What You Should Do Before Posting A HijackThis Log For The First Time

Discussion in 'Virus & Other Malware Removal' started by flavallee, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. flavallee

    flavallee Trusted Advisor Thread Starter

    Joined:
    May 12, 2002
    Messages:
    80,745
    First Name:
    Frank
    1. Make sure to use the latest version of HijackThis. Make sure not to place it in a temporary folder, such as C:\WINDOWS\TEMP. Create a folder for it right on the desktop, in the C:\PROGRAM FILES folder, or wherever you choose.

    2. Go to the spyware tools section at http://www.majorgeeks.com (or whatever site you choose) and download and install Ad-Aware SE Personal 1.05 and Spybot - Search & Destroy 1.3.

    Once you install them, make use of their update function and get them up-to-date with the latest detection files.

    Run a full system scan with Ad-Aware. Once the scan is finished, click "Next". Place a checkmark in all items, then click "Next - OK". Close Ad-Aware and reboot.

    Run a scan with Spybot by clicking "Check all problems". Once the scan is finished, place a checkmark in all items in red, then click "Fix selected Problems". Close Spybot and reboot again.

    3. Click Start - Find - All Files And Folders, select the hard drive to look in, then allow it to display what it finds under:

    *.TMP

    C:\TEMP\*.*

    C:\WINDOWS\TEMP\*.*


    Delete everything listed, regardless of the file type or extension.

    ----------------------------------------------------------------

    By following these steps before posting a log, you will get rid of a good part of the "nasties" hiding in your computer (and they do sometimes hide in temp files), and it will reduce the clutter in the log (which makes it easier to examine and deal with). (y)
     
  2. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,371
    First Name:
    Wayne
    There were some comments recently where rebooting the PC actually made the situation a lot worse....

    Would you advise this action for everyone???
     
  3. flavallee

    flavallee Trusted Advisor Thread Starter

    Joined:
    May 12, 2002
    Messages:
    80,745
    First Name:
    Frank
    I always reboot after running either or both of them.

    I read somewhere awhile back that rebooting should be done after running a scan and removing registry-related entries because it makes the next scan more accurate.
     
  4. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,371
    First Name:
    Wayne
    Yes, I read that - but also that some spyware on each reboot actually made the system worse - maybe that variant of trojan is no longer around so much.

    some calls flrman1 was working on and said do not reboot
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi etaf-- That is correct, fixing malware is basically situation specific, such as the VX2 type you have seen lately...the files change if you do reboot, and AdAware etc will not fix anything. It should not hurt anything too much, IF the user runs the programs and scans, and reboots...before posting here, but I would not swear to that. The reboot issue is important AFTER he/she has started any set of directions, after we have seen a HJT log, and they are given the special tools to use to make logs.
    All the above is only in regard to the new VX2 malware.

    Rebooting also affects some variants of about:Blank (CWS) infections- those files also randomly change names...but, running the basic removal tools first does not seem to harm anything, and many of the posters who come to TSG after using them, and not having anything fixed, go away after some special help here without about:Blank. The rebooting is critical to the poster during the fix then, too.

    Trojan infections and malware are made worse by long periods of online use> more things are downloaded during their time here for instance, and during updates, online scans...so all in all it's best to keep rebooting AND Internet use as low as possible. When things freeze up etc and someone just has to get things going> they have to start back at the beginning, posting new logs first and get new advice, which usually works out in the long run.

    The chance of any poster having some of the more common things like New.Net, WebHancer and similar...that when removed by SpyBot or AdAware....without first uninstalling from Add/Remove Programs also has to be dealt with. There are ways to fix the problem if the user has broken their Internet access/connection by improper removal, so we don't worry about it too much. Probably 90% of posters having malware problems have used AAW or SpyBot or some other common removers first.
    Still- the best thing to do I feel, is post an HJT log provided the computer will let you! We can often point them to the latest version, updated releases they may not know about, special downloads they will need and must have before attempting anything.
    We can tell if they are using Msconfig and have turned off things that should be running, and we can see the operating system, service Packs, and general setup of the system, all from one or a couple of HJT logs.

    The majority of people posting will not have any ill effects by using AAW and/or SpyBot etc before posting but a few will. They usually get on another computer someplace, and post to us and get help that way.

    When a reply is made, if you are going to just tell them to get AAW etc and run them, you stand the chance of creating a bad time for that poster, if they end up with no Internet access and don't have another machine there to use. It's my feeling that the first thing to have anyone do is post a Hijackthis log.
    Then> post the links to latest versions of the removers and continue. We often see in a beginning of a thread that someone is using an older version of Hijackthis...and then, it should be suspected they do not realize about newer versions of the other tools...
     
  6. flavallee

    flavallee Trusted Advisor Thread Starter

    Joined:
    May 12, 2002
    Messages:
    80,745
    First Name:
    Frank
    I'll bow to the differences in opinion about rebooting between scans and running them before posting a log.

    It seems to me that running these scans and rebooting before posting a log would shorten the size of the log and make it easier to read and deal with. If I'm wrong, I apologize for the post.
     
  7. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,371
    First Name:
    Wayne
    I'm really no expert here at all with spyware, so no right or wrong - however, I have often requested people to post a hjt log - so I was just making sure that if I followed any advice - like run CWShredder, ad-aware, spybot, etc before posting a hjt log, that I did not make it worse for the poster.
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi etaf The question has always been around and cannot be answered 100% either way. The majority of people who post have run the common programs but found that they have something they cannot completely fix...others have run them and found broken Internet access, but they are a small minority...there are only a few malwares that it happens with. I would say, that for over 90% of people, having them run AAW etc first would not be a problem. For those that do have one of the malwares that are not yet or cannot be fixed without breaking Internet connection> we can normally see that in their first log, and get them the repair tool, LSPFix or Winsockfix, BEFORE they lose their connection and have no idea how to fix it.
    Simply removing Kazaa with Kazaabegone, is also an easy way to lose your Internet connection...so, when we see them with K, we also post the download for LSPFix etc, in our first reply so they have the tool handy and directions..in case Kazaabegone breaks their connection.
    Though the Security forum has some stickied threads at the top of the forum, a lot of posters do not read them.
    Several other great forums absolutely REQUIRE Adaware and SpyBot and some other things BEFORE they will help!! And, I would think that in cases where someone loses Internet access, they either get onto another computer and continue, get help locally, or they reinstall Windows...
    There are the other things HJT logs show, that make me personally feel it's always best to have that info before advising someone to continue using the Internet for downloads or surfing around, reading threads etc.
     
  9. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,371
    First Name:
    Wayne
    OK thanks, I'll carry on as before - the advice I give is (a) to get the poster to run hjt and post a log and (b) also to download LSPFix just in case

    this is the text i usually post
    ---------------------------------------
    post a hjt log

    HIJACK THIS:

    Download and copy hijackthis [should be version 1.99] to its own folder, it makes backups so keeping them separate and available can be useful.
    SO DO NOT put hjt onto the desktop or temp files.

    create a directory say my documents/hjt


    Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

    Version at 16/12/04

    http://computercops.biz/zx/Merijn/hijackthis.zip (Version 1.99)
    http://www.merijn.org/files/hijackthis.zip (Version 1.99)
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Version 1.99)
    http://209.133.47.200/~merijn/downloads.html (Version 1.99)
    http://www.thespykiller.co.uk/ (Version 1.99)
    http://aumha.org/downloads/hijackthis.exe (Version 1.99)
    http://www.tomcoyote.org/hjt/ (Version 1.99)
    http://www.majorgeeks.com/download3155.html (Version 1.99)
    http://www.thewhities.com/ (Version 1.99)

    http://www.lurkhere.com/~nicefiles/ (1.98.2)
    http://www.net-integration.net/tools/hijackthis.html (Version 1.98.2)
    http://www.merijn.org/files/hijackthis1982.zip (Version 1.98.2)
    http://computercops.biz/zx/Merijn/hijackthis1982.zip (Version 1.98.2)

    http://www.sherrylynn.us/privacypolicy (this has an older version 1.97 - if you can not get to any of the above sites)

    {NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x since this parasite deliberately crashes programs that try to detect it. For such cases, Use HijackThis 1.98.2 }


    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”.
    Click on “Save Log” and then it should save and open in NotePad.
    Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.
    DO NOT FIX ANYTHING; wait for advice from one of the many security experts in this forum.

    I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will be unable to add any advice on the log and so will no longer be replying to your post with regards to the HJT issue, so please have patience and wait for one of the security experts to provide further detailed advice

    I will, however, be notified when you post the log

    The security forum gets very busy - so you may not get an instant reply to your log - If you do not get a response in 24hrs - then post another reply and this will bring the log back to the top of the forum, just in case it's missed



    ----------------------
    Just in case download LSPFix
    http://www.cexx.org/lspfix.htm
    and keep safe - do not use until requested
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi etaf...Just a couple of comments for you.

    1. Definitely a great way to respond and lots of good help there.

    2. Hijackthis 1.99 on a bad system can take quite a while to finish....I think you would be better off to change "takes only a second" to something about letting the top red line finish...or the Fix checked button appearing, to indicate the scan part is over.
    Otherwise they will start trying to stop the scan...


    Good work, if I am any judge!
     
  11. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,371
    First Name:
    Wayne
    thanks - have altered wording
     
  12. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    Hi etaf,

    It would be nice if you also asked them to check all the Startup items in msconfig. Many people usually forget to do that.

    You can use the wording I use:

    Open Start> Run and type MSConfig in the 'Run' box. When the System Configuration Utility opens, ask them to go to the 'Startup Tab' and make sure there is a checkmark beside each entry. Then the general tab should have the "normal startup" option checked. REBOOT when asked to by Windows to complete the change.
     
Short URL to this thread: https://techguy.org/323624
