Kisara
02-08-2006, 05:54 PM
If you don't know, HijackThis is a program that scans a Windows machine and lists the places where malware likes to hook itself in (the shell, browser add-ons, startup entries, and so on); it doesn't decide for you what is bad, it just shows you what is registered there. The logs can be confusing, but here are some tips on understanding a simple one. Let's look at one I just got (some stuff taken out because my machine is hopelessly infected ^^; ):
Logfile of HijackThis v1.99.1
Scan saved at 1:35:32 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
((*insert list of processes running in here. I'm not saying what mine are*))
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsvCC8.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
Note from Admin: sorry, I had to delete this link. Please read the rules of the tutorial forum (it's on the sticky at the top of this forum. No links to outside sites in the tutorial forum, thanks!!
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
~*~*~*~*~*~*~*~*~*~*~*~*~*
At the beginning of the log, it says that it's a HijackThis log and which version made it. It provides the info on when the log was saved (here, 1:35:32 PM on 2/8/2006), what Windows platform is being used (XP Home Edition with Service Pack 2 installed on this one), and what version of Internet Explorer is on the user's machine (on mine, 7 beta 2, but I never use it :P. Firefox ^^). Next, it has a list of running processes. I'd rather not say all I have running right now, and it even cuts from the log with the way it is now ^^. After that, it shows what it found. I took out a lot. Now, obviously, people with technical know-how can say my system's infected, and tell me what to fix. I know, yeah.

The first one (F2) refers to a value in the Windows Registry (REG) that took over the job of the old system.ini file (system.ini), and lists what it found (Shell=Explorer.exe C:\WINDOWS\nail.exe). The Shell value tells Windows which program to start as the desktop shell when you log on; on XP it lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and on a clean machine it is just Explorer.exe. In this example (technically not one, because it's my log >>; ), the user's shell is compromised. Explorer.exe should be in there; it's vital for Windows to run. But C:\WINDOWS\nail.exe refers to a file in the Best Offers adware, and because it is listed in Shell it gets started at every logon, no matter what else gets cleaned. I would advise NOT to "fix" this with HijackThis's tool, because it could wipe out the part that says Shell=Explorer.exe, causing massive grief. The safe repair is to edit the value so it reads only Shell=Explorer.exe, and then deal with nail.exe itself.

After that, we've got a BHO (Browser Helper Object). A BHO is a DLL that Internet Explorer loads into its own process every time it starts, which is exactly why adware and spyware like to register as one. Truth be told, I'm not sure what this one does myself, so I'd rather leave it alone. Before deciding either way on an entry like this, the thing to check is the file it points to: legitimate BHOs normally ship under Program Files with a recognisable vendor name, so a DLL sitting directly in C:\WINDOWS\system32 with a name like nsvCC8.dll is worth looking up.

After that, a toolbar, the Viewpoint toolbar to be exact. Now, people are divided on the issue of whether or not Viewpoint Manager is adware. I'll leave that entry alone, just in case.

Now, a registry key. It's in the LOCAL MACHINE (HKLM) Run key, so it runs for every user who logs on, and it starts the igfx tray (the Intel graphics tray icon) at startup. I'm pretty sure that can be left alone. The next one is a startup area: a shortcut in the Startup folder that starts LimeWire. That can definitely be left alone, as LimeWire is a mere file sharing program.

The next item talks about an extra menu item in the "Tools" menu in IE. It's the Sun Java Console. That can be left alone.

Next, a DPF. I'm not sure of what DPF means, but I know it can be left alone, because it's a Windows validation tool, downloaded when I installed IE 7. (For reference, O16 lists the ActiveX controls in Internet Explorer's Downloaded Program Files folder, which is where the letters come from; an unwanted control installed by a web page would show up in the same place.)

And finally, an extra protocol handler (like http:, file:, aim:, etc.). It's "msnim". That can be left alone, because it's part of MSN Messenger; the "(file missing)" note just means the DLL it points to is no longer on disk. Well, that pretty much concludes this. Thanks for reading, and happy malware hunting ^^!
Edit: ((Please do not click or remove that link that appears, it's part of the log))
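Here is an added example that is not part of the original post and not a HijackThis feature: a small parser for this log format that runs the three checks discussed above over the entries quoted in the log (extra programs in the Shell= value, browser add-ons loading from the Windows directory, and components marked "(file missing)"). The sample log is constructed from the entries shown above; the single running-process line and the "BHOs belong under Program Files" heuristic are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries quoted in the post, minus the admin note.
# The one "Running processes" line is made up so the header is realistic.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 1:35:32 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\\WINDOWS\\Explorer.EXE

F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\\WINDOWS\\system32\\nsvCC8.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\\Program Files\\Viewpoint\\Viewpoint Toolbar\\ViewBar.dll
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - Startup: LimeWire On Startup.lnk = C:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.5.0_04\\bin\\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSN Messenger\\msgrapp.dll" (file missing)
"""

# Every finding line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[FNOR]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path ending in a binary; non-greedy so "jre1.5.0_04" does not end the match early.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl)', re.IGNORECASE)
# Heuristic (assumption): a file directly in %WINDIR% or system32, not in a subfolder.
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    code: str             # section code such as "F2" or "O2"
    body: str             # everything after "Xn - "
    clsid: Optional[str]  # the {GUID} if the entry names one
    paths: List[str]      # drive-letter paths found in the entry
    raw: str


@dataclass
class Finding:
    code: str
    reason: str
    raw: str


def parse_log(text: str) -> List[Entry]:
    """Turn the finding lines of a HijackThis log into Entry records; header lines,
    the process list, blank lines and forum noise do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("code"), body, c.group(0) if c else None,
                             PATH_RE.findall(body), line))
    return entries


def shell_components(entry: Entry) -> List[str]:
    """Programs listed in an F2 Shell= value. Windows accepts a comma- or
    space-separated list there; quoted paths with spaces are not handled."""
    m = re.search(r"Shell=(.*)$", entry.body)
    if not m:
        return []
    return [p for p in re.split(r"[,\s]+", m.group(1).strip()) if p]


def repaired_shell_value(entry: Entry) -> str:
    """The value to write back: keep explorer.exe, drop everything else.
    Never delete the Shell value outright, or the desktop will not start."""
    kept = [p for p in shell_components(entry) if p.lower().rsplit("\\", 1)[-1] == "explorer.exe"]
    return " ".join(kept) if kept else "Explorer.exe"


def review(text: str) -> List[Finding]:
    findings = []
    for e in parse_log(text):
        if e.code == "F2" and "Shell=" in e.body:
            extra = [p for p in shell_components(e) if p.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(e.code,
                    f"Shell also starts {extra}; set the value to '{repaired_shell_value(e)}', do not delete it", e.raw))
        if "(file missing)" in e.body:
            findings.append(Finding(e.code,
                "registered component's file is gone from disk (leftover of an uninstall or a failed install)", e.raw))
        if e.code in ("O2", "O3"):
            for p in e.paths:
                if WINDIR_RE.match(p):
                    findings.append(Finding(e.code,
                        f"browser add-on loads from {p}; vendor add-ons normally live under Program Files, check the file's publisher", e.raw))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.raw}")
```

Run as a script it prints one line per flagged entry; the O3, O4, O9 and O16 entries pass the checks silently, which matches the walk-through above. The heuristics are deliberately narrow: they point a reviewer at what to look up, they do not declare anything malicious.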