you have time, you've mentioned to others about running in safe mode, and finding certain folders and either deleting the entire folder or just its contents, where do you come up with the info to tell you where to find these folders and what exactly to do with them:confused:

I'm glad I asked this question about learning HJT :{
It sure ain't easy :ugh:

Take Care

S.C. :ok:

DeepC
3rd Feb 2005, 21:23
"Deep C mentioned in another post about an 04 entry of "CWINDOWS\SYSTEM\FLBRGY.EXE" being one to fix, but I can't seem to find an answer for this with Castlecops, where am I going wrong?"

I worked on the principle that if a file is legit it would have appeared on at least one of the many thousand HJT logs that appear on a Google search. Therefore as it does not appear at all it must be a randomly generated file name. Therefore it goes.

E-Liam, this is where you step in and tell me that I'm talking rubbish!

Cheers

DeepC

Blacksheep
4th Feb 2005, 00:52
After an attack left me unable to play with my pooter, I did a reformat of the C drive, reloaded all the software - MS XP Pro, Printer, Scanner, remote keyboard, MS Office Professional, Adobe Photoshop, Firefox etc. Then I reloaded Norton A/V, Blackice, Spybot, AdAware and HijackThis, did scans on the clean machine and saved the logs.

Any difference between the clean machine and anything added without me knowing about it now becomes more obvious.

Tedious I know, but what the hell, at least my machine's clean now. I dunno what was 'phoning home' before but I've had no infections or take-overs since doing that. It only took a day and I had to be there for just an hour or so of that. I'd certainly do it again any time my PC starts behaving in an odd way.

BTW, as well as being burned onto CDs on a regular back-up schedule, I keep my data files - Word documents, PDF files, and photos etc. - stored on the "D" drive partition, which remains untouched by the above process.

Binoculars
4th Feb 2005, 11:09
Switching my attention back to Windows Explorer on my desktop, I noted and deleted three folders, because I have become extremely suspicious of anything in Program Files which starts with Windows, except for the obvious like Windows Media Player. More so when they contain "ad" in any shape or form.

The three folders, which I still hold in the recycle bin pending confirmation they are baddies, are Windows AdControl, Windows ServeAd, and Windows SynchroAd.

Am I right to be deeply suspicious? If so, should I have used Safe Mode to delete them or will a simple delete from Explorer do the job?

P.S.

Whoa!!!! Cannot believe this but AdStat has reappeared on my lappy! Arrrggghhh!!!!!!!!!!!!!!

E-Liam
4th Feb 2005, 17:46
Hi all,

in order.. :)

SC,

The 02 is a baddie, it's the Blazefind/Search Relevancy BHO.. although this is just an orphaned registry entry..

"When you said I could "bugger up programs if you delete critical files from them", would the mistake be easily noticeable? Or is it a case of it may or may not affect a programme in a bad way? Also is it an easy thing to restore a file from Config | Backups in HJT?"

To restore the entry, go to the backup section as described earlier, and put a tick in the box of the relevant entry, and click on Restore.. job done. For deleting a file from a program.. you may not notice. If you do, then a new install of the program will do it. It's for this reason (but mainly in case of corruption from other factors) that I download every program that I get, into a folder on the desktop called Desktop.exe before installation. That way, if I need to, a double click of the right setup file, and I'm back in business in minutes. (if you have a program disc, then it's obviously a simple enough problem to sort out).

"Also, using castlecops to decipher 04 entries, what part of a record exactly do you type in on the search line? Deep C mentioned in another post about an 04 entry of "CWINDOWS\SYSTEM\FLBRGY.EXE" being one to fix, but I can't seem to find an answer for this with Castlecops, where am I going wrong?"

Type in (I copy/paste to save time, and ensure accuracy) either the filename (with or without the file extension), or use the description in the [***] box at the beginning..

O4 - HKLM\..\Run: [CARPService] carpserv.exe

As was mentioned later on.. if you can't find the file via Google, then fix it.. by now if it's not appeared on Google, it's a random filename. Remember though, with a 5 character filename, there are only so many combinations that can be used as a filename. You will sometimes get other occurrences of the same random names, simply because of the number of computers out there, and the fact that there are only around 12 million different variables to choose from.

You can also submit the file, for either your own or someone else's machine by following another of my handy C&Ps.. :) Go to here (http://www.kaspersky.com/remoteviruschk.html) ..and click in the little box that has browse beside it and paste this line into it,

C:\WINDOWS\SYSTEM\*****.exe

then press submit.
That sends a copy of the file to their virus checker to see if it is viral or not.

The asterisks are substituted for the filename in question, and I change the filepath as well if necessary.

"One other question if you have time, you've mentioned to others about running in safe mode, and finding certain folders and either deleting the entire folder or just its contents, where do you come up with the info to tell you where to find these folders and what exactly to do with them."

I pull that info straight from the part of the log that I've asked the patient to fix. I then take out the extras to leave just the complete filepath from root. To determine whether the offending article is a file or a complete folder depends on a couple of things. Anything in the System(32) folder is (almost) certainly going to be a file, whereas anything from Program Files is almost always going to be a folder.. but then it's more a matter of experience than anything else, and is entirely dependent on what particular entry it is. You may fix just the single file that controls adware in WildTangent for instance (see here (http://castlecops.com/startuplist-858.html)) without needing to delete the entire program. :ok: :)

Deep C,

As I mentioned above, you are indeed correct.. :ok:

Binos,

Firstly post up a log, and I'll have a look.. :)

AdControl (http://castlecops.com/startuplist-6126.html)

ServeAd (http://castlecops.com/startuplist-6603.html)

and SynchroAd is also a baddie, probably WinUpdates related as well.

The reason that I use safe mode to delete files, is that it stops pretty much all but essential OS services from running. If you can delete them without safemode, then fine. :ok:

Cheers

Liam