
O4 HJT Items Question


FastLearner
04-02-2005, 03:40 AM
Hi all. I have been playing with HJT a little bit (but not fixing anything!) just trying to get a better idea of how it works. Although the HJT Tutorial is pretty thorough, it leaves me with a few unanswered questions regarding O4 items. Simply as a point of reference for my questions, here are the O4 items found on my computer:

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Programme\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Programme\Siemens\Gigaset WLAN Adapter\WLM.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE

My questions are as follows:

1) What are the differences between HKCU, HKLM, Startup, and Global Startup entries?

2) What happens when HJT fixes these items? - is the item deleted from the registry or is the process that it represents deleted from the computer. This question deals with, for example, if I didn't want to run OSA.EXE at startup. Could I, theoretically, let HJT fix this or should I do this from the msconfig startup programs utility? Theoretically speaking, of course.

3) The startup program information list at http://www.sysinfo.org/startuplist.php?filter=sound&letter=
is rather vague. Not even half of the items found on my O4 list are represented on this site. What should we do if we cannot find the entry, or if we find the entry and it is listed as 'N', meaning that it is not necessary to have it run at startup (kind of goes along with question #2)?

4) This question actually deals with O17 items. First, here are my entries:

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GARYSPC
O17 - HKLM\Software\..\Telephony: DomainName = GARYSPC
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GARYSPC

My question is if this is normal to have one entry listing DomainName = and the others listing Domain = ? I ask because I don't remember using VoIP or any other telephony related services on my machine, and the HJT Tutorial didn't have any examples with DomainName =.

Thanks for any help, and please no lectures that I shouldn't fix anything on my own - I already know that! I am just curious as to how this tool actually works.

classicsoftware
04-02-2005, 10:29 AM
HKLM: This means the item is loading from a specific part of the registry called HKEY Local Machine.

HKCU: This means the item is loading from a specific part of the registry called HKEY Current User.

I don't know where the global start-up items load from

HJT deletes them from the registry, but does not delete them from the system unless you take extra steps to tell it to.

Theoretically speaking, if you wanted to try to disable an item, like OSA for instance, I would do it with MSCONFIG and observe the results. If you want it removed permanently, then re-enable in MSCONFIG and remove with HJT.

The O17 items may have to do with how many dial-up accounts you have or how many network adapters you have, as Windows really treats dial-up accounts as network cards and has specific TCP/IP settings for them.

I hope that provides you with a general overview.

FastLearner
04-03-2005, 03:50 PM
Theoretically speaking, if you wanted to try to disable an item, like OSA for instance, I would do it with MSCONFIG and observe the results. If you want it removed permanently, then re-enable in MSCONFIG and remove with HJT.

Thanks for the great info, classicsoftware. The only question I still have relates to your comment in quotes above. I am not really sure what this means, to be totally honest. To put my question a different way, let me use the line

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

So, if I 'fixed' this with HJT, the program Soundman.exe would remain intact on my computer and only the reference to it in the registry would be deleted? I'm real interested in this because if the program Soundman.exe was a Trojan, for example, and if the program is not erased along with the registry entry, then HJT is not really 'fix'ing anything. Thanks for clarifying, csw.

classicsoftware
04-03-2005, 04:31 PM
To put my question a different way, let me use the line

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

So, if I 'fixed' this with HJT, the program Soundman.exe would remain intact on my computer and only the reference to it in the registry would be deleted? I'm real interested in this because if the program Soundman.exe was a Trojan, for example, and if the program is not erased along with the registry entry, then HJT is not really 'fixing' anything. Thanks for clarifying, csw.

You are correct in your assumption that removal of a file by HJT does not delete it. If you read the posts where HJT logs are analyzed, you will see they are always followed by instructions to delete the files manually. Just because a file is on your PC does not mean it will execute. The only programs that execute are:

Those loaded by the registry
Those loaded by the start-up group
Those loaded by the user
Those loaded by other running programs


I hope that clears things up....

david eaton
04-03-2005, 04:33 PM
Hijack this removes the "run" entry in the registry, for O4 entries. As the file is running, Hijack this is unable to delete the file.
Removal of the registry entry prevents the file loading at reboot, after which it can be deleted.

If the item under consideration were a trojan/worm etc, it would be harmless, but should still be deleted.

A legitimate program that you want to stop loading at startup, if "fixed" with Hijack this, will no longer run at startup, but will still be available to run when needed.
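The mechanics the three replies above describe (HKLM versus HKCU Run values, the per-user and all-users Startup folders, and "fix" meaning only the autostart reference is removed while the file stays on disk) can be reproduced directly. The following PowerShell script is an added example and is not code from the thread or from HijackThis itself. It assumes Windows PowerShell 5.1 or later, is run as the logged-on user, and uses only the standard Run/RunOnce keys and the two Startup folders; the `Get-RunTarget` and `Remove-RunValue` function names are this example's own.

```powershell
# Added example (not from the thread): enumerate the four autostart sources that
# HijackThis reports as O4 lines and show where each entry points on disk.
# Assumptions: Windows PowerShell 5.1 or later, run as the logged-on user.
# HKLM and Global Startup apply to every user; HKCU and Startup only to this one.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # present on 64-bit hosts
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# "Startup" and "Global Startup" are folders, not registry keys; HJT lists their shortcuts.
$startupDirs = @(
    @{ Scope = 'Startup';        Path = [Environment]::GetFolderPath('Startup') }
    @{ Scope = 'Global Startup'; Path = [Environment]::GetFolderPath('CommonStartup') }
)

# Pull the executable out of a Run value such as
#   "C:\Programme\AVPersonal\AVGNT.EXE" /min      or      SOUNDMAN.EXE
# A bare name like SOUNDMAN.EXE is looked up through PATH at logon, so whichever file
# of that name comes first on PATH is the one that runs. An unquoted path containing
# spaces is ambiguous; this example simply takes the first token.
function Get-RunTarget {
    param([string]$CommandLine)
    $cmd = "$CommandLine".Trim()
    if ($cmd -eq '') { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($found) { $exe = @($found)[0].Source }
    }
    return $exe
}

$entries = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $value  = $k.GetValue($name)
        $target = Get-RunTarget $value
        $entries.Add([pscustomobject]@{
            Scope   = $key.Substring(0, 4)          # HKLM or HKCU
            Source  = "$key\$name"
            Command = $value
            Target  = $target
            Exists  = [bool]($target -and (Test-Path -LiteralPath $target))
        })
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir.Path)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir.Path -File) {
        # A shortcut's target is read from the .lnk; a plain .exe or .bat dropped in the
        # folder runs as-is. An empty TargetPath is what HJT prints as "= ?".
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $entries.Add([pscustomobject]@{
            Scope   = $dir.Scope
            Source  = $f.FullName
            Command = $f.Name
            Target  = if ($target) { $target } else { '?' }
            Exists  = [bool]($target -and (Test-Path -LiteralPath $target))
        })
    }
}

# Exists = False marks an autostart reference whose file is already gone (the mirror
# image of what "Fix" leaves behind: file present, reference removed).
$entries | Sort-Object Scope, Source | Format-Table Scope, Command, Target, Exists -AutoSize

# This is all that "Fix checked" does for an O4 registry line: the Run value is deleted
# and the file stays on disk. -WhatIf shows the action without performing it.
function Remove-RunValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key, [string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove autostart value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}
# Dry run: Remove-RunValue -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SoundMan' -WhatIf
```

Running the listing before and after a "fix" makes the thread's point visible: the SoundMan line disappears from the output, but `Test-Path` on the file it pointed to still returns True until the file is removed by hand, which is why log analysts follow a fix with manual deletion instructions. Reading HKLM is fine for any user; writing to it (the `Remove-RunValue` call) needs an elevated prompt.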

Steve
04-03-2005, 04:39 PM
FastLearner,

I don't think the startup list at sysinfo is being updated any more. The list at CastleCops (http://castlecops.com/StartupList.html) is more useful now a days.
So, if I 'fixed' this with HJT, the program Soundman.exe would remain intact on my computer and only the reference to it in the registry would be deleted?
The O4 entries refer to the section in the registry where programs that you want (or don't want) to start up when the computer boots reside. When you "fix" an O4 entry, you are only removing the reference that tells the program to start at bootup. "Fix" is just a figure of speech.

Edit: Boy, ya gotta be quick around here. David and CS got here while I was day dreaming. ;)

FastLearner
04-03-2005, 04:53 PM
Thanks all for the prompt and useful responses. This is all really some great info. Two last questions since you are all on such a roll!:

I have learned from this thread that 'fix'ing things with HJT is a way to remove their registry entry, but it leaves the program intact.

1) Does this hold true for all items found on a HJT log (not just O4 entries)?
2) What then, is the difference between using HJT to disable a start-up item or using msconfig? Most would recommend using msconfig to alter the start-up list for legitimate programs, but why?

Thanks again, gang.

Budfred
04-03-2005, 05:39 PM
There are a number of us who believe that running Windoze in Selective Startup from msconfig all the time is not a good idea... This means that fixing the item with HJT is a better solution... If needed, the item can be reestablished by reinstalling the program...

As for what HJT fixes versus removes... It will remove the BHO (O2) items, so they do not need to be manually deleted... Pretty much everything else does need to be deleted manually if it is appropriate to delete it... Not everything should be deleted... The O16s are ActiveX controls and don't have files to manually delete...

Do you know about the Boot Camp and Classroom where you can learn about all of this stuff??

Steve
04-03-2005, 06:06 PM
The O16s are ActiveX controls and don't have files to manually delete...
Actually, if I'm not mistaken you will find the O16 items in the \Downloaded Programs Files folder. In IE click Tools > Settings > View Objects and there they be. You can easily delete them there.
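Steve's correction, that O16 controls do have files and they live in Downloaded Program Files, can be checked from both sides: the registry records IE reads to build each O16 line, and the folder holding the files. The script below is an added example, not code from the thread or from HijackThis, and it assumes Windows PowerShell 5.1 or later on an elevated prompt; the `Get-DpfControls` name is this example's own, and the friendly name lookup under HKCR\CLSID is empty for a control that never registered a class.

```powershell
# Added example (not from the thread): list the downloaded ActiveX controls that
# HijackThis reports as O16 (DPF) lines, from the registry and from the folder.
# Assumptions: Windows PowerShell 5.1 or later, elevated so every HKLM key is readable.

$duRoot = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$dpfDir = Join-Path $env:WINDIR 'Downloaded Program Files'

function Get-DpfControls {
    if (-not (Test-Path -LiteralPath $duRoot)) { return @() }
    foreach ($unit in Get-ChildItem -LiteralPath $duRoot) {
        $clsid = $unit.PSChildName

        # DownloadInformation\CODEBASE holds the URL the .cab was fetched from; that URL
        # is the one shown at the end of an O16 line.
        $codebase = $null
        $dlKey = Join-Path $unit.PSPath 'DownloadInformation'
        if (Test-Path -LiteralPath $dlKey) {
            $codebase = (Get-ItemProperty -LiteralPath $dlKey).CODEBASE
        }

        # Friendly name, if the control registered a class (the "(name)" part of the line).
        $name = $null
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path -LiteralPath $clsKey) {
            $name = (Get-ItemProperty -LiteralPath $clsKey).'(default)'
        }

        [pscustomobject]@{ CLSID = $clsid; Name = $name; CodeBase = $codebase }
    }
}

# Registry view: the records HJT reads to build O16 lines.
Get-DpfControls | Format-Table -AutoSize

# File view: the same controls as files on disk, which is what the IE "View Objects"
# dialog shows and lets you delete. -Force includes hidden entries.
Get-ChildItem -LiteralPath $dpfDir -Force | Select-Object Name, Length, LastWriteTime
```

Comparing the two listings is a useful habit: a control that appears in the folder but has no Distribution Units record (or the reverse) is exactly the kind of mismatch that makes one tool show an entry another omits, so it is worth a second look rather than a shrug.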

FastLearner
04-04-2005, 08:59 AM
Do you know about the Boot Camp and Classroom where you can learn about all of this stuff??

Budfred:
No, I'm afraid I don't know about that. This is something that I would definitely be interested in doing during my spare time (all 20 minutes a day!), though, so any info you could provide would be most appreciated. Thanks.

Steve: Thanks for that tip. It was right on the money. The only thing you may find interesting is that there were 2 ActiveX elements listed that for some reason did not appear in my HijackThis log. (Both have the name JavaRuntime 1.5.0 and appear to be identical). I wonder why that wouldn't show up on the HJT log.

Thanks to both of you for the additional info.

Budfred
04-04-2005, 09:30 PM
Spywareinfo hosts the Boot Camp and admission is open to anyone that is interested in learning how to deal with malware... I am one of the Mods there...

http://forums.spywareinfo.com/index.php?showtopic=34

Tom Coyote hosts the Classroom which is very similar to Boot Camp, but admission requires a more formal application to enroll...

http://forums.tomcoyote.org/index.php

There are a few other schools in other forums, but these two were the first....

FastLearner
04-05-2005, 08:46 AM
Thanks Budfred. I'm going to look into that.

FastLearner
04-10-2005, 04:45 PM
Three days into boot camp now...

I can HIGHLY recommend it for anyone else who's interested in the HJT logs. Budfred and the gang over at SWI really have their stuff together and I have learned more in three days than I had ever imagined possible! Thanks again Budfred, and go easy on me in Boot Camp!!!

jlreich
04-10-2005, 05:09 PM
I agree. For anyone who wants to learn and keep up on fighting malware, that's the place to be. I have been a member for a long time, but have not had the time to really get into it. Not to say I haven't learned anything just lurking behind the scenes. Just don't have the time to go through the whole trainee thing. :(

Great place. :cool: