hijackthis vs combofix


joel2007

I'm pretty new to hijackthis and combofix.
My question is: if hijackthis log looks fine, should I also try to run combofix?
This thread has given me so many questions click here to see the thread.
As you can see, the hijackthis log looks fine, and Malwarebytes' Anti-Malware did not find any infection. When he ran combofix, it did remove some nasty stuff.
I'm very confused right now.
Is combofix compatible with 64 bit OS?
Do you know where I can study more about combofix log?
:(

Thank you.
 
According to this - no, combofix is not compatible with 64-bit. Are you saying you were successful in running it on a 64-bit OS? Edit: that link is for Vista; if you have XP or 7, then Spyware Asylum.
 
According to this - no, combofix is not compatible with 64-bit. Are you saying you were successful in running it on a 64-bit OS?

I did try to run combofix on a 64-bit OS, but it does not run.
As you can see in the link to the thread I posted above, the hijackthis log looks fine. When he ran combofix, combofix found some nasty stuff.
Is it safe to trust the hijackthis log? I'm asking this because a 64-bit OS can't run combofix.
 
Hijackthis Logs

The first section, R0 and the like, is what your default pages are set to. Make sure that you recognize any site that is listed in that section. If it's not from Microsoft, and you don't know what it is, remove it.

The next, O1, means that auto.search.msn.com is hijacked courtesy of an entry in your HOSTS file. This means that when your computer tries to use the above site, it is redirected towards a malicious site that may cause some sites not to appear, fake sites to appear, or perhaps just redirect all your traffic through some advertising agent. Remove it.

O2 is the section that I pay very close attention to. BHOs are great, if they're good. Browser Helper Objects can also be malicious items as well. ANYTHING in this section that you don't EXPRESSLY recognize you should remove. It will be fairly obvious what you will remember, and what you won't. If you're in doubt, then just remove it. If it is something you want, it'll be easy enough to get back. For instance, look at the above pic. In the O2 section you see 2 entries. AcroIEHlprObj Class is up there. If you pay attention to its path, which is shown after it, you can see that it is part of Adobe Acrobat. I read PDFs all the time, so that BHO is OK. The next one says Google Toolbar Helper. That's pretty self-explanatory, and since I have the Google Toolbar, it's even more obvious. Like I said, if you don't recognize what it is, remove it.

O3 has the information for the toolbars. In the entry above, you see the name &Google. Also in the path after it you can see that it comes from the Google directory, and that the file is even named googletoolbar1. This section is yet another example of "if you don't recognize it, then remove it." Toolbars are also another common thing for adware to add to your system in the guise of being helpful. Anything that looks randomly named is bad 99.9% of the time. If it feels funky, whack it.

O4 is now getting into the startup section of the system. Yes, you could remove every single entry here and your system would likely boot just fine. You don't need anything in your startup most of the time for the system to load, but handy little programs like your antivirus software as well as your printer drivers, pocket PC program, messengers, etc. all load in the startup. You'll definitely want to be more careful in this section, but it is also the one you will want to scrutinize the very most. Just look through the items and see if all of it rings a bell. Most of it should. Even if the executable file itself looks confusing, the path will often tell you what it is. WCESCOMM.EXE isn't terribly descriptive, but if you look above you can see that the path is Microsoft ActiveSync. Obviously it's for my Dell Axim. In this section, what I usually do is this: Remove everything you know to be bad. ANYTHING that loads out of a temporary directory. NO legit program would reside in any temp directory, so you'll definitely want to kill that. As for the items that you're not so sure about, I usually use MSCONFIG to disable those. That way if it turns out that you need it, it's easy enough to get back. So, in summary, remove any obviously bad items. The ones you're not sure about, use MSConfig to disable.

O8 Extra context menu item. Now we're to a section that isn't all that dangerous. Even if you accidentally left a bad spyware item behind, it wouldn't much matter. You would only activate it if you clicked on that particular extra item. I usually clean up most entries here, simply because you don't really need them, and I'm a bit of a minimalist. Same rules apply here too though, just make sure it's something you recognize.

O9 Almost the same thing as the extra menu item, only this actually adds a button to IE's toolbar. Scrutinize this a bit better than the O8 items, simply because it's easier to accidentally click a button that's always readily available.

O16 Keep an eye on this one. DPF, or Downloaded Program Files, are stored in the Windows base folder and hold misc. programs from the internet. They are loaded when IE is (like a BHO), so there is a strong possibility that some malware has put itself there.

O20 The AppInit_DLLs section. I've NEVER seen a legit use of the AppInit_DLLs key. Ever. This key loads the DLL specified in it every time a program is opened. If you see an entry here it is almost definitely spyware.

O23 is for services. Norton registers services, my ATi video card has a couple, etc. Services load very similarly to the entries in the O4 section, so scrutinize it carefully. It's a favorite hiding spot for viruses, because services don't show up in most startup configuration programs. Even in MSConfig you have to specifically select the Services tab.

I haven't gone through every single type of entry available with HijackThis, because there are tons and it's impossible to describe every situation. Keep in mind that not everything that HJT displays is bad. In fact, most of it is good (most of the time). Just keep in mind the rule of thumb: if you don't recognize the entry, or some part of it, you probably should remove it. Also keep in mind that what you scan usually shouldn't be much longer than this. They all vary in length, but that's a fairly average one.

If you're still intimidated by the results displayed, then you can always save a logfile and post it on a forum for some people to analyze for you. After the scan, just click the 'Save Log' button on the bottom left. Save the txt file and post its contents on a forum somewhere.

If you think you've removed an item you shouldn't, worry not. HijackThis creates backups of everything that it removes.

Combofix Logs

This line shows what files/folders were created between the 2 supplied dates. It's up to you to decide what is good and what is bad; this is purely diagnostic.

Each section is separated by what it does, looks for, or removes.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((((((( SnapShot@2009-10-29_00.33.01 )))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
**************************************************************************

This one is important:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

as well as this for Rootkits, etc.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-28 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


When you see this below, Combofix found and removed infections it was designed to remove.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ed\Application Data\inst.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Data
c:\windows\system32\dumphive.exe
c:\windows\system32\E95THK16.EXE
c:\windows\system32\encapi32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe


Most of the Combofix log is for diagnostics; it does, however, actually remove spyware.

One program will find what another program won't. Just because you run Malwarebytes and it comes back clean doesn't mean your system is clean, and vice versa. Sometimes Malwarebytes can't remove an infection, so I instruct members to run Combofix and then Malwarebytes, because Combofix "breaks down the infection or parts of it" so then Malwarebytes can remove the rest.

Just look over all the logs on here and start taking notes. This is just a short description of what both these tools can do.
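As an added example (not code from anyone in this thread), here is a small Python triage script that applies the rules of thumb from the post above to HijackThis-style log lines: O1 and O20 entries are flagged for removal, O2/O3 entries are kept only when their path is expressly recognised, O4 entries loading from a temp directory are flagged, and everything else is marked for review. The sample lines, CLSIDs, file names and the "recognised vendor" list are constructed for this example and are not from the thread.

```python
import re

# Constructed sample HijackThis log lines (not from the thread); the CLSIDs,
# file names and host address are made up for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 192.0.2.10 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\system32\xk3jd9.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [svchots] C:\DOCUME~1\Ed\LOCALS~1\Temp\svchots.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\hook32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "temporary internet files")
# Vendor directories the reader "expressly recognises" (assumed list for this example).
RECOGNISED = ("\\program files\\adobe\\", "\\program files\\google\\",
              "\\program files\\microsoft activesync\\")


def triage(log_text, recognised=RECOGNISED):
    """Apply the post's rules of thumb to each HJT line.
    Returns (section, verdict, entry) tuples; verdict is REMOVE, OK or REVIEW."""
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # skip headers, blanks and non-entry lines
        section, entry = m.groups()
        low = entry.lower()
        known = any(v in low for v in recognised)
        if section in ("O1", "O20"):      # HOSTS hijack / AppInit_DLLs: always remove
            verdict = "REMOVE"
        elif section in ("O2", "O3"):     # BHOs and toolbars: remove unless recognised
            verdict = "OK" if known else "REMOVE"
        elif section == "O4":             # startup: temp-dir loaders go, rest is disable/review
            if any(t in low for t in TEMP_DIRS):
                verdict = "REMOVE"
            else:
                verdict = "OK" if known else "REVIEW"
        else:                             # R0, O23 and the rest: scrutinise by hand
            verdict = "OK" if (section == "O23" and known) else "REVIEW"
        results.append((section, verdict, entry))
    return results


if __name__ == "__main__":
    for section, verdict, entry in triage(SAMPLE_LOG):
        print(f"{verdict:6} {section:4} {entry}")
```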
 
The biggest thing with hijackthis is it can permanently delete files off of your system so you'll need to post in the hijack area and wait for Osiris to read. Yes it's safe to run but don't get click happy:p
 
Thank you for the very quick and useful reply.
According to this thread, the hijackthis log looks fine. How come combofix found something bad?

Forgive me for asking too many questions. Just want to be smarter.
Thanks.
 
Thank you for the very quick and useful reply.
According to this thread, the hijackthis log looks fine. How come combofix found something bad?

Forgive me for asking too many questions. Just want to be smarter.
Thanks.


One program will find what another program won't. Just because you run Malwarebytes and it comes back clean doesn't mean your system is clean, and vice versa. Sometimes Malwarebytes can't remove an infection, so I instruct members to run Combofix and then Malwarebytes, because Combofix "breaks down the infection or parts of it" so then Malwarebytes can remove the rest.
 
Yes, I understand that Malwarebytes sometimes can't detect the threat.
My question is, if the hijackthis log looks fine in this thread, should I trust the hijackthis log?
Because 64-bit OS users can't run Combofix.

As you can see, he did run hijackthis first and its log looks fine. The problem is that combofix picked up something that did not show up in the hijackthis log.
 
Hijackthis is another diagnostic tool; it doesn't show everything, but it shows a lot. Just because it looks fine doesn't mean all is well.

The same can be said about any other tool.

If a tool doesn't run on 64-bit, then another tool is needed to scan.
 