'splain it to me Lucy

vanagon40 (Indiana) Member
edited July 2004 in Spyware & Virus Removal
I'm trying to get a better handle on the HJT functions.

Correct me if I'm wrong.

All the R entries seem to deal with home page and search assistants. Wiping them all out can't hurt, I just need to reset my home page and search assistant later.

The O4 entries are registry functions. "Fixing" these with HJT normally modifies the registry, but has no effect on the system files.

The O16 entries show downloaded programs. If I wipe them out, I will simply lose the stored functions I downloaded (e.g., the info stored for a Panda scan).

In other words, wiping out the R entries and O16 entries cannot do too much damage, but wiping out the O4 entries can cause major problems.

Comments

  • Dexter (Vancouver, BC, Canada)
    edited July 2004
    Exactly. :)

    The O16 DPFs are downloaded installers, such as the one you get from the Windows Update website when you go there. If you wipe that out, the next time you go to Windows Update, you will have to wait a few seconds while it re-downloads the Windows Update portal program to your DPF. If the user is on high-speed, this is not a problem.

    Often you will see installers for toolbars, Shockwave games, etc., in there. Sometimes you see malware installers as well. When the O16 entry list becomes so long that it is hard to weed through, I often just recommend chucking them all and starting fresh. Anything that you really need can be downloaded easily the next time you visit the site that uses a DPF, such as Windows Update. This way you can "clean out the trash", so to speak.

    For the R entries, you can tell a user to just chuck 'em all out and reset them manually later. If they want the IE defaults, they can always go to Tools -> Internet Options -> Programs -> Reset Web Settings. This will reset all the search page entries, and give the option of resetting the homepage to MSN. Again, if it is getting complex to weed through them, have the user chuck them all out and start fresh.

    The O4s are registry RUN and RUN SERVICES entries. Many of those are legit, and deleting the wrong ones will disable needed functionality. For instance, if you delete the startup entries for anti-virus software, or printer drivers, etc., you will cause problems. Most of those are repairable by using HJT's "Backups" function to restore them, or by re-installing the software in question.

    HJT version 1.98 also reports two "F" values for system.ini Shell and system.ini: UserInit. In most cases, these should always be:

    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,


    Anything other than that is probably wrong, a reloader or infectant file that is hiding deeper than just in the startup list. Some viruses have been using that trick for a while, but it seems to be popping up more and more in spyware infections too, which is why Merijn included it in HJT 1.98's scans. In a recent example here, a user had a problem with "Web Search Assistant", and his F2 was:

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    "wsaupdater.exe" was the reloader for Web Search Assistant. Removing that entry fixed the problem.

    If you are having trouble with a stubborn infection, and you notice that the user is using v 1.97 of HJT, ask them to upgrade to 1.98, and check those 2 F values.

    Finally, for very stubborn infections, there is also the Generate StartupList Log feature of HJT, located by clicking CONFIG then selecting the MISC tab. By choosing a full log (clicking on both checkboxes) you will get a hugely long text file that shows every single startup entry, from registry entries to Start Menu startups to Task Scheduler items, services, system.ini file entries, and more. It even looks to see if the system has multiple versions of EXPLORER.EXE, which is a trick used by some viruses as well. The startup log is more complex, but can be very useful when needed.

    Cheers,

    Dexter...
  • shwaip (bluffin' with my muffin) Icrontian
    edited July 2004
    What dexter said. ^^

    I dunno if you saw this link, but here's a breakdown of the entries if you haven't seen it yet:
    http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html
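Dexter's checks above (the R, O4 and O16 sections, and the F2 UserInit line that should read C:\WINDOWS\SYSTEM32\Userinit.exe,), as an added Python example; this is not code from the thread or from HijackThis itself. It parses a constructed HJT 1.98-style log excerpt, counts entries per section, flags a UserInit value that is not the system32 userinit.exe, and cross-references any O4 Run entry pointing at the same file, the "reloader plus startup entry" pair Dexter describes. It goes one step beyond the thread by also flagging a second program appended to UserInit after the comma, since that value is a list; it also accepts Explorer.exe as a normal Shell value, not only the empty value quoted above. The hostnames, CLSID and AV product in the sample are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed HJT 1.98-style log excerpt (not a real capture).  The UserInit
# line mirrors the Web Search Assistant case described in the thread; the
# CLSID, hostnames and the AV product name are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [AVGuard] C:\Program Files\ExampleAV\avguard.exe
O4 - HKLM\..\Run: [wsaupdater] C:\Windows\System32\wsaupdater.exe
O16 - DPF: {01234567-89AB-CDEF-0123-456789ABCDEF} (Example Control) - http://dl.example.invalid/control.cab
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# How the thread treats each section.
SECTION_NOTES = {
    "R": "IE start/search page settings: safe to fix, reset manually afterwards",
    "F": "system.ini Shell / UserInit: compare against the defaults",
    "O4": "Run / RunServices startup entries: legit software lives here, fix selectively",
    "O16": "Downloaded Program Files (DPF): installers that re-download on demand",
}


@dataclass
class Entry:
    code: str  # "R0", "F2", "O4", "O16", ...
    body: str  # everything after "<code> - "


def parse_hjt_log(text: str) -> List[Entry]:
    """Return the R/F/O entries of an HJT log in order; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def section_of(code: str) -> str:
    """R0/R1 -> 'R', F0/F2 -> 'F', O4 -> 'O4', O16 -> 'O16'."""
    return code[0] if code[0] in "RF" else code


def summarize(text: str) -> Dict[str, int]:
    """Count entries per section so a long log can be triaged at a glance."""
    counts: Dict[str, int] = {}
    for e in parse_hjt_log(text):
        counts[section_of(e.code)] = counts.get(section_of(e.code), 0) + 1
    return counts


def check_userinit(value: str) -> Optional[str]:
    """Reason string if UserInit is not exactly the system32 userinit.exe.

    The trailing comma is normal.  Generalised beyond the thread: UserInit is a
    comma-separated list, so an appended second program is flagged as well."""
    progs = [p.strip() for p in value.split(",") if p.strip()]
    if len(progs) != 1:
        return f"UserInit runs {len(progs)} programs, expected exactly one: {progs}"
    if not progs[0].lower().endswith(r"\system32\userinit.exe"):
        return f"UserInit points at {progs[0]!r}, not system32\\userinit.exe (possible reloader)"
    return None


def check_shell(value: str) -> Optional[str]:
    """Shell should be empty (as quoted in the thread) or the default Explorer.exe."""
    if value.strip().lower() in ("", "explorer.exe"):
        return None
    return f"Shell is {value.strip()!r}, not empty or Explorer.exe"


def o4_program(body: str) -> Optional[str]:
    """'HKLM\\..\\Run: [Name] C:\\path\\prog.exe' -> 'C:\\path\\prog.exe'."""
    m = re.search(r"\]\s*(.+)$", body)
    return m.group(1).strip() if m else None


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for the entries the thread says to look at."""
    entries = parse_hjt_log(text)
    flagged: List[Tuple[str, str]] = []
    bad_paths = set()  # lower-cased programs named by a bad F line
    for e in entries:
        if section_of(e.code) != "F":
            continue
        key, _, value = e.body.partition("=")
        key = key.split(":")[-1].strip().lower()  # "userinit" or "shell"
        reason = check_userinit(value) if key == "userinit" else (
            check_shell(value) if key == "shell" else None)
        if reason:
            flagged.append((f"{e.code} - {e.body}", reason))
            bad_paths.update(p.strip().lower() for p in value.split(",") if p.strip())
    # An O4 Run entry for the same file is the reloader's companion startup entry.
    for e in entries:
        prog = o4_program(e.body) if e.code == "O4" else None
        if prog and prog.lower() in bad_paths:
            flagged.append((f"{e.code} - {e.body}", "same file as a flagged F entry (reloader + startup pair)"))
    return flagged


if __name__ == "__main__":
    for section, n in summarize(SAMPLE_LOG).items():
        print(f"{section:>3}: {n} entries; {SECTION_NOTES[section]}")
    for line, reason in flag_entries(SAMPLE_LOG):
        print(f"FLAG {line}\n     {reason}")
```

Paste a real log into SAMPLE_LOG (or read it from a file) and the flagged list is what to check first; the summary tells you whether the R and O16 sections are long enough that Dexter's "chuck them all and start fresh" advice applies.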