Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Learning about Hijack This

Wendy! (Senior Member, 175 posts; joined Jul 2004; experience: Advanced), 16-Jul-2004, 10:22 AM, post #1
Learning about Hijack This
Is there a central list of what all the Hijack This entries mean? I realize that a novice looking up each entry could take a LONG time, but I am looking for a source to learn more about Hijack This...
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 16-Jul-2004, 10:43 AM, post #2
petersleeter (Member, 58 posts; joined Jul 2003), 16-Jul-2004, 11:51 AM, post #3
This is a really great resource. Thanks for posting it.
Wendy! (Senior Member, 175 posts; joined Jul 2004; experience: Advanced), 16-Jul-2004, 11:55 AM, post #4
Thanks, I have been reading and reading....
petersleeter (Member, 58 posts; joined Jul 2003), 16-Jul-2004, 01:30 PM, post #5
Clicking on the link is now returning an HTTP 404 file not found error. Trying spywareinfo.com brings up the following...
"We'll Have More Soon

This domain has been parked. This site is currently under construction and we will have more for you soon.

For This Site Owners:

Please check subscription confirmation e-mail for instructions

"
I wonder what's up with that!
__________________
Pete
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 16-Jul-2004, 01:32 PM, post #6
Just tried it again and the link is still working.
TOGG (Distinguished Member, 4,894 posts; joined Apr 2002; Birmingham, England), 16-Jul-2004, 02:42 PM, post #7
Two other links: http://aumha.org/a/hjttutor.php and a more detailed one with graphics, http://www.bleepingcomputer.com/foru...howtutorial=42
petersleeter (Member, 58 posts; joined Jul 2003), 16-Jul-2004, 04:05 PM, post #8
Great site TOGG.
KeithKman (Distinguished Member, 2,069 posts; joined Dec 2002; Irvine, CA; experience: Intermediate), 16-Jul-2004, 04:16 PM, post #9
Awesome links, thanks!
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 17-Jul-2004, 08:34 AM, post #10
Found The Following On Another Site
This How To: area is designed to help people understand how to spot problems in a Hijack This! log. If you don’t know what a Hijack This! log is or have never used one, check out the "Introduction to Hijack This" thread. The other tutorials that will appear here are the basics needed to troubleshoot problems using the information found in Hijack This! logs. To understand these threads, you should already have a basic understanding of the different Windows operating systems, their internal file structures, and the Windows registry.

Within the past few months, the forums have seen a lot of activity that requires the use of Hijack This! logs. Unfortunately, those few of us who know how to work with them are being flooded with logs, which take considerable amounts of time to review. It’s my hope that by producing this area, more people will understand how to fix the problems and assist in providing a faster response time for people in need of this kind of help.

Keep in mind that what I’m writing here is by no means to be considered written in stone. These are just guidelines that have worked for me countless times in developing more efficient means of handling more than one HJT log at a time. With that said, start reading the next post for what I’ve been personally calling a crash course in Hijack This!
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 17-Jul-2004, 08:34 AM, post #11
Hijack This! is like a registry editor program that displays areas of the Windows registry where the majority of viruses, Trojans, spyware, adware, and malware reside. It never scans for actual files on the hard drive (like an anti-virus program does), but relies on us to interpret the areas of the registry that it displays. Because of this, we have to be careful what we fix in the log, otherwise we might cause the user more problems than they first had.

The program was written by Merijn Bellekom (who also created CWShredder). What most people don’t realize is that Merijn has a tutorial website for Hijack This. Here’s the link to the site (which I encourage you all to read):

http://www.spywareinfo.com/~merijn/htlogtutorial.html

The log is actually broken down into three parts, the HEADER, the RUNNING PROCESSES and the actual REGISTRY keys. The header of the log tells us the version of "Hijack This!" we are using, the time and date stamp of when the log was created, the Windows operating system (including service packs), and the version of Internet Explorer (including service packs). Here's an example:

Logfile of HijackThis v1.98.0
Scan saved at 10:31:54 AM, on 07/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Since most trojans and viruses take advantage of vulnerabilities in the Windows operating system, the header information tells us if the system needs to get the latest critical updates installed so we can plug the vulnerability and prevent future problems. Also, knowing how recent the log is helps us in determining whether the user has had enough time to go back out on the system and accidentally get re-infected again. Finally, knowing the version of "Hijack This!" helps as well because older versions do not show all areas that Trojans infect (the latest version is 1.98.0).

The next part of the log is the "Running Processes". These are the processes running in the Task Manager at the time the log was created. Sometimes we'll see all sorts of files, which we may not understand why they are running. The reason is that users don't run the log at the exact same instant. The user may have been working on his system for several hours before running the log, which would show all kinds of open files. The best thing to do is have the user reboot their system and then immediately run "Hijack This!" and post the log. This gives us a baseline to work from. Usually I'll troubleshoot the log, tell the user what to fix, have them reboot their system, and then post a new log so I can determine if I've gotten everything. I find this method to work best with most users who don't know much about their systems. If I use this method with techie types who know their systems, they usually follow my instructions out of order or leave out pertinent information.

I was dealing with one guy recently who would fix things in the log, then post it without telling me what he had "Hijack This!" fix. When I finally told him his log was clean, he then pointed out the infiltrations that kept coming back that he was fixing each time. Once I saw those, I knew through experience that he had a CoolWebSearch infection and that fixing entries in the log wouldn't work until he ran the CWShredder program (which he didn't know existed).

The last part of the log is the "Registry Entries". As you probably have observed, each entry begins with a letter and number sequence that represents a different part of the registry. Here’s a listing that briefly explains what each one means:

R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1 - Auto loading programs Win.ini and System.ini
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
O1 - Hosts file redirection (from a system's Host table)
O2 - Browser Helper Objects (DLLs that assist in browsing)
O3 - Internet Explorer toolbars
O4 - Programs that Automatically load from the Registry
O5 - IE Options icon not visible in the Control Panel
O6 - IE Options access restricted by the Administrator
O7 - Regedit access restricted by the Administrator
O8 - Extra items in IE right-click menus
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker (usually requires an LSPFix utility)
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plug-ins
O13 - IE Default Prefix hijack
O14 - 'Reset Web Settings' hijack (these are usually legitimate)
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (links to Downloaded Program Files)
O17 - Lop.com domain hijackers (these are usually legitimate as well)
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack
O20 - AppInit_DLLs Registry value autorun
O21 - ShellServiceObjectDelayLoad Registry key autorun
O22 - SharedTaskScheduler Registry key autorun

Merijn's tutorial site gives actual examples for every one of these and a brief synopsis on what to do with each one. If you haven’t read the tutorial yet, now would be a good time to do so.
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 17-Jul-2004, 08:35 AM, post #12
Ok, now that you understand what the log is and how it is created, let's start the troubleshooting process. First of all, if you're one of those people who think "Gee, I wish I was as good at troubleshooting those HJT logs", guess what? You are as good as me. This is not rocket science we are dealing with. Most of this is technique and paying attention to detail.

The first thing you want to do with a "Hijack This!" log is copy and paste the entire log to Notepad. The overall process for researching the log is one of elimination. Each line of the log or parts of each line (both the running processes and registry entries alike) need to be researched, preferably in Google. If you learn your Copy & Paste hot keys (CTRL-C to Copy, CTRL-V to Paste, CTRL-X to Cut, and SHIFT-Down Arrow to Highlight), things go much faster. Your goal for each line is to determine if the line is related to something bad (spyware, adware, trojan, virus, etc...) or if it is something legitimate (good). If the line is bad, you leave it in Notepad. If the line is legitimate (good) you delete the line from Notepad. The theory is that when you get to the end of the log, everything that remains in Notepad is what the user needs to fix with Hijack This. Since the "Running Processes" don't have options to be fixed in Hijack This, what's left over under here are files that need to be deleted (preferably in "Safe Mode").

It averages about 1 hour to fully research a "Hijack This!" log using the above method (with high speed internet connection). However, there are some things we can do to cut back on this research time. The first thing I do after copying the HJT log is to look for three things (in the log), before I start my research. The first is a CoolWebSearch hijack.

Merijn has a site called "The CoolWebSearch Chronicles". Here he currently lists 43 variants in detail of CoolWebSearch. Now I don't know about you, but that's too many variants for me to memorize, plus he keeps adding new ones here all the time. I found that if you go to his page, listed here:

http://www.spywareinfo.com/~merijn/cwschronicles.html

and click on View -> Source, it will show you the HTML code of the page. If you scroll down to the bottom of this page, you'll find a list of every URL that is associated with CoolWebSearch. Find the top of the list and copy & paste it to Notepad. Then save the file and name it something like CWS_URL. Then when you look at a HJT log, look immediately at the URLs contained in the R0, R1, and R2 entries. Cross-reference those URLs with the ones in your text file. If you have a match, then I guarantee that the system is infected with CoolWebSearch. Also see if an "(obfuscated)" tag is at the end of the R0, R1, or R2 entry. This indicates a newer variant of the CoolWebSearch hijack.

Once you know they have CoolWebSearch, tell the user immediately to download the CWShredder program at this link:

http://209.133.47.200/~merijn/files/CWShredder.exe

Run the program, have it get the latest updates, and let it do its thing. When finished, have the user reboot the system and post a new HJT log. If the URL is close to some of the listings in your text file, but not exact, have them run the CWShredder program anyways; it doesn't hurt anything and can buy you some more research time (also makes the user feel useful while you figure things out). Recently, I found a site that posts the CWS domains. I'm not sure how often it is updated, but it does have some entries that are not listed in the source code. Here's a link to it:

http://users.skynet.be/bk136527/CWS/CWSdomains.htm

The second thing you want to look for is the Peper Trojan (aka Sandboxer). The Peper Trojan is easily identified by looking at the naming portion of the entry on all O4 lines. Here's an example:

O4 - HKLM\..\Run: [46#QN2#57#XTYN] C:\PROGRAM FILES\MEMORYWATCHER\WOWEX32.EXE

The area between the brackets "[]" is where the program naming of the registry key is displayed. If you see 14 characters between those brackets that appear randomly generated and start with a number, rest assured you're looking at the Peper Trojan. The Peper Trojan (aka Sandboxer) was one of the most difficult Trojans to catch and remove, because it was constantly changing file names and its location. Finally someone developed a removal tool. Here are the links I send them to get the tool from:

http://www.zerosrealm.com/downloads/uninst.exe

http://www.memorywatcher.com/uninst.exe

The user must run the tool while they are connected to the internet. After they've done this, have them post a new log. It may look to them as if nothing has happened, but you'll immediately notice that the entry you found earlier is no longer there.

The last thing I look for is an O10 Winsock Hijacker entry. When you have an O10 entry you may have to use an LSPFix utility to safely remove the infecting DLL listed in the entry. Here's an example:

O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

In this situation I have the user download the LSPFix Utility from this site:

http://cexx.org/lspfix.htm

Then have them use these instructions to remove the bad DLL:

1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select 'inetadpt.dll'.
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.
6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the following file: c:\windows\system\inetadpt.dll
8. Restart your computer and bring it up in normal mode.

Note that the bad DLL in the above examples is 'inetadpt.dll'. This name may be different on a similar hijack.

Since I've mentioned LSPFix, let me point out another use of this program. Sometimes when you run a spyware removal program (like Ad-aware or Spybot Search & Destroy) or even an anti-virus program, the removal process of certain spyware (like New.Net and webHancer) will cause the Winsock2 file in Windows to become corrupt. The results are usually that Internet Explorer cannot get to any sites whatsoever (including the homepage). Sometimes other programs may be able to get out (like Instant Messenger, Anti-Virus Live Updates, or Outlook Express) and then sometimes nothing will be able to use the internet connection (depends on the severity of corruption to the Winsock2 file). This doesn't happen that often, only about 1% of the time. When this does happen, have the user run the LSPFix utility (using all defaults) and this will usually fix the situation.

So, if you run across a situation that sounds like this:

"As I was booking my flights online last night, I get fed up with all the pop-ups and run ad-aware in hopes of helping. It finds a bunch of stuff and I delete it, WITHOUT a quarantine, and then like 2 minutes later I can't access any website at all, but AIM still works."

Have them download and run LSPFix.

Another tip I need to mention at this point is to always let other applications do as much of the work as they can for you. If you're looking at a long log or one with a lot of obvious problems in it, tell the user to go and run a program like Ad-aware, Spybot Search & Destroy, or Trend Micro's Housecall (online Trojan scanner). They are all free to use and could eliminate as much as 50% of your research time or more.
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 17-Jul-2004, 08:35 AM, post #13
Ok, now for some tips (that are probably obvious) on how to reduce the actual log so you'll have less research to do. As I stated before, you copy the entire HJT log to Notepad, then research each entry, one by one, with Google. When doing the "Running Processes" a number of these are common to the Windows operating system that the log was run on. Here's an example:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ClearSearch\Loader.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

Look at the files I highlighted in red. These are common files to the Windows XP operating system, but ONLY if they are in the folders that are specified with them. If say WINLOGON.EXE is in the C:\Windows\ folder, then it is a trojan. These lines can immediately be removed from the log in your Notepad, because you know they are safe. If you want, create a "Cheatsheet" that has the Windows OS listed along with their common files seen in HJT logs.

The next thing you look for in the "Running Processes" is any folder which belongs to a known manufacturer or product. Look at the example again for all the lines I marked in blue. These lines can be immediately removed from the log in your Notepad, because they are from a common product or manufacturer. Remember, if you do not know the product or manufacturer, then you have to research it. The ones I highlighted in blue are from Hewlett Packard, MSN, BitDefender, and Norton AntiVirus.

Of course the last line of the Running Processes is usually the Hijack This program and it can be removed as well (highlighted in brown). Notice that we originally had 30 lines in the Running Processes that we have now reduced to only 8, in a matter of minutes.

This same process can also be done for the registry entries. Here's an example of that:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...b?1083558701345
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://scgroups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Again, red are your common Windows XP entries, and blue are your known manufacturers and products. Remember that blank lines that only have CLSID numbers need to be fixed by Hijack This as well:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Also if you see an O2 entry that has a "(file missing)" at the end of an entry, this means that the file is no longer in that location. Here's an example:

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL (file missing)

This can be caused by an anti-virus program suddenly quarantining the file, or by the file being deleted before the entry was fixed by Hijack This!. Either way, have Hijack This! fix the entry, as it is not really doing anything anyways. O4 entries will not show this "(file missing)" at the end of their entries. If the file isn’t there, they simply do not run.
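As an added example (not code from any post in this thread and not part of HijackThis), here is a Python script that applies the rules from posts #11 to #13 to a constructed sample log: it splits the log into header, running processes and registry entries, drops running processes that are XP system files in their expected folder or come from a trusted vendor, and flags CoolWebSearch URLs in R0/R1/R2, Peper-style O4 names, O10 LSP entries, O2 "(file missing)" entries and CLSID-only hooks with no file. The system-file, vendor and CoolWebSearch lists are placeholders you would replace with your own cheat sheet and the domain text file jvic describes.

```python
"""HijackThis log triage: applies the elimination and quick-check rules from this
thread.  Added example, not code from any post or from HijackThis itself; every
list below is a constructed placeholder, not authoritative data."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# XP system binaries with their expected folder: the same name elsewhere stays in the log.
XP_SYSTEM_FILES = {r"c:\windows\system32\smss.exe", r"c:\windows\system32\winlogon.exe",
                   r"c:\windows\system32\services.exe", r"c:\windows\system32\lsass.exe",
                   r"c:\windows\system32\svchost.exe", r"c:\windows\explorer.exe"}
# Directory-name prefixes of vendors the reviewer already trusts (placeholder list).
KNOWN_VENDOR_DIRS = ("norton", "symantec", "hewlet", "hp", "msn", "softwin", "bitdef")
# Stand-in for the CoolWebSearch domain text file the thread tells you to keep.
CWS_DOMAINS = {"cws-example.invalid"}

ENTRY_LINE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
PEPER_NAME = re.compile(r"^\d[A-Z0-9#]{13}$")   # 14 random-looking chars, first a digit
URL_HOST = re.compile(r"https?://([^/\s]+)")
CLSID_ONLY = re.compile(r"\(no name\).*\{[0-9A-F-]{36}\}.*\(no file\)", re.I)

def parse_log(text):
    """Split a log into (header lines, running processes, registry entries)."""
    header, procs, entries, section = [], [], [], "header"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ENTRY_LINE.match(line)
        if line.lower().startswith("running processes:"):
            section = "procs"
        elif m:
            section = "reg"
            entries.append(Entry(m.group(1), m.group(2)))
        elif section == "procs":
            procs.append(line)
        elif section == "header":
            header.append(line)
    return header, procs, entries

def reduce_processes(procs):
    """Drop processes the thread treats as safe; what remains still needs research."""
    keep = []
    for p in procs:
        low = p.lower()
        dirs = low.split("\\")[:-1]                      # directory segments only
        known_vendor = any(d.startswith(v) for d in dirs for v in KNOWN_VENDOR_DIRS)
        if low in XP_SYSTEM_FILES or low.endswith("\\hijackthis.exe") or known_vendor:
            continue
        keep.append(p)
    return keep

def flag_entries(entries):
    """Return (reason, entry) pairs for the quick checks described in the thread."""
    flags = []
    for e in entries:
        if e.code in ("R0", "R1", "R2"):
            host = URL_HOST.search(e.text)
            if host and host.group(1).lower() in CWS_DOMAINS:
                flags.append(("CoolWebSearch URL: run CWShredder first", e))
            elif "(obfuscated)" in e.text:
                flags.append(("obfuscated URL: newer CoolWebSearch variant", e))
        elif e.code == "O4":
            name = re.search(r"\[([^\]]*)\]", e.text)
            if name and PEPER_NAME.match(name.group(1)):
                flags.append(("Peper/Sandboxer-style O4 name", e))
        elif e.code == "O10":
            flags.append(("Winsock LSP entry: use LSPFix, not HJT", e))
        if e.code == "O2" and "(file missing)" in e.text:
            flags.append(("BHO file missing: have HJT fix the entry", e))
        if CLSID_ONLY.search(e.text):
            flags.append(("CLSID-only entry with no file: have HJT fix it", e))
    return flags

# Constructed sample log; lines are modelled on the examples quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 10:31:54 AM, on 07/03/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Windows\winlogon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cws-example.invalid/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O4 - HKLM\..\Run: [46#QN2#57#XTYN] C:\PROGRAM FILES\MEMORYWATCHER\WOWEX32.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
"""

if __name__ == "__main__":
    hdr, procs, entries = parse_log(SAMPLE_LOG)
    print("Still to research:", *reduce_processes(procs), sep="\n  ")
    for reason, entry in flag_entries(entries):
        print(f"{entry.code}: {reason}\n  {entry.text}")
```

Note that winlogon.exe is dropped only from System32; the copy in C:\Windows stays in the list, which is exactly the case post #13 warns about.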
jvic (Senior Member, 229 posts; joined Apr 2004; experience: Advanced), 17-Jul-2004, 08:36 AM, post #14
Once the log is reduced, the research is almost ready to begin. You need to check at this point and see if the user is running Windows XP or Windows ME. If they are, they need to disable the System Restore feature; otherwise, the problem files will get sucked into the restore folder and will become a system restore point. Usually I'll give the user one of the following links that explains how to do this:

Windows XP:
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

Windows ME:
http://service1.symantec.com/SUPPOR...=&osv=&osv_lvl=

Now, as I've already stated, each entry in the log (or parts of the entry) needs to be researched in Google. Don't try retyping the entry (unless it's extremely short), just copy & paste the entry into Google (remember your hot keys).

Now 9 times out of 10, a search on a HJT entry will yield you links to other HJT logs. Actually, this is often what you want. Looking at how others handled the entry can help you determine how to handle your entry. To help you quickly navigate these linked logs there are two features you can use. First is the "Find (on this page)" feature (Ctrl - F, or click Edit -> Find). By pasting your search criteria here, you can quickly go through the link seeing how someone fixed the problem. The second way is to use the "Cached" feature in Google. Most links will have a "Cached" link you can click on (located at the end of the URL line). The cached feature will show the page as it was cached on Google's server. This is often faster to load and your search criteria are highlighted on the page in yellow (sometimes other colors depending on the length of the line). This will allow you to quickly scroll down the page to see how the problem was fixed (or not fixed).

Some of the links you find will point to security forums. Usually I will look at all of these first, as they will most likely contain your answer. Some of the better security forums to look at are:

computercops.biz
forum.tweakxp.com
www.wilderssecurity.com
www.spywareinfo.com
forums.net-integration.net
boards.cexx.org
forums.tomcoyote.com
www.lavasoftsupport.com
www.dslreports.com (Broadband Forums)
www.cybertechhelp.com
www.security-forums.com

These links are where a lot of the anti-spyware gurus hang out. To spot a guru, he'll usually have total posts that number in the thousands. If you find someone who gives an answer to fix a log, check his or her total posting value. If it is only in the low hundreds (or less) keep researching for a second opinion. When someone does give an answer and it doesn't include the search criterion that was found in the log, you can usually assume that the entry is good and remove it from the log in your Notepad.

You'll probably see a lot of logs go unanswered due to the fact that these boards are swamped with people seeking help through their HJT logs. Sometimes you'll see logs go days and weeks without an answer. This is because there are not enough people out there who know how to read HJT logs to keep up with the demand.

There are some bits of false information out there that might trip you up from time to time. PestPatrol often lists a lot of files that are not malicious to your system, just because they meet certain criteria for their classifications. It's usually simple to recover from these and we'll most likely point them out to you as you discover them (and we hope you would do the same for us, as we are only human as well).

If you come across a log that has you perplexed, bring it to our attention (that's what we're here for). Together we should be able to figure out what is going on. Remember, we can encounter new variants and new problems that have never been seen or documented by anyone. Often these will take a combined knowledge in order to sort through and finally fix.

After you’ve posted the fix, have the user reboot his system in Safe Mode and delete any files, or folders that contain files, that might re-infect the system. Have the user post a new Hijack This! log once back up in normal mode so you can verify that the log is clean. When verifying the log, simply check and make sure that none of the entries you had the user remove came back, and check to see if any new entries have suddenly appeared.

Once a clean log has been established, I like to provide a link to a general thread that will tell the user how to make their system more secure, in order to prevent these types of problems in the future. Right now I'm using one I posted to TheTechGuys that came from another site, and a second one from an article someone pointed out to me. Here's a link to them:

http://www.pcstats.com/articleview.cfm?articleID=1579

http://forums.thetechguys.com/showthread.php?t=4544