How to evaluate a HJT Log and what to do about it.
By Dante7237 *updated 7/09*
HJT Index and info:
The info in the text box below is the complete index for the HJT log file.
You should find yourselves referring to this often as you investigate the various entries you find in the HJT log.
Common BHO Listing
(L= Legitimate O= at your option X= Malware Related)
As you do more and more of these logs you will eventually recognize most legitimate entries at a glance and can concentrate on the odd or "out of place" entries.
Also be sure to place checkmarks next to and fix any (file missing) entries.
Don't forget to research the (file missing) entries as they are sometimes symptoms of malware. Lookup the .dll or program being called, to determine whether its valid or not.
And understand that there are times when you will find valid filenames in the wrong directory.
Thats a tell as well.
I keep a window open with a blank notepad file to copy and paste entries into, as I determine if they are bad, or orphaned entries that need to be "fixed" with HJT.
After assembling your list of bad entries you need to consider a couple of things:
Do I have SpyBot Search and Destroy w/TeaTimer enabled?
While TeaTimer is an excellent tool for the prevention of spyware, it can
sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now. TeaTimer can be
re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Uncheck the "Resident "TeaTimer" (Protection of overall system
settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
Also, what other programs might prevent HJT from fixing my selections?
Anti-Hook Pro and other similar programs will prevent many HJT entries from being deleted, and should be disabled or placed into "fingerprint" mode.
So I "fixed" the entries. I'm good now right?
If it were only that easy.. No, not quite. We may see a couple more logfiles before it's all said and done.
And you need to manually delete the entries that you just "fixed". They are still there taking up hd space and potentially ready to activate again.
I use "KillBox" (Pocket Killbox) to delete these critters as it will delete your mom if you aren't careful.
KillBox can be downloaded from here:Clicky!
Depending on what you find in the log you may be nearly finished, or just beginning.
If there were serious symptoms before running HJT, and you identify 1 or more trojans in the logfile, then do the following after purging the restore folder like this:
Go to 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'.Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'. (This is for XP, Vista systems are slightly different)
Download, install, update and run Malwarebytes Antimalware from here:MBAM-SETUP.EXE
(Be sure to update and run a "full" system scan.)
****If there are further issues see note at end****
At this point you will want to run a good antivirus and antispyware program.
I highly recommend "Avast!" antivirus and "SpyBot Search and Destroy" for antispyware.
Time now for a new HJT scan and logfile...
Repeat the process, until the file is clean. *NOTE* Some forms of malware need special instructions. Do those steps as they are identified by your research.
****Note at End**** As a final response to "stealthy" "persistant" malware infections that weren't resolved by Malwarebytes, do the following:
Download ComboFix.exe from here: Clicky! and save it to your desktop.
Close ALL open windows and apps before running ComboFix. And don't do anything with the mouse or keyboard unless the program asks for input from you until the program is complete. You'll have full instructions on the page. Take the time to read them.
As always, if you are unsure about any part of this process you should submit the logfile when opening a helpdesk ticket here at InfernalLogic.com, and we'll be happy to assist you with the procedure.