[Kraellin]

well, i've just spent the last two days trying to get rid of a virus, a trojan horse type, Zlob. this was one nasty sucker to get rid of. it hijacked my browser, stuck some 'security' software on my system, and drove me just about nuts for two days.

part of this thing is the 'mssearchnet.exe' file, which embeds itself in the registry, your startup (but hidden in the normal startup areas, so that msconfig cant see it) and some other place. part it was in system 32 of windows and there were several accompanying .dll's and files and other hidden startups.

this tended to remind me of the old protection rackets, where someone approaches you and demands you pay them protection money to protect you from 'someone'. of course the someone is the guy demanding the money, but that always seems to be missed by the racketeers. this virus, being a trojan had managed to install some 'security' software that popped up as a result of my system being infected. of course, they infected me, but now if i'll just go to their site, they'll remove it for me. yeah, right. fat chance there, bud.

i ran hijackthis and it couldnt find it. i ran avg antivirus and it didnt find it. i went to trend micro and ran their online scan. they found parts of it and some other junk, but they couldnt remove all of it, though they thought they had. tech support at my isp helped a tiny bit also, but couldnt do it either. ad-aware saw no part of it at all. win patrol knew something was wrong, but also couldnt correct or block it effectively. i called up 'services' on my machine and found some peculiar and suspicious services running, particularly nvctrl.exe. i killed the service. 2 seconds later it's back. kill it again and the same thing happens. cute, so now i know i've got a loader virus. something is reloading this thing. regedit showed me a tiny bit of it. booting to dos mode i did manage to erase the mssearchnet.exe file and that part didnt come back. i ran cwshredder and it found something, but i forget what. i also found a reference in the registry about mssearchnet.exe and erased that key, but there were others there and erasing those just put them back. so, again, a loader. cute.

continuing, i updated winpatrol to the latest version and also got 'task catcher', another program from those same folks. these could see the parts that were in services, but couldnt kill it all off. i checked for the latest version of ad-aware, but mine was already up to date. i actually tried trend micros again but to no avail.

all in all this thing was a stinker. i had continuous popups from win patrol alerting me that something was trying to load into my browser as a helper object. i always said no. they were .tmp files in the system 32 folder. this thing also kept trying to call home with an NT logon (winlogon) but i just kept telling zone alarm no to that one. i also went to microsoft.com and used their little zapper program (i forget what it's called now) and it found nothing. i also downloaded their 'windows defender ver 2 beta' and installed that. it could also see the errant services but couldnt kill them effectively.

i swear, if i could put my hands on the person's neck that wrote this and distributed it, i'd.... well, you get the point.

little by little i did find enough of this to make some headway, but i was getting quite frustrated. i still had this idiot fake' anti-malware' program stuck in my system tray, popping up with an alert every 2 minutes. shortly after that i'd get win patrol telling me something was trying to load into my system. you see what was happening here? the 'security program' was loading the virus and trying to bring in friends from the net.

so, having managed to get rid of some of this thing, i was finally getting frustrated and desparate enough to do one of two things, either try a system restore point or call up my full backup of the c: drive had been updated a week ago (thankfully). so, i decided that i'd try system restore first. if that didnt work, call up the backup and replace the entire c: drive.

i knew roughly when i had contracted this thing, as odd things had started to happen shortly thereafter, so i opted for a system restore checkpoint from before that point in time. i ran the system restore and crossed my fingers. i was expecting the worst, that not only would i still have this thing, but that it would infect the restore point somehow. remarkably, the system restore seems to have worked! that's twice now it's saved my bu..bacon. now, i'm fairly sure some or all of those nasty files are still on my system. but because the registry is restored to an older point, all the links are killed to activate this junk! and that's probably the only reason the system restore worked. and amen to that!

and, since i know the names of some of these files, i can now go through and erase them, since they are no longer 'active', open files that cant be deleted in a normal fashion.

like i said, the system restore wiped the links to this piece of malicious garbage, but it also wiped everything installed after that point that i wanted, like the updated winpatrol and task catcher and windows defender. lol. but that's a small price to pay at this point.

this virus is rated 'low' by most sites, but i think they've underrated it. the potential for damage here is quite large. ANY trojan is potentially lethal to a system, since the trojan is like the trojan horse of old; it can carry nasty attackers inside and call for reinforcements.

so, i'm sorry for scaring anyone i might have, but i'm also not sorry for the same thing in that these things are real and you pretty much need a trojan (condom) on your system to catch a trojan surf safe, folks!

craig

[lkroll]

Just don't click anything with SpySheriff. Though these suckers keep me in business, I dispise having to do this work. I'm currenting running 70% success rate at removing virus/spyware on customers' machines (meaning I have to make Phoenix's out of the others). Still costs the customers a lot of dough to get their machines cleaned. System restore (for other reasons) have saved my bacon too, but nothing replaces a good backup. Then you can always re-install the OS (though you may have to give Uncle Bill a call to reactive Windows ). Sorry for you woes Craig, but welcome back to the living. If you have another PC, the best way to remove viruses is to first do an external scan using the other PC. Then place the harddrive back into your main system and boot into Safe Mode with Networking. After you run the virus scans (TrendMicro, Etrust, and, believe it or not, Microsoft have some pretty good web-based scanners; TrendMicro sometimes have problems running in safemode though) from safemode, run Hijaakthis to see and remove any suspicious BHO's and startup programs. Then pray for the best when you boot into regular mode. That's pretty much what I do for my customers. Sometimes too, a system repair fixes issues as well, but most of the time it does not unless you removed all traces of the virus first. Usually, I have no choice but to do registry hacks as well. Man, I much prefer doing new builds or hardware repair as opposed to Virus/Spyware removal, but over 80% of what I do involves removing infestations.

Forgot to add, that you need to take ownership of you System Volume Information folder so that you can remove viruses stored here too (normally, this folder is locked; Home Edition makes it a little more difficult, but it can be done in Safemode for sure).

[Gary Richardson]

Hi Craig,

Zlob (Zolob) is a version of Smitfraud, and is relatively easy to remove if approached correctly (needs special tool(s)). Lots of versions, depending on which "Security Program" it foists onto you.

Wish you'd posted a HJT log, could have got you up and running in no time.

It might be a good idea if you posted a HJT log so I can see if there's any residual infection left.

[Ziaphra]

My daughter has this on her computer too! I have run both adware and spyware and got rid of alot of other stuff but these pop ups are still coming...so I will be watching this thread...

I also have a problem where when you start up her computer it says 'NTDLR is missing...press ctrl+alt+del to start'. I have tried changing the boot sequence to no avail...what I did eventually was copy the NTLDR and ntdetect.com files from my computer onto floppy, then change the boot sequence to start at a: and that seems to force her computer to find the correct boot.ini file and boot up correctly. If anyone knows how to stop this from happening as we can't keep booting up like that! (I will eventually figure it out but would be eternally grateful for an 'inside track'!)

[NancyJ]

For removal instructions just google for zlob. There is a lot of info out there about it.

Ofcourse the best solution is to not get infected at all Dont use IE unless absolutely necessary. Firefox and Opera (and Safari for mac) are all much safer browsers, partially because they're not integrated into the OS and partially because as less common browsers they're less likely to be attacked.
I also highly recommond spybot search and destroy with teatimer, spybot S&D has a browser immunisation feature that currently protects against over 8k known bad products.
Teatimer is a nice little app that notifies you any time a program attempts to change your registry - very useful early detection of attempted attacks.

[Gary Richardson]

hi Ziaphra,

For problems with most of the Smitfraud variants, try http://malwareremoval.com/plog/index...Id=85&blogId=3

Follow the instructions there, if any problems after that, post a HJT log in the forums at www.malwareremoval.com

I help out at that forum, or at www.spywarewarrior.com

[Ziaphra]

Thanx so much...will do and update.

[Gary Richardson]

You're welcome.

Which OS are you using with the NTLDR problem ?

[Ziaphra]

It's Windows XP Pro.

[CJ Swartz]

Saturday evening I was just getting ready to quit checking out my forums and go to bed, but got a message from WinPatrol -- msoff.exe wanted to add itself to my startup -- was that okay? I hadn't installed any new software or made any changes to old software, so I knew that there was no good reason for the request, but thought it might be okay since it looked like it might be some Microsoft "thing" (ms-something). I told Scotty (WinPatrol's guardian) NOT to allow it while I looked it up on google... results:

Filename: msoff.exe
Command: C:\Windows\System32\msoff.exe

Description: Added by the Troj/Raker-C Trojan backdoor. This infection will also attempt to steal your online banking information from certain online banks.

And found this - which is either part of the above, or a separate infection.
Trojan.Renver is a Trojan horse that steals confidential information.
C:/documents and settings/all users/Documents/settings/ rvnkey_a, _b, _f, _v.dat

According to Symantec -- When Trojan.Renver is executed, it performs the following actions:

1. Copies itself as the following file: %System%\msoff.exe

2. Creates the following file:
%UserProfile%\Local Settings\Temp\[RANDOM].tmp
3. Adds the value: "Microsoft Office" = "%System%\msoff.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.

4. Creates instances of the following processes and injects it's code into those processes: * svchost.exe * lsass.exe

5. Gathers username and password information from the following file:
wcx_ftp.ini.

6. Gathers email server and username information by querying registry entries:
7. Gathers Protected Storage passwords.
8. Saves the information in the following files:

* %UserProfile%\All Users\Documents\Settings\desktop.ini
* %UserProfile%\All Users\Documents\Settings\rvnverps
* %UserProfile%\All Users\Documents\Settings\rvnver_a.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_b.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_f.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_v.dat

9. Sends the information to the following domain: winsoftwareupdate.org

I had just switched over to Firefox from IE due to the vulnerability (and no fix offered till April 12), my AVG didn't find it, online scan by Trend Micro didn't find it, but an online scan by PCTools Spyware Doctor found and listed the whereabouts of several files -- but wouldn't eliminate them unless I bought their software. While I was learning where all the bad stuff was hiding, WinPatrol would keep going off asking about "MSoff.exe wanting to be added to my startup", I'd keep eliminating it from the Registry, and it would keep being added back by some part of the trojan still resident on my system. I had turned off system restore until I tracked down all the parts of the trojan that I and Spyware Doctor could find, then ran the Doctor again and ran Spy Sweeper since I use their Window Washer software and decided that I would buy their product over Spyware Doctor since it's rated well. I spent hours, but at last Scotty was no longer barking at "msoff.exe", it was no longer loading into my registry, the .dat and .ini files were gone and hadn't returned, and none of my scans were finding anything -- BUT then some of them had NEVER found anything to begin with!!

I use safe practices -- have avoided emails with phishing links/trojans/viruses, but somewhere on the web that was deemed safe by my security controls -- something attacked me from behind -- IF Scotty the WinPatrol watchdog hadn't barked in time, I could have lost a lot. My info may have been gathered by the trojan even though I found it -- I've changed passwords again to hopefully add some protection in case they got my bank account number, etc.
I don't like to hate people, but I am NOT happy with people who have nothing better to do than sneak around trying to steal from me.

[Kraellin]

gary,

trust me, i thought about coming here and posting, but pride or sheer stubbornness at wanting to 'handle my own problems' i guess kept me from doing so. i like to think i can handle my own system. i cant, really; not all the time, but i always like to try first. but trust me, i did think about you in particular

here is a log of hjt as it currently stands. i made this immediately after running the restore point:

Logfile of HijackThis v1.97.7
Scan saved at 12:11:04 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe * ati card
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe *inCD cd burning
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe * ati card
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe *could be norton ghost or old norton anti virus
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe * also ghost or anti virus
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe * i forget at the moment, but i know this is ok.
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe * phone answering machine on the computer.
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe * virtual machine i installed
C:\Program Files\Common Files\VMware\VMware Virtual Image
Editing\vmount2.exe * also virtual machine
C:\WINDOWS\system32\vmnat.exe *virtual machine
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe *virtual machine
C:\WINDOWS\system32\BRMFRSMG.EXE *brother printer
C:\Program Files\BroadJump\Client Foundation\CFD.exe * broadband
C:\WINDOWS\System32\hphmon05.exe *hewlett packard printer
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\MXOALDR.EXE * external harddrive ...usb type.
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe * abyss web server
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
P:\Program Files\Abyss Web Server\abyssws.exe *abyss
C:\WINDOWS\System32\HPZipm12.exe
J:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src");
*** normally, the former would have been mozilla, but during the validation process on microsoft, i tried to use netscape because mozilla wasnt working for this. and i.e. was so screwed up at the time i didnt want to ever try with that.
(C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll * voice activated speech/typing/computer control.
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\FlashGet\VERSIO~2\FlashGet\jccatch.dll * fast downloader
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm *the trial version of neo trace
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM) *really not needed.
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136317380093
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23

most all of this i understand. the ones i'm a bit unsure of are the smss, lsass in the running processes and the last line with the name server. if i kill that last one, i'll lose my internet connection, though.

craig

edit: hmmm, i better edit that a bit to show what some things are.

[Ziaphra]

Both the lsass and smss are ok...I know this from having to 'hijack this' my own computer some time ago.

[Kraellin]

hehe, you guys have to understand here, that i didnt know it was a trojan to begin with. so, looking up 'zlob' was not an option. not at first, anyways. it wasnt till quite a ways into this process that i even found out it was zlob. what i first got was a 'NT logon' request by zone alarm and then this 'security' popup that i knew i hadnt installed; at least not on purpose. i then noticed a new icon on my desktop, the 'security' one.

this all occurred right before my weekly backup routine...the same day and when i first saw it i was about to leave for work. i was also getting a win patrol request. i ran hijack this and found nothing really odd to begin with. i tried to kill the new 'security' thing in my systray, but couldnt.

when i got home from work, with the computer running while i was away, i found more 'alerts' from win patrol stacked up and a popup ad on my desktop for some casino or something. that's when i got mad and knew for sure i was infected. i ran adaware and it came up blank. i deleted that 'name server' item in hijack this and promptly lost my internet lookup. i called my isp to see if there was an outage, thinking that that name server thing was a hijack and not needed.... lol. wasnt thinking straight at that point. they tried to help and i did some lookups on 'mssearchnet.exe' and told me it was definitely a trojan on the bad lists. after that things sort of get blurry. i ran a whole lot of checks and fixes and probably not in the right order. in all fairness to trend micro, i had already wiped out part of this thing, so their detection might have been dependent on those things i wiped and subsequently their detection couldnt see it to remove it. they did find about 24 other things, however, including about 20 java viruses which i hadnt even suspected were there and might have been there for a long time.

so, in my obstinate, prideful, pissed-off mood, i was probably hindering the helps that would have handled this. lol. go figure.

at any rate, it seems to be gone, or at least inactive/dormant. like i say, the restore point seemed to have killed any existing links to make the thing active and removed the registry entries that were keeping it alive.

i've, if nothing else, learned a bit more about where some of these things get hidden and what they use to run hidden startup stuff. i've also learned to alter my surfing practices a bit and to add more protection.

nancyj,
i like that teatimer idea. great idea. i have an api monitor program but never use it because it tends to be a system hog, but the teatimer sounds like just the right item. it's those things that get into the hidden start locations that kill you.

also, folks shld know that a lot of current viruses dont just load a virus, they also load a reloader. the reloader will restart the virus if you manage to kill it. these are often in the form of hidden .dll's (library files). so, you have to also find and kill the .dll.

and cj,
yes, mine was doing almost the exact same things. i couldnt live without Scotty! and now that i've killed the links/registry, i need to go back again and reinstall the new good old scotty. i'm still on version 5.x.x now that i used the restore point. and i need to re-install task catcher too.... and windows defender. lol. wiped out the good with the bad. kill em all and sort it out later

craig

[Kraellin]

oh, and here's another idea for anyone that wants TRULY impervious protection while surfing.... vmware! this is a 100% foolproof method of NEVER getting infected...NEVER! (yeah, never say never and i'm sure it could be cracked, but ok).

vmware stands for virtual machine software. you may have seen me make mention of it in my hijackthis log posted above. vmware is a virtual machine within windows. it basically runs as a module inside of windows, but isnt windows. it is its own operating system operating as a sort of shell within windows.

for those that remember the days when you loaded the o/s from a floppy disk into the machine at startup, this is somewhat the same thing. when you start vmware it creates a new o/s within your o/s. in fact, it can create any o/s you want, if you have that module. so, you could run windows within windows, linux within windows, mac within windows (when they finish that module. it's not quite ready yet) and so on. it comes with browsers and modules and is currently free.

the way this works is, you run the vmware, run their browser within vmware and surf to your heart's content. you could pick up 50 trojans, worms, etc, etc and it wouldnt matter. once you kill the vmware module, EVERY PART OF I DISAPPEARS FOR GOOD! when you start a new vmware module it's like loading the o/s from a floppy again. it's completely new. so, you can 'never' get infected.

the way it was explained to me was, it creates a virtual harddrive when you load the vmware. this harddrive has an o/s on it. when you exit the module, the drive is wiped...gone....poof! so, no infection can remain.

you might wonder why you would need such a thing as vmware. i mean, it seems a bit much for anti-virus protection. and, it will slow your machine down a bit. you wont be playing any multiplayer shooters with it, trust me on that one but, it's not so slow that you cant surf in a fairly normal manner.

this technology came about from a need within updating and restoring systems. if a company is running 50 computers all using vmware and they all crashed, got infected or just plain quit for some reason, restoring these computers is a breeze. it's also highly transportable. make a copy of your vmware module at the corporate office and you can simply ship out copies to your remote locations and they simply pop them into their systems and they're running.

i dont really know a lot abotu it. my brother in law uses it and i found it interesting and downloaded and installed a version for surfing. and that's another thing. with these modules you can customize them for certain things. there is a windows module, a linux module, a basic surfing module and so on. so, if you had 20 employees on computers and didnt want them to be able to access the internet, you simply put modules on their machines that cant surf. simple.

it has more uses, i'm sure, and i've only installed it and used it once, so like i say, i really know little about it, but i do recall talking to my brother in law and that he recommended it as THE safest way to surf the web.

a google shld turn up what you need if you want to give it a shot. there is an official site and it shld turn up near the top of a google search.

oh, and one last thought on this... it might also make the perfect web server for your web pages. you make your base module, store a copy and always have that backup if something goes crazy on your server.

craig

[Gary Richardson]

Hi Craig,

You are using an outdated version of HijackThis.

Please download the latest version from Here to a location on your computer where you can find it.

We recommend you create a New Folder C:\Hijack This

Before your first scan, we need to check the configuration.

• Click on the Config button in the bottom right hand corner.
• Now confirm the following are checked.
  • Make backups before fixing items.
  • Confirm fixing & ignoring of items (safe mode).
  • Include list of running processes in logfiles.
• The other items should be unchecked.
• Click the Back button to return to the Scan page.

Now run a scan, and send me a new log please.


Sorry about the "canned" speech, it's the easiest way to give you the info.

Your version of HJT does not scan all the areas that the newer version does, therefore vital info is missing.

Don't add any comments to the new log, as it causes problems for some of my semi-automated log checking. (I have a program that checks lines on your log against a database of "Good" lines that I've compiled, and marks them on your log). For the rest, I have access to a large database of valid and invalid processes, and rarely find any that I can't get info on. (I'll ask you about any I can't find).