I'm not lean and mean...

  • Dan
    Digital Video Master
    • Dec 2005
    • 1029

    #31
    I'm not all that familiar with this app, but I noticed I don't have any R0 or R1 entries. Is this a problem? Or, what am I doing wrong?

    Code:
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:26:16 AM, on 6/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\APPLICATIONS\ZIP FILES\HiJackThis_v2.exe
    
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    EDIT

    Okay, this shed some light on things for me. But I'm still not sure if I should have some R0, R1 entries. I'm thinking I shouldn't??

    Explanation of the codes

    R - Registry, StartPage/SearchPage changes

    * R0 - Changed registry value
    * R1 - Created registry value
    * R2 - Created registry key
    * R3 - Created extra registry value where only one should be
    Last edited by Dan; 3 Jun 2007, 08:48 PM.
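
Added example, not part of the thread or of HijackThis itself: a small Python parser for the log format posted above. It counts entries per section code, lists which of the R0-R3 codes from the explanation are absent, and splits the O23 service lines into name, owner and path. The sample log is abridged from the post; the function names and the "Unknown owner" check are assumptions of this example.

```python
import re
from collections import Counter

# Entry lines start with a section code: R0-R3, O2, O4, O23, ...
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# O23 bodies read "Service: <name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+([A-Za-z]:\\.*)$")
# R-code meanings as listed in the post above
R_CODES = {
    "R0": "Changed registry value",
    "R1": "Created registry value",
    "R2": "Created registry key",
    "R3": "Created extra registry value where only one should be",
}

# Abridged from the log posted above; sample input for this example
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
"""


def parse_entries(log_text):
    """Return (code, body) pairs; header and process lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]


def summarize(log_text):
    """Count entries per section, list absent R codes, split out O23 services."""
    entries = parse_entries(log_text)
    counts = Counter(code for code, _ in entries)
    services = [dict(zip(("name", "owner", "path"), m.groups()))
                for code, body in entries
                if code == "O23" and (m := SERVICE_RE.match(body))]
    return {
        "counts": counts,
        "absent_r": [c for c in R_CODES if c not in counts],
        # Services whose owner field reads "Unknown owner": look these up by path
        "unknown_owner": [s["name"] for s in services if s["owner"] == "Unknown owner"],
        "services": services,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
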

    • katzdvd
      Lord of Digital Video
      • Feb 2006
      • 2198

      #32
      for advanced users...

      sudo apt-get remove --purge Windows XP

      ...

      • locoeng
        Who Farted?
        • Dec 2005
        • 2509

        #33
        @Dan

        I think you are good to go...if I'm correct you haven't installed anything that has added itself to or changed your registry.


        "I refuse to have a battle of wits with an unarmed person. It's not fair to you and no challenge for us."
        Walt Kelly

        • Dan
          Digital Video Master
          • Dec 2005
          • 1029

          #34
          Originally Posted by locoeng
          @Dan

          I think you are good to go...if I'm correct you haven't installed anything that has added itself to or changed your registry.
          Thanks loco, I wasn't sure how to read all of the results.

          Once I saw the code explanation it made more sense to me.

          • soup
            Just Trying To Help
            • Nov 2005
            • 7524

            #35
            You probably already know this.

            [ATTACH]13108[/ATTACH]

            [ATTACH]13109[/ATTACH]

            [ATTACH]13110[/ATTACH]

            [ATTACH]13111[/ATTACH]

            [ATTACH]13112[/ATTACH]

            • Chewy
              Super Moderator
              • Nov 2003
              • 18971

              #36
              let me caution anyone reading this thread that hijackthis is like a loaded gun,
              it can be very useful for killing vermin in trained hands but is dangerous in
              untrained hands

              • soup
                Just Trying To Help
                • Nov 2005
                • 7524

                #37
                I totally agree. I personally go by what somebody long ago & far away said, "if you don't know what you are doing, don't do it".

                • Chewy
                  Super Moderator
                  • Nov 2003
                  • 18971

                  #38
                  run spybot/adaware, clean up your startup list, run a virus scan

                  then go to hijackthis and see what shows up, then you might need some speciality tools if you had very bad malware

                  • locoeng
                    Who Farted?
                    • Dec 2005
                    • 2509

                    #39
                    I think the best way to use it is to run it and post the log at a site that specializes in reading them and recommending corrective actions....I had good luck with removing a nasty a year or two ago by posting the log at AD.


                    "I refuse to have a battle of wits with an unarmed person. It's not fair to you and no challenge for us."
                    Walt Kelly

                    • Dan
                      Digital Video Master
                      • Dec 2005
                      • 1029

                      #40
                      Seems most of those R0 R1 entries are IE related, which is likely why I didn't have any show up.

                      Thanks for the pics soup, I have used that part but it's good info.

                      let me caution anyone reading this thread that hijackthis is like a loaded gun,
                      it can be very useful for killing vermin in trained hands but is dangerous in
                      untrained hands
                      Wise words, which is the reason I was being so cautious. It looks like a simple little program on the surface but is anything but.

                      • soup
                        Just Trying To Help
                        • Nov 2005
                        • 7524

                        #41
                        Bleeping Computer is another good site to post the log but they will ask you to do basically what Chewy said before posting it, just maybe not with the same programs.

                        Edit: another good one: http://www.techsupportforum.com/
                        Last edited by soup; 4 Jun 2007, 01:25 AM.

                        • doctorhardware
                          Lord of Digital Video
                          • Dec 2006
                          • 1907

                          #42
                          Also, Trend Micro's HouseCall is a good app to run. There are 5 apps we run at work before Hijackthis is even used. But Chewy is absolutely right, if you don't know what you are doing do not do it or at least save a copy of your registry before making any changes.
                          Star Baby Girl, Born March,1997 Died June 30th 2007 6:35 PM.

                          • katzdvd
                            Lord of Digital Video
                            • Feb 2006
                            • 2198

                            #43
                            let me caution anyone reading this thread that hijackthis is like a loaded gun,
                            it can be very useful for killing vermin in trained hands but is dangerous in
                            untrained hands
                            That's why I stick with spybot/adaware/avg or avast; and I also use trend micro occasionally. Hijackthis looks powerful enough to do some real damage, so I always shied away from it. I suppose I could take the time to learn it more...

                            • soup
                              Just Trying To Help
                              • Nov 2005
                              • 7524

                              #44
                              It's like anything else, it's a good tool in the right hands.

                              • locoeng
                                Who Farted?
                                • Dec 2005
                                • 2509

                                #45
                                I tend not to use any of them...my philosophy is what I don't know won't hurt me.


                                "I refuse to have a battle of wits with an unarmed person. It's not fair to you and no challenge for us."
                                Walt Kelly
