Welcome to the SVT Discussion forum - Steps to take before posting a HijackThis log:

primesuspect (Beepin n' Boopin), Detroit, MI, Icrontian
edited April 2005 in Spyware & Virus Removal
Hello. Welcome to Short-Media. In order to expedite the removal of spyware located on your system, we request that you do the following:

Please update and run Ad-Aware SE Personal 1.06 and Spybot Search & Destroy 1.4

If you don't have either, they can be found in the Downloads Section of Short-Media.com

When you post your thread, please let us know that you have followed these instructions and run these programs on your computer. If you don't tell us that you did this, our first reply will probably be "did you run Ad Aware and Spybot first?" So please don't waste your time or ours, run these programs first and then LET US KNOW THAT YOU DID!


*** PLEASE DO NOT POST LOGS FROM AD AWARE OR SPYBOT UNLESS YOU ARE REQUESTED TO DO SO! THEY ARE TOO LOOOOOONG. STICK TO LOGS FROM HIJACK THIS.***

Instructions for updating Ad-Aware SE Personal:

1) After starting Ad Aware, Click "Check for updates now"
Ad-aware.png


2) Next, the following dialog will appear. Click "Connect" to search for any available updates
Ad-aware-2.png


3) If there are any updates available, you will be prompted to download them. Click OK.
Ad-aware-3.png


4) After the updates finish downloading, a dialog similar to this will appear. Click Finish
Ad-aware-4.png

Instructions for Spybot S&D 1.4

1) After starting Spybot S&D, click the "Search for Updates" button
SpyBot.png


2) A dialog will appear, informing you if there are any new updates. If this does not occur, click Search for updates. If Spybot locates any updates, they will be shown in the green shaded area. Ensure all boxes are checked. Press Download Updates to update SpyBot
SpyBot-2.png


3) After updating SpyBot, click Search and Destroy on the menu towards the left. Then click the "Check for problems" button

SpyBot-3.png


If Spybot tells you that you have DSO Exploits, DO NOT WORRY ABOUT THEM! These are not "bad files" on your computer, they are just warnings that you have a security flaw that *could* be exploited. However, this is a bit of a glitch in Spybot. As long as you do regular Windows updates, these problems will have been patched. If you do not have Automatic Updates turned on on your computer, then visit www.windowsupdate.com or, in Internet Explorer, click Tools -> Windows Update. Download all critical updates. Then you can safely ignore the DSO exploit warnings. They will still show up in Spybot, but they are safely patched, and Spybot just does not know how to read that.

You can also set Spybot to ignore this item. In Spybot, click MODE -> Advanced Mode. Locate the Settings button in the lower left hand corner, and click it to open it. In the right hand window, find the button that says Ignore Products. Click that, then when that opens the ignore menu, click the Tab that says Security. You will see DSO Exploit listed. Put a checkmark beside it to ignore the DSOs. Then click on the right hand button Spybot-S&D to return to the main menu.


If you need assistance with any of these steps, feel free to ask, and someone will help at the earliest convenience.

Following these simple guidelines will allow you to receive help faster, as well as make it easier for us to help you.

Thank You,
-The Short-Media SVT SWAT Team



MAKE SURE TO READ THE NEXT POST ON HOW TO USE HIJACK THIS BEFORE POSTING A LOG IN OUR FORUMS!






Comments

  • Dexter, Vancouver, BC, Canada
    edited August 2004
    How to use Hijack This to Generate a Log File


    If you still have problems after running Ad Aware and/or Spybot S&D, please download HijackThis from our Security Downloads Page.

    Please make sure that HijackThis.exe is in its own folder (e.g. c:\hijackthis or C:\HJT). When you use HijackThis to remove unwanted items, it creates backup files. If you ever mistakenly remove an item that you later discover you need, you can recover these items from the backup file. Having HijackThis.exe in its own folder gives these backup files a safe place to reside, and reduces clutter on your Desktop or My Documents folder.

    DO NOT RUN HIJACK THIS FROM INSIDE THE ZIP FILE! Make sure to actually EXTRACT the HijackThis.exe program from the Winzip file. Drag it out of the Zip file into the HJT folder you should have made for it, or use the EXTRACT button and browse to the HJT folder you made as the destination for the extraction.

    Always make sure that all Internet Explorer or other browser windows are closed when using HJT. Some problems cannot be fixed if they are actively in use by browser windows.



    Open HijackThis and click on the "Do a system scan and save a logfile" button

    Hijackthis.png



    HijackThis will scan and produce a log in Notepad. Copy and paste the entire contents into your thread. Save the logfile if you want.

    Hijackthis-2.png


    Many of the HJT entries are supposed to be there!! Do not delete anything unless you know exactly what you are doing.


    Start a new thread in the Security - Spyware / Virus / Trojan forum. Make your thread name understandable, preferably with your username and type of problem you have. In the thread, explain your problem, tell us if you have run AdAware and Spybot as instructed in this thread, then copy all the text from the Hijack This log, and paste it in. Please take a moment to read our thread on Forum Etiquette. A please and thank you make us much more willing to help you out. :)

    If you need assistance with any of these steps, feel free to ask, and someone will help at the earliest convenience.


    THE REST OF THE POSTS ON THIS PAGE DO NOT NEED TO BE READ AT THIS TIME IF YOU DO NOT WANT TO. THEY ARE "HOW-TO's" PROVIDED FOR HANDY REFERENCE, AND WE WILL LINK TO THEM TO GIVE INSTRUCTIONS TO USERS FOR TASKS THAT ARE USED OFTEN IN SPYWARE KILLING.




  • Dexter, Vancouver, BC, Canada
    edited August 2004
    How to Show Hidden Files and Folders


    You may be asked to manually move or delete some files. Make sure your Windows OS is set to show all hidden files and folders!

    (NOTE: This tutorial uses Windows XP as the main guideline, as that is what most users are running on their systems. On other Operating Systems this process will be slightly different. For an explanation on how to do this on other Operating Systems, scroll down a bit further for an explanation on each major Windows OS.)

    Open your My Computer icon, or open any folder on your computer. Click on the Tools menu, and select -> Folder Options. From the Folder Options window that opens, click on the View tab.


    folder_options_01.jpg


    Then:

    1 - Set it to "Show hidden files and folders." Uncheck "Hide extensions for known file types." Uncheck "Hide Protected Operating System Files."

    2 - Click Apply.

    3 - Click on Apply To All Folders. This will set all folders to show any hidden files.

    4 - Click OK.



    folder_options_02.jpg


    At this point, all files on your hard drive(s) should be visible.

    **Note: turning off the option to Hide Protected Operating System Files can be risky, because it leaves important OS files out in the open, where they may be accidentally deleted by users who are not familiar with them! When you are finished cleaning up your infection problem, you should turn this option back on.**


    HOW TO SHOW HIDDEN FILES AND FOLDERS ON OTHER OPERATING SYSTEMS:

    Windows 2000

    1 - Open My Computer.

    2 - Click Tools menu then click Folder Options.

    3 - Click the View tab.

    4 - Scroll to the "Hidden files and folders" section and click "Show hidden files and folders."

    5 - Uncheck the "Hide protected operating system files (recommended)" option. (SEE NOTE ABOVE ON THIS OPTION!) Click Yes to confirm. Then click OK.


    Windows ME

    1 - Open My Computer.

    2 - Click the Tools menu then click Folder Options.

    3 - Click the View tab.

    4 - Scroll to the "Hidden files" section, and click "Show hidden files and folders."

    5 - Uncheck the "Hide protected operating system files (recommended)" option. (SEE NOTE ABOVE ON THIS OPTION!) Click Yes to confirm. Then click OK.

    6 - Click the Start button -> Programs and Accessories -> Windows Explorer.

    7 - Choose the hard drive you wish to view from the left hand pane. Click "View the Entire contents of this drive."


    Windows 98


    1 - Open My Computer.

    2 - Click View menu then click Folder Options.

    3 - Select the View tab.

    4 - Scroll to the "Hidden files" section, then click "Show all files." Then click OK.


    Windows 95

    1 - Open My Computer.

    2 - Click View menu and then click Options.

    3 - Click the View tab.

    4 - Select the option to "Show all files." Then click OK.


    In any case where you have turned off the option to Hide Protected Operating System Files, we recommend you re-enable this option after you are finished cleaning the problems from your computer.



    If you need assistance with any of these steps, feel free to ask, and someone will help at the earliest convenience.
  • Dexter, Vancouver, BC, Canada
    edited August 2004
    How to Disable System Restore & How to Set a New Restore Point

    You may be told to disable System Restore if you are running Windows XP or ME! This prevents your system from re-loading infected files from the Restore directory.

    To Disable System Restore:

    Click on Start Menu -> Control Panels -> System -> System Restore. Click the checkbox to "Turn off System Restore" for all drives. Click Apply and then click YES to the confirmation dialog that will appear. Then click OK to exit the control panel.

    Then proceed to fix your infection problem as instructed.

    (NOTE: In some rare cases, spyware or viruses may disable access to the System control panel. If you cannot access the System control panel by the above procedure, please see the Alternate Methods later in this post to get directly to the System Restore Utility. )



    To Re-enable System Restore:


    After your problem is fixed, turn System Restore back on with that same control panel. Start Menu -> Control Panels -> System -> System Restore. Uncheck the checkbox "Turn off System Restore" for all drives. This will turn it back on. Click Apply and then OK to exit the control panel.


    Then, create a new restore point to be safe. Click Start Menu-> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens click "Create a Restore Point" then click Next.


    system_restore_01.jpg


    Enter a name for this Restore Point such as "After Sweeping Spyware" or something to that effect (the date will be added automatically) and click Create. This will create a new restore point which hopefully is now clean of whatever problems you had.


    system_restore_02.jpg


    Alternate Methods to Enable or Disable System Restore:

    1 - Click Start Menu-> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click on "System Restore Settings", and that will open the control panel which allows you to deactivate System Restore.

    2 - Click Start Menu -> RUN. In the Run dialog box, type in "config.msc". When the Configuration utility opens, click "Launch System Restore." This will activate the Restore utility. Click on "System Restore Settings", and that will open the control panel which allows you to deactivate System Restore.


    If you need assistance with any of these steps, feel free to ask, and someone will help at the earliest convenience.
  • Dexter, Vancouver, BC, Canada
    edited August 2004
    How to Quarantine Files

    You may be told to Quarantine certain files.

    When your Hijack This log is analyzed by our SWAT Team members or experienced users, we will identify HJT entries which are known bad, or appear suspicious because their file names are random, nonsense, or fit patterns of certain infection problems. If you are told to "Manually locate all the .exe / .dll / htm / html files indicated above and quarantine them", this means you need to look at each HJT entry that has been highlighted for you and identify the location of the files. For example, here are a couple of HJT entries, with the actual file location highlighted in red:

    O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll

    O3 - Toolbar: sitemove - {45084689-F2B1-ACD4-5C96-37D71CCC71D7} - C:\PROGRAM FILES\VC JUNK\FIVE MAPI.DLL

    O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe

    Examine the HJT entries identified to you to determine the locations of any files you need to quarantine.



    What you need to do is open My Computer, then open your C drive, then work your way to the folder(s) and file(s) indicated. If you cannot see the files, you may need to set your system to Show Hidden Files and Folders, as per the instructions here.


    Sometimes a directory name will not be shown fully, but will be "truncated" to 8 characters, with a "~" in the name. For example:

    C:\PROGRA~1\THATTI~1\castplay.exe
    C:\PROGRA~1\ELSETONS\2DOES.exe

    Anything with a "~" in the name is a folder with a longer name, but it starts with the letters indicated. In these examples, "progra~1" = Program Files. The folder "thatti~1" starts with the letters "thatti" and has more letters after that. It may be "thattimeof year" or, with spaces, "that time of year." Locate the folder that is most likely to be the match, and open it. See if the exe or dll file in question is inside of it, for instance, castplay.exe in the 1st example.

    To quarantine the files, open My Computer, open your C drive, and create a new folder by right-clicking, selecting New Folder, and naming it QUARANTINE. Then, move each of the files you have located above into the Quarantine folder by dragging and dropping them. (If you are moving them from a different hard drive, make sure to actually move them, not just copy them. A drag and drop between hard drives will copy a file, not move it. Hold down the SHIFT key when dragging and dropping between hard drives to do a move instead of a copy.)

    Once you have all the suspect files in the Quarantine folder, you now need to rename them to prevent them from accidentally (or purposefully) being re-run on your computer. Right click on each file, and rename the 3 letter "extension" part of the names. I recommend using the following naming system:

    - rename .exe files to .xxx
    - rename .dll files to .ddd
    - rename .htm or html files to .hhh or .hhhh
    - rename .tmp files to .ttt
    - if quarantining a whole folder, add an XXX to the end of the folder name. You do not need to rename everything inside the folder, as having moved it to a different location and renaming the folder as well will break the filepath of any startup entries or services, so nothing inside it will run at startup.


    If you are told to quarantine a file type that is not on this list, just take one of the 3 letters in the extension that will make it easy to remember what type of file it is (eg, using "x" for .exe's) and type that letter 3 times.


    Why quarantine files? Why not delete them?


    Well, we are all human. We all make mistakes sometimes. You may grab the wrong file by accident, and if you delete it and empty the recycle bin...it's gone. Or someone helping you with your HJT log may make a mistake, and tell you to get rid of a certain file, which is actually a legitimate file. If one of the HJT entries identified to you turns out to be a legitimate entry, and you delete the file associated with it, then you may encounter problems with some software package. Or, if you delete files instead of quarantining them, and you delete the wrong file by mistake, you can have software problems. Quarantining files is safer than deleting them, as you can always rename them and move them back if you need to. If you cannot remember where to move a file back to, you can always check your HJT log you posted here on Short-Media to find out where it came from. :)


    Deleting Quarantined Files


    If you want to clean out the quarantine after a couple of weeks, feel free to do so. Just make sure you have run most of your other programs to make sure that nothing appears to have been affected. If everything is running properly, go ahead and delete the quarantined files after 2 weeks or so.

    If you need assistance with any of these steps, feel free to ask, and someone will help at the earliest convenience.
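    As an added illustration, not part of the post above nor of HijackThis itself: a small Python script that pulls the file path out of the O2/O3/O4 entry shapes shown above, works out the quarantine name under the renaming scheme the post describes, and lists which folders a truncated 8.3 name such as THATTI~1 could stand for. The sample entries and folder names are constructed, and the handling of a file with no extension is an assumption the post does not cover.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample HijackThis entries in the three shapes the post shows (O2, O3, O4).
SAMPLE_ENTRIES = [
    r"O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll",
    r"O3 - Toolbar: sitemove - {45084689-F2B1-ACD4-5C96-37D71CCC71D7} - C:\PROGRAM FILES\VC JUNK\FIVE MAPI.DLL",
    r"O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe",
    r"O4 - HKLM\..\Run: [castplay] C:\PROGRA~1\THATTI~1\castplay.exe",
]
# Constructed folder names standing in for what a user would see while browsing the drive.
SAMPLE_FOLDERS = ["Program Files", "that time of year", "thattimeof year", "That Tiny App", "Thesaurus"]
# Extension renames from the post; any other extension gets its first letter repeated three times.
RENAMES = {".exe": ".xxx", ".dll": ".ddd", ".htm": ".hhh", ".html": ".hhhh", ".tmp": ".ttt"}


def extract_path(entry):
    """Return the file path an O2/O3/O4 HijackThis line points at, or None for other line types."""
    m = re.match(r"O4 - .*?\[[^\]]*\]\s+(.+)$", entry)  # O4: the path follows the [name] part
    if m:
        return m.group(1).strip().strip('"')
    if entry.startswith(("O2 - ", "O3 - ")):            # O2/O3: the path is the last " - " field
        return entry.rsplit(" - ", 1)[-1].strip()
    return None

def quarantine_name(path):
    """Apply the post's renaming scheme so the quarantined file can no longer be run by name."""
    p = PureWindowsPath(path)
    ext = p.suffix.lower()
    if not ext:                         # assumption: an extensionless file is treated like an .exe
        return p.name + ".xxx"
    return p.stem + RENAMES.get(ext, "." + ext[1] * 3)

def short_name_candidates(short, folder_names):
    """Folders a DOS 8.3 name like THATTI~1 could stand for: the short form is the long name with
    spaces dropped and letters uppercased, so candidates start with the letters before the '~'."""
    if "~" not in short:
        return [n for n in folder_names if n.upper() == short.upper()]
    prefix = short.upper().split("~", 1)[0]
    return [n for n in folder_names if n.replace(" ", "").upper().startswith(prefix)]

def triage(entries, folder_names):
    """Per entry: the file to move, its quarantine name, and candidate folders for each 8.3 directory."""
    report = {}
    for entry in entries:
        path = extract_path(entry)
        if path is None:
            continue
        parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'PROGRA~1', 'THATTI~1', 'castplay.exe')
        report[path] = {
            "quarantine_as": quarantine_name(path),
            "truncated_dirs": {d: short_name_candidates(d, folder_names) for d in parts[1:-1] if "~" in d},
        }
    return report
```

    Feed it the highlighted lines from your own log and a listing of the folders you see, and it tells you what to move and what to rename each file to.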
  • Dexter, Vancouver, BC, Canada
    edited August 2004
    How To Boot In Safe Mode

    There is an excellent tutorial for all Windows operating systems located at the Symantec website (makers of Norton Anti-virus and many other security and utility software).

    Click here for their tutorial, and click on the yellow/black + sign beside your Operating System version to open the specific instructions for your system.

    If you need assistance with any of these steps, feel free to ask, and someone will help at the earliest convenience.



  • primesuspect (Beepin n' Boopin), Detroit, MI, Icrontian
    edited April 2005
    How To Register and Post in the forums:

    TheSMJ has written a brief and concise guide to registering and posting on the forums :)
This discussion has been closed.