hijackthis

Intro

This tutorial is an in-depth look into Hijack This logs, not an HJT starter guide. Hijack This by Merijn is a great tool for detecting and removing browser hijacks. A browser hijack is when spyware takes over your internet settings, often redirecting your internet searches and stealing your default home page. This tutorial is aimed at TSGers who would like to help out in the security forum by examining Hijack This logs. First, let's look at a typical Hijack This log.

You can see that it begins with information about the user's computer and the version of Hijack This. All that's important here is to make sure they are using the latest version of HJT (currently 1.96). Next you have the running processes. These cannot be "fixed" in Hijack This, so it's not a critical section when examining a log, but if you see something suspicious, Google the filename to see what it is. In examining a log, Google is your friend.

Procedure

Now, before we start analyzing the log, here is my method for making it quick and painless to check it.
1. Open an extra browser window. You will need it to search for info.
2. Paste the user's log into Notepad.
3. As you identify items as good/bad, remove the good ones from the log in Notepad. When you're done, the bad entries will be left in a list you can post.
4. I suggest you put a line in between each item that needs to be removed. This makes it much easier to remove. Then post the list of what needs to be removed back to the user.
5. Have them run Spybot or AdAware afterwards. Hijack This will not remove other components of spyware besides what you list. You may have to have the person manually delete files (e.g. if you have them remove an HJT entry about bootconf.exe, they should also delete bootconf.exe from their hard drive).

Two Letter Codes

After the running processes, the list of entries found by Hijack This begins. Each entry starts with a two-letter code that says what it is. According to Hijack This' Info, here's what each code means:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols
O19 - User stylesheet hijack

There is no need to memorize all of these; just read through them so you are familiar with what HJT detects.
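As an added example (not part of this tutorial and not Hijack This' own code), here is a small Python helper that follows the procedure above: it splits each entry line into its two-letter code and payload, drops the entries you have already recognized as legitimate, and returns what is left with a blank line between items, ready to post back. It also counts how many R entries point at each host, since a search engine with many R entries for it is a warning sign. The sample log is constructed; its O1 lines are the ones quoted later in this tutorial, and {CLSID-PLACEHOLDER} stands in for a real BHO identifier.

```python
"""Triage helper for Hijack This log text (added example, not HJT's own code)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# An entry line looks like "O4 - HKLM\..\Run: [name] C:\path\file.exe".
# The code is a letter (R, F, N or O) followed by one or two digits.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# URLs inside an entry, e.g. "... Start Page = http://www.google.com/".
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample log excerpt. The O1 lines are quoted on this page; the
# other lines are invented to exercise the parser, and {CLSID-PLACEHOLDER}
# stands in for a real BHO identifier.
SAMPLE_LOG = """\
Logfile of HijackThis v1.96.0

Running processes:
C:\\WINDOWS\\explorer.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://example-portal.invalid/search
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://example-portal.invalid/find
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {CLSID-PLACEHOLDER} - C:\\PROGRA~1\\CLIEN~1\\CLIENTMAN.DLL
"""


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (code, body) pairs for every HJT entry line, skipping the header."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def entries_by_code(entries: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group entry bodies under their code so each section can be reviewed in turn."""
    grouped: Dict[str, List[str]] = {}
    for code, body in entries:
        grouped.setdefault(code, []).append(body)
    return grouped


def r_entry_hosts(entries: Iterable[Tuple[str, str]]) -> Counter:
    """Count how many R* entries point at each host; several hits for one host is suspect."""
    counts: Counter = Counter()
    for code, body in entries:
        if code.startswith("R"):
            for url in URL_RE.findall(body):
                counts[urlsplit(url).hostname or ""] += 1
    return counts


def remaining_after_triage(entries: Iterable[Tuple[str, str]],
                           recognized_good: Iterable[str]) -> List[str]:
    """Drop entries containing any substring the reviewer has marked legitimate.

    recognized_good is the reviewer's own list (hosts or filenames already
    checked); whatever is left is the candidate fix list for the user.
    """
    good = [g.lower() for g in recognized_good]
    kept = []
    for code, body in entries:
        if not any(g in body.lower() for g in good):
            kept.append(f"{code} - {body}")
    return kept


def format_fix_list(lines: Iterable[str]) -> str:
    """Join the remaining entries with a blank line between each, as step 4 suggests."""
    return "\n\n".join(lines)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("hosts seen in R entries:", dict(r_entry_hosts(parsed)))
    print(format_fix_list(remaining_after_triage(parsed, ["www.google.com"])))
```

The recognized-good list is deliberately yours to supply: the helper does the bookkeeping, while the decision about each item still follows the legitimacy rules in this tutorial.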

Legitimacy Check


In the following sections, you will be asked to "check if a URL is legitimate". This means deciding if it is a URL that the user would want to visit, or if it is a likely hijacker. URLs that you recognize, such as Google, Yahoo!, a news website, or an ISP's website, are clearly legitimate items. They do not need to be fixed. If you do not recognize an item, go to the URL. If the site has unending popup traps, or is in the domain of a known spyware vendor (e.g. coolwwwsearch.com, gator.com, new.net), it is not a legitimate item. Most hijackers are sponsored search engine/portal sites. Usually they are pretty easy to detect. If it is a portal site with tons of links packed into one page, with categories such as gambling, insurance, computers, and adult, you can bet it's a browser hijacker that should be fixed. If it is a search engine with the words "Pay Per Click" anywhere, fix it. If it is a search engine with several or many entries for it in the R* section of Hijack This, you can also bet that it's forcing itself on the user. If you're not sure, ask the person if they use that site or not.

R - Registry, StartPage/SearchPage changes

Any entries whose two-letter code begins with R should be checked to see if the URL is legitimate. Throughout this tutorial I will say "check if it's legit". To do this, use the "Legitimacy Check" rules at the top of this tutorial.
R0-Advanced Info
R1-Advanced Info
R2-Advanced Info
R3-Advanced Info

F - IniFiles, autoloading entries


Basically, anything beginning with "F0" is bad and should be fixed. F1 entries can be good or bad; Google the filename to find out what it is.
F0-Advanced Info
F1-Advanced Info

N - Netscape/Mozilla StartPage/SearchPage changes


Items that start with N are related to Netscape. These are similar to the R entries. Follow the rules for deciding if a URL is legitimate, though Netscape home pages are not hijacked as often as IE's.
N1-Advanced Info
N2-Advanced Info
N3-Advanced Info
N4-Advanced Info

O - Other, several sections which represent:


O1 - Hijack of auto.search.msn.com with Hosts file
O1 entries are entries in the HOSTS file. HOSTS is a way of redirecting a URL's hostname to an IP address. It can be used for ad blocking, speeding up internet access, or hijacking. If multiple URLs point to the same IP address, fix them all (UNLESS THAT IP ADDRESS IS 0.0.0.0 OR 127.0.0.1). This shows up a lot:
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
They should all be fixed; see how it redirects all searches to 216.177.73.139 (type that IP in your browser for an example of a non-legit page).
O1-Advanced Info
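The O1 rule above is mechanical enough to script. The following Python helper is an added example (not part of this tutorial or of Hijack This): it groups the hostnames in O1 entries by the IP they point to and flags every cluster of two or more names on one IP, skipping 0.0.0.0 and 127.0.0.1 because ad-blocking HOSTS files use those. The three 216.177.73.139 lines are the ones quoted above; the two 0.0.0.0 lines are constructed to stand in for an ad-blocking hosts file.

```python
"""Flag HOSTS-file redirections in Hijack This O1 entries (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, List

# "O1 - Hosts: <ip> <hostname>" is the shape of every O1 entry.
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")

# Ad-blocking hosts files point unwanted names here; the tutorial says
# not to treat these as hijacks.
HARMLESS_TARGETS = {"0.0.0.0", "127.0.0.1"}

# Constructed sample: the 216.177.73.139 lines are quoted on this page; the
# 0.0.0.0 lines imitate an ad-blocking hosts file and use reserved names.
SAMPLE_O1_LINES = [
    "O1 - Hosts: 216.177.73.139 auto.search.msn.com",
    "O1 - Hosts: 216.177.73.139 search.netscape.com",
    "O1 - Hosts: 216.177.73.139 ieautosearch",
    "O1 - Hosts: 0.0.0.0 ads.example.invalid",
    "O1 - Hosts: 0.0.0.0 tracker.example.invalid",
]


def group_hosts_by_ip(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each target IP in the O1 entries to the hostnames redirected to it."""
    groups: Dict[str, List[str]] = {}
    for line in lines:
        m = O1_RE.match(line.strip())
        if not m:
            continue
        ip = m.group("ip")
        try:
            ipaddress.ip_address(ip)  # skip malformed entries instead of guessing
        except ValueError:
            continue
        groups.setdefault(ip, []).append(m.group("host"))
    return groups


def suspicious_redirections(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return IP -> hostnames for every cluster the O1 rule says to fix.

    A cluster is suspect when two or more names map to one IP that is not a
    harmless blackhole address. Single redirects are left for manual review.
    """
    return {
        ip: hosts
        for ip, hosts in group_hosts_by_ip(lines).items()
        if ip not in HARMLESS_TARGETS and len(hosts) >= 2
    }


def o1_lines_to_fix(lines: Iterable[str]) -> List[str]:
    """Reproduce the original O1 lines that belong to a suspect cluster."""
    lines = list(lines)
    bad_ips = suspicious_redirections(lines)
    to_fix = []
    for line in lines:
        m = O1_RE.match(line.strip())
        if m and m.group("ip") in bad_ips:
            to_fix.append(line)
    return to_fix


if __name__ == "__main__":
    for ip, hosts in suspicious_redirections(SAMPLE_O1_LINES).items():
        print(f"{ip}: {len(hosts)} names redirected -> fix all of them")
    print("\n".join(o1_lines_to_fix(SAMPLE_O1_LINES)))
```

Only clusters are flagged automatically; a single O1 line pointing somewhere unusual still deserves a look, but the tutorial's rule is about several names sharing one destination, so that is what the helper enforces.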

O2 - Enumeration of existing MSIE BHO's
The Browser Helper Object. Can't browse with 'em, can't browse without 'em. These are sort of plugins for the browser. Each has a unique, identifying number and a filename. Use TonyKlein's BHO list to check if each one is good or bad: http://www.freespywareremoval.info/problem/bho.html After a few logs, you will start to recognize which BHOs are safe (such as MSN Radio and NAV Antivirus). Note: any BHO with ClientMan or Clien~1 in the filename should be fixed. Sometimes spyware tricks you into thinking it's legit by using a safe-sounding filename. Check each BHO carefully!
O2-Advanced Info

O3 - Enumeration of existing MSIE toolbars
O3 entries are toolbars in web browsers. Most are harmless, but many bad hijackers add toolbars to the browser. If it is named "Yahoo Companion" or Google Toolbar, or something of the sort, it's probably legit. You can find out what a toolbar is at TonyKlein's list.
Any toolbar with a random-seeming filename should be fixed.
O3-Advanced Info

O4 - Enumeration of suspicious autoloading Registry entries
Startups from the registry. Despite the name, many legit programs show up here. Ignore entries that you recognize to be from a legit program. Use this website to find out what the rest of the entries are:
http://www.sysinfo.org/startupinfo.html
O4-Advanced Info

O5 - Blocking of loading Internet Options in Control Panel
There is only one entry here, and it should be fixed. This entry stops the Internet Options from showing in Control Panel. It is used by hijackers to hide themselves.
O5-Advanced Info

O6 - Disabling of 'Internet Options' Main tab with Policies
Internet Explorer restrictions. Unless you have used a security program to lock your browser settings, fix these. You won't know if the user has done this or not. You can ask them, but if they have a lot of spyware, it's safe to say that they should be fixed.
O6-Advanced Info

O7 - Disabling of Regedit with Policies
Restricted registry access using Windows System Policies. Fix this, unless you are dealing with a computer where it may be there on purpose, e.g. lab/shared/school systems.
O7-Advanced Info

O8 - Extra MSIE context menu items
Extra right-click options. If you don't recognize it, search Google. "Browser Pal" should always be fixed. Programs such as popup blockers or the Google Toolbar often show up here.
O8-Advanced Info

O9 - Extra 'Tools' menuitems and buttons
Extra toolbar buttons. If you don't recognize it as a legit program, search Google. A simple search will usually reveal if it's spyware.
O9-Advanced Info

O10 - Breaking of Internet access by New.Net or WebHancer
Winsock hijacks. Using old versions of spyware removers can cause these problems! Spybot can usually fix them, or a specialized tool such as LSPFix.
O10-Advanced Info

O11 - Extra options in MSIE 'Advanced' settings tab
Extra Advanced Options group in IE. Adds another group of options in the Advanced section of IE's Internet Options, which are stored in the registry. CommonName does this.
O11-Advanced Info

O12 - MSIE plugins for file extensions or MIME types
Internet Explorer plugins. Usually pretty harmless. Used by programs like Acrobat Reader.
O12-Advanced Info

O13 - Hijack of default URL prefixes
Default prefixes. Eviiil. Always fix these. The default prefix (stored in the registry) is added to the beginning of any URL where you did not type the prefix yourself. The default prefix should be http://.
O13-Advanced Info

O14 - Changing of IERESET.INF
Reset Web Settings. Follow the rules for checking if a URL is legitimate.
O14-Advanced Info

O15 - Trusted Zone Autoadd
Unwanted Trusted Zone site. This could be bad, but not many hijackers use them. The common one is free.aol.com. This entry can be fixed.
O15-Advanced Info

O16 - Download Program Files item
ActiveX controls. These are downloaded when you play an online game, use iPix, etc. If it is from a known game site such as Yahoo or Pogo, or the Macromedia site, it's legit. Other items you can search for to find out. I usually just do a quick check over these items. Always fix them if they seem to be dialers, adult, or casino software.
O16-Advanced Info

O17 - Domain hijack
Domain hijacks always include an IP address; do a WHOIS on the IP address. If it comes up with a legitimate owner (like an ISP or college), leave it. Otherwise, fix these entries.
O17-Advanced Info

O18 - Enumeration of existing protocols
Extra Protocols. These don't show up very often, but Google will tell you what they are. I have seen LOP and CommonName use them.
O18-Advanced Info

O19 - User stylesheet hijack
Style sheet hijack. I have only seen one hijacker use this. If the filename is default.css, it can probably be fixed. You may want to tell the person not to fix it if they are using a custom CSS file in their browser (these are often used by colorblind or vision-disabled users).
O19-Advanced Info

Extra notes:


If you see anything about rb32, rb32.exe or lptt01 in Hijack This, have the user run Rbkiller.exe.
If there are entries with encoded URLs like
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
have them run CoolWebShredder.
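The %XX escapes in an entry like the one above exist to hide the real domain from a quick read. As an added example (not part of this tutorial or of Hijack This), the Python helper below percent-decodes the URLs in R entries, pulls out the hostname, and compares it with the hijacker domains the Legitimacy Check names (coolwwwsearch.com, gator.com, new.net). Fed the line quoted above, it reveals a coolwwwsearch.com address. The second sample entry is constructed as a plain, legitimate contrast.

```python
"""Decode percent-encoded URLs in Hijack This R entries (added example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Domains this tutorial names as hijackers; extend the set from your own notes.
KNOWN_HIJACKER_DOMAINS = {"coolwwwsearch.com", "gator.com", "new.net"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# The first entry is the encoded line quoted on this page; the second is a
# constructed legitimate entry for comparison.
SAMPLE_ENTRIES = [
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch="
    "http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d"
    "/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/",
]


def is_percent_encoded(url: str) -> bool:
    """True when the URL contains %XX escapes, which hijackers use to hide the host."""
    return bool(re.search(r"%[0-9A-Fa-f]{2}", url))


def decoded_host(url: str) -> Optional[str]:
    """Return the hostname after percent-decoding, or None if the URL has no host."""
    return urlsplit(unquote(url)).hostname


def matches_known_hijacker(host: str) -> bool:
    """True if the host is a known-hijacker domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_HIJACKER_DOMAINS)


def analyse_entries(entries: List[str]) -> List[Tuple[str, str, str, bool]]:
    """For each URL found: (original URL, decoded URL, host, known hijacker?)."""
    results = []
    for entry in entries:
        for url in URL_RE.findall(entry):
            decoded = unquote(url)
            host = decoded_host(url) or ""
            results.append((url, decoded, host, matches_known_hijacker(host)))
    return results


if __name__ == "__main__":
    for original, decoded, host, bad in analyse_entries(SAMPLE_ENTRIES):
        tag = "KNOWN HIJACKER" if bad else "check legitimacy"
        encoded = " (was percent-encoded)" if is_percent_encoded(original) else ""
        print(f"{host}{encoded}: {tag}\n    {decoded}")
```

Decoding alone does not decide legitimacy; it only removes the disguise so that the usual rules can be applied to the real hostname. An encoded URL whose host is not on the list still deserves the same Legitimacy Check as any other R entry.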

Other HJT Features


Hijack This includes several other features. Select an item after scanning and click "Info On Selected Item" to get more info about what it is/does. Under Config you can make backups, MD5 hash the files, and change your settings for Hijack This. Under Info you can find the version history and updates.

