
Can You Please Check This HJT Log?

Prefix: http://ehttp.cc/?

These entries will be executed when any user logs onto the computer.

These zones with their associated numbers are:

Zone          Zone Mapping
My Computer   0
Intranet      1
Trusted       2
Internet      3
Restricted    4

Each of the protocols that you use to connect to

Logfile of HijackThis v1.99.1
Scan saved at 7:48:58 PM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe

This run= statement was used during the Windows 3.1, 95, and 98 years and is kept for backwards compatibility with older programs. This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

Next go to Add/Remove programs on the control panel and remove the following if you decide to remove it: MyWebSearch

If you see an entry Hosts file is located at C:\Windows\Help\hosts, that means you are infected with CoolWebSearch.

The hosts file contains mappings for hostnames to IP addresses. For example, if I enter in my host file: 127.0.0.1 www.bleepingcomputer.com and you try to go to www.bleepingcomputer.com, it will check the

It is important to note that if an R0/R1 points to a file, and you fix the entry with HijackThis, HijackThis will not delete that particular file and you will have

  • It should be noted that the Userinit and the Shell F2 entries will not show in HijackThis unless there is a non-whitelisted value listed.
  • If you allow HijackThis to remove entries before another removal tool scans your computer, the files from the Hijacker/Spyware will still be left on your computer and future removal tools will
  • Windows 3.X used Progman.exe as its shell.

This will split the process screen into two sections.

This program is used to remove all the known varieties of CoolWebSearch that may be on your machine.

An F1 entry corresponds to the Run= or Load= entry in the win.ini file.

There is a security zone called the Trusted Zone.

Could someone please check this for me.....Thanks Frogget

Logfile of HijackThis v1.99.1
Scan saved at 2:59:01 PM, on

Many users understandably like to have a clean Add/Remove Programs list and have difficulty removing these errant entries.

Manjit (Oct 5, 2008, #2): Ok I have run HJT again and removed the files you requested, I have attached a new log.

The log file should now be opened in your Notepad.

If a user is not logged on at the time of the scan, their user key will not be loaded, and therefore HijackThis will not list their autoruns.

HijackThis will then prompt you to confirm if you would like to remove those items.

Sorry for the delay.

Also, when did Run, etc., in the temp folder there were a lot of other folders as well as items.

Every line on the Scan List for HijackThis starts with a section name.

Please check my HJTlog
By Manjit, Oct 5, 2008

My computer has been running slowly, so I have done a

RunOnceEx key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

The Policies\Explorer\Run keys are used by network administrators to set a group policy setting that has a program automatically launch when a user, or all users, logs

How to use the Hosts File Manager

HijackThis also has a rudimentary Hosts file manager.

O13 Section

This section corresponds to an IE DefaultPrefix hijack.

Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button:

RunOnce keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

The RunServices keys are used to launch a service or background process whenever a user, or all users, logs on to the computer.

Registry Keys:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar

Example Listing
O3 - Toolbar: Norton Antivirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll

There is an excellent list of known CLSIDs associated with Browser Helper Objects and

RunServices keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

The RunServicesOnce keys are used to launch a service or background process whenever a user, or all users, logs on to the computer.

Use Google to see if the files are legitimate.

O14 Section

This section corresponds to a 'Reset Web Settings' hijack.

The standalone application allows you to save and run HijackThis.exe from any folder you wish, while the installer will install HijackThis in a specific location and create desktop shortcuts to that

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:28:57 p.m., on 19/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:

Any further steps to take?

So if someone added an entry like: 127.0.0.1 www.google.com and you tried to go to www.google.com, you would instead get redirected to 127.0.0.1 which is your own computer.

Example Listing
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPix ActiveX Control) - http://www.ipix.com/download/ipixx.cab

If you see names or addresses that you do not recognize, you should Google them to see if they are

For F1 entries you should Google the entries found here to determine if they are legitimate programs.

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

HijackThis will delete the shortcuts found in these entries, but not the file they are pointing to. If the file still exists after you fix it with HijackThis, it is recommended that you reboot into safe mode and delete the offending file.

Hopefully with either your knowledge or help from others you will have cleaned up your computer.

Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer.

O7 Section

This section corresponds to Regedit not being allowed to run by changing an entry in the registry.

As you can see there is a long series of numbers before and it states at the end of the entry the user it belongs to.

Be aware that there are some company applications that do use ActiveX objects so be careful.

To delete a line in your hosts file you would click on a line like the one designated by the blue arrow in Figure 10 above.

Unless you recognize the software being used as the UrlSearchHook, you should generally Google it and after doing some research, allow HijackThis to fix it.

F0, F1, F2, F3 Sections

For those who are interested, you can learn more about Alternate Data Streams and the Home Search Assistant by reading the following articles: Windows Alternate Data Streams [Tutorial Link] Home Search

While that key is pressed, click once on each process that you want to be terminated. Under the Policies\Explorer\Run key are a series of values, which have a program name as their data.