I have used Adaware, Spybot, CW Shredder and found nothing strange. I also used Window Washer. I had also used Hijack This and didn't find anything strange. But today I updated to Hijack This version v1.97.7 and I got three items I've never seen before. I read on some forums that "FO" items should be deleted. However, even after I click on the items, press delete, delete the backups and then clean out my recycle bin, the "FO" items are still there when I scan again. Why would that be? I am pasting my Hijack This log below.
Logfile of HijackThis v1.97.7
Scan saved at 7:35:28 PM, on 12/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe
F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Bookmarks] C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe /S
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.3667013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I've done a bit of surfing on the Net since I posted the above Hijack This log. I couldn't find anything in English that mentioned this. But I found something on a Japanese website saying the "FO" entries are a bug in the latest HijackThis version. This is the URL:
higaitaisaku.web.infoseek.co.jp/htkaiseki.html
Can anyone confirm this? Basically the above site claims that it is just a bug and that for some reason the entries can't be deleted.
By the way, thanks in advance for your help. I really enjoy these forums.
KR

KR,
I've sent away to get some kind of official word on this. The bug reports may be true, and time will tell on that point. As soon as I hear something on this, I'll post it here.
May I ask if there are any apparent problems or unusual symptoms that you have noticed?
iceblue

>As soon as I hear something on this, I'll post it here.
Iceblue,
Thank you very much for your reply. I'm looking forward to hearing what the official word might be. Please post the information as it becomes available.
>May I ask if there are any apparent problems or unusual symptoms that you have noticed?
Actually, nothing that I can see. I had just done a scan before with the previous version of Hijackthis and nothing unusual was in the log. Then I updated to v 1.97 and the extra entries appeared.
Just want to make sure everything is okay.
Again, thank you and thank you in advance of the upcoming information.
KR

KR,
Glad to help and it's an interesting topic.
A couple of items to be checked on: It may be possible that it's a bad read from the installation earlier today. There was a thought that the language/character set used may not be able to be read by HijackThis.
ie. Some non western character sets cannot be read correctly by Hijack this, giving the sort of entry seen here. Could I get you to run a check on the language script and language preference in your browser settings? It may eliminate this as a cause..

>Could I get you to run a check on the language script and language preference in your browser settings? It may eliminate this as a cause..
I have English and Japanese languages set on my browser. I also have Eastern Asian Fonts and right to left Middle Eastern fonts installed on my XP. The OS is English. I have the computer set to read all non Unicode Japanese fonts as well. I was thinking somehow these Hijackthis "FO" entries might have to do with the Japanese language input. It is interesting that the previous version didn't have a problem with them. By the way, before I posted the first post, I uninstalled and installed Hijackthis 1.97 twice before downloading the one in my computer now because I thought the download might not have gone well. But the results were the same each time.
If you need any other specifics, just let me know. Thanks again.
KR

KR,
This could well be the main factor in creating these F0 entries and in their inability to be removed.
I have seen these exact entries in another log with v1.97.5 on their system, and in that instance, both English and Japanese languages were on the browser settings.
This may well get cleared up completely when news comes through, but that may not be until at least tomorrow.
In the meantime try disabling extra languages and fonts temporarily - pare it back to a latin based minimum - and rescan with HjT to see if those F0 entries pop up.
More news on this when it comes to hand...
iceblue

>In the meantime try disabling extra languages and fonts temporarily - pare it back to a latin based minimum - and rescan with HjT to see if those F0 entries pop up.
Iceblue,
I will try that. I did try disabling them in the browser alone, but the entries were still there even after doing that. Quite the little puzzle. Hopefully, the official news will make things a bit clearer.
Again, thanks for the assistance. I will check back here again later on.
Take care,
KR

Someone will correct me if I'm wrong [I hope!], but I was always under the impression that if you had to delete something in HijackThis that the changes wouldn't take effect until after you've rebooted your computer. Your post didn't say if you did that or not.
So my advice is to run the HijackThis, delete the FO's from there and your recycle bin, reboot and run HijackThis again. Let us know if this does anything. If not, then we'll know I'm wrong.
Teesa

I noticed a reference - though garbled - to "System.ini" in the hijack log. It could be that HijackThis! doesn't correct .ini files. If there is an entry added to "Shell=Explorer.exe" in the system.ini, it could start whatever executable that's been left behind (maybe disguised). There should be nothing after "Shell=Explorer.exe". If HijackThis! doesn't delete a registry entry, I found from experimenting that if you hunt down the .dll reported and delete it, then run Hijack again, it will sometimes report "Broken Internet" because the .dll is missing. Run Hijack again and it will fix that, then the problem is solved. Some of these things have so many hooks in the registry that they're hard to get rid of.

Hi Mark,
Good comment.
All things being equal, HjT will fix bad .ini entries and even separates them into 2 distinct categories to sort them with a little more ease.
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
Basically anything beginning with "F0" is bad and should be fixed. F1 entries can be good or bad. >> HjT tech tute at http://hjt.wizardsofwebsites.com/#f
It was the identical garbling of the F0 entries to elsewhere in the world, particularly Japan, and the identical inability to delete the garbled F0’s, that indicated the fairly boring ‘system conflict’ rather than system hijack.
HjT has been designed to categorise the ‘many hooks in the registry’, but as you say, sometimes the malware is embedded so deeply that deletion and fix is necessary. These cases are the exception rather than the rule. Sometimes the system is unrecoverable; but that appears to be quite infrequent – most cases are fairly lightweight although incredibly annoying. Perhaps we don’t hear back from many of the unresolvable cases.
You seem to know your way around the HjT logs well enough…care to do some helping in the forum in your spare time? There always seems to be plenty of posts that need some attention!
Thanks for your input on this one, and I’m sure there will be some more word on this yet.
iceblue

Hello everyone,
I'm back.
Quote from Teesa>So my advice is to run the HijackThis, delete the FO's from there and your recycle bin, reboot and run HijackThis again. Let us know if this does anything. If not, then we'll know I'm wrong.
Hi, Teesa. Thanks. Yes, the entries are still there upon reboot. I should have mentioned that.
Quote from Mark>If there is an entry added to "Shell=Explorer.exe" in the system.ini, it could start whatever executable that's been left behind (maybe disguised).
Hello Mark,
I checked my registry using regedit and I can't seem to find the shell=Explorer.exe that you are referring to. I even did a search of the computer and could not find it. So, I am not sure whether there is anything typed after it.
>I found from experimenting that if you hunt down the .dll reported and delete it, then run Hijack again, it will sometimes report "Broken Internet" because the .dll is missing.
Which dll should I be looking for? I didn't notice any strange dll's.
Iceblue quote>F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
Basically anything beginning with "F0" is bad and should be fixed. F1 entries can be good or bad. >> HjT tech tute at http://hjt.wizardsofwebsites.com/#f
Hi Iceblue,
Actually, that is the information that got me a bit spooked although I don't seem to have a problem at all. Then I found the Japanese site which said it was a bug.
Ladies and Gentlemen,
Where specifically should I be looking for problems? I have done searches on my computer of the three strange entries. But just came up with these webpages which have been stored on my computer.
Thanks again for all the help.
KR

>In the meantime try disabling extra languages and fonts temporarily - pare it back to a latin based minimum - and rescan with HjT to see if those F0 entries pop up.
Iceblue,
I just now changed the non-unicode characters back to English as opposed to Japanese and the FO entries are now gone as evidenced by the below HijackThis log. Interesting, somehow HijackThis sees the converted non-unicode characters as a problem. I wonder if this is a bug or just an intended function that gets confused when non-English characters are involved. Anyway, my assumption is that everything is okay with my log now. Would anyone care to confirm that for me?
Again thank you to Teesa, Mark and Iceblue. You have been very kind indeed!
KR
p.s. Here is the newest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 11:16:02 AM, on 12/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\CTFMON.exe
C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/hp.adp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Bookmarks] C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe /S
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.3667013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for all your input, KR.
You actually did all the hard work,
and deserve lots of credits.
Well Done.

Nice job iceblue, quote from you.
"There always seems to be plenty of posts that need some attention!"
I say we invite more log readers, or
send them to the hijackthis forums.
Just wait till Christmas, think about
all the unprotected new computers
that will be online.

"Ouch" to the Xmas onslaught of 'holiday' virus.
Umm, I can see you've been to the aaah ..resort ..heh heh bit different here at the coalface....invite some, yes, or kidnap them in a xmas stocking and release them here in the forum....like little elves running around 24/7... works for me...lol...thanks for your thoughts and have a lovely chrissie....
iceblue

Hi all,
Just wanted to say thanks again to everyone for all your input. It made finding the solution so much easier.
Iceblue,
Thanks for rechecking my new HJT Log. Glad to hear it's okay!
Happy Holidays and Happy Trouble-Free Computing!
KR

Since there aren't nearly enough responses posted here, I thought I would add one more.
The "Shell=Explorer.exe" is in the system.ini file, but not, by default, in Xp.
In 9x, it's under [Boot]. Virus writers are using it more and more as their startup, e.g., "Shell=Explorer.exe maliciousfile.exe"
They also use "run=" and "load=" in the win.ini file.
Until now, I wasn't sure if it would work by adding those entries to the Xp.ini's, but I experimented - ironically with hijackthis.exe - and couldn't make it start. Of course, I haven't researched it real well. Since I deal with a large number of computers, 9X/XP/2000/NT, I usually look for a sort of shotgun approach to problems.
This is the way a forum is supposed to work. In all of these responses, not one person insulted anyone's intelligence. Everyone thought and studied and we're all better because of it. May you all escape Santa's wrath. (Oh, wrong forum.)

nodsnods
That's good research. The guys at SWI & Tom Coyote would be able to chat with you on this, particularly re: the XP.ini/HjT connection - look for Mosaic1 or mjc1 - it's right up their alley. Let's hope the virus writers leave the XP.inis alone, but that's wishful thinking, I guess.
iceblue

While researching unrelated viruses, I found the Xp equivalent of the System.ini start method.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
Anything added after Explorer.exe will start on login. A simple reg file will rewrite anything there, effectively removing it, e.g.
-------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
-------
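
An added example, not part of the original thread: before overwriting anything, the same autostart settings the posts above name (system.ini [boot] Shell=, win.ini run=/load=, and the Winlogon "Shell" value) can be checked offline from copies of the .ini files and a regedit export of the Winlogon key. The function names and sample inputs are constructed for illustration; regedit v5.00 exports are UTF-16, so decode the file before passing its text in.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Start of a Shell value that is only Explorer, bare or under the Windows directory.
EXPLORER = re.compile(r'^"?(?:%SystemRoot%\\|%windir%\\|[a-z]:\\windows\\)?explorer\.exe"?', re.I)
# (file, section, key) autostart settings named in the thread, lower-cased.
INI_KEYS = {("system.ini", "boot", "shell"),
            ("win.ini", "windows", "run"), ("win.ini", "windows", "load")}

# Constructed sample inputs (not taken from any real machine).
SAMPLE_SYSTEM_INI = "[boot]\nShell=Explorer.exe maliciousfile.exe\n[386Enh]\ndevice=*vpd\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=example.exe\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''


def shell_extras(value):
    """Return whatever a Shell value would launch besides Explorer ('' if nothing)."""
    v = value.strip()
    m = EXPLORER.match(v)
    if not m:
        return v  # empty value, or the shell was replaced outright
    return v[m.end():].strip(" ,")


def audit_ini(name, text):
    """Return (file, key, extra) for each autostart key that launches something extra."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if (name.lower(), section, key.lower()) not in INI_KEYS:
                continue
            extra = shell_extras(value) if key.lower() == "shell" else value
            if extra:
                findings.append((name, key, extra))
    return findings


def audit_reg_export(text):
    """Check the Winlogon "Shell" value in the text of a .reg export."""
    findings, in_key = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON.lower()
        elif in_key:
            m = re.match(r'^"Shell"="(.*)"$', line, re.I)
            if m:
                value = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
                extra = shell_extras(value)
                if extra:
                    findings.append(("Winlogon", "Shell", extra))
    return findings


if __name__ == "__main__":
    print(audit_ini("system.ini", SAMPLE_SYSTEM_INI) + audit_ini("win.ini", SAMPLE_WIN_INI))
```

An empty result means nothing beyond Explorer.exe is configured in those locations; any tuple returned names the file, the key and the extra command to investigate.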
