Hijack This usage

  1. #1

    Hijack This usage

    Ennis made the suggestion that someone write a tutorial on Hijack This.

    Sources (I used them a lot)
    http://www.mjc1.com/mirror/hjt/
    http://hjt.wizardsofwebsites.com/

    What Hijack This is for is to search key areas of your computer that are commonly used to change your browser's settings. It doesn't scan them; it shows you everything, and it's your decision what can stay and what can go. Most of the entries Hijack This will come up with are legit, which can make using Hijack This somewhat tricky. You have to determine what stays and what goes.

    Download Hijack This
    http://209.133.47.200/~merijn/files/HijackThis.exe
    If you have used Ad-aware, Spybot, or any other spyware removal software since your last boot, reboot your computer. Open it, click "Config" in the bottom right of the window.
    Edit: because malware restricts access to the site, Merijn moves the download links around. http://www.spywareinfo.com/~merijn/downloads.html

    It should look like this when you run it:
    http://www.mjc1.com/mirror/hjt/begin.png

    Main settings:
    Basic configuration: Make sure safe mode and backups are turned on, as well as processes. Safe mode and backups will help you if you screw up.
    Ignore list:
    Used to help clean up your results. When you scan, you can ignore results you know are legit and they will be moved here.
    Backups
    When you fix entries in Hijack This, they will appear here as backups, given that your setting is turned on.
    Misc Tools:
    Generate Startup Log - I’ve never used it, but it does what it says. Shows you autoexec.bat and other things that boot up with your pc.
    Uninstall
    Check for update - I didn’t even know that existed until now…

    The process!

    Click Scan in the bottom left corner; if you don't see it, click Back in the bottom right corner.
    Should look like this:
    http://www.mjc1.com/mirror/hjt/fix.png

    A whole bunch of crazy lookin' files will appear in the box above. About now, you have to start using common sense. If you see something like:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somekindapornsite.com/
    where the website shown is something you want nothing to do with, check it. Basically, you just need to look for entries that look funny, Google them, and see if they are commonly listed as a hijack or spyware.

    Here is a section from http://hjt.wizardsofwebsites.com/
    Two Letter Codes
    After the running processes, the list of entries found by Hijack This begins. Each entry starts with a 2-letter code to say what it is. According to Hijack This' info, here's what each code means:
    R - Registry, StartPage/SearchPage changes
    R0 - Changed registry value
    R1 - Created registry value
    R2 - Created registry key
    R3 - Created extra registry value where only one should be
    F - IniFiles, autoloading entries
    F0 - Changed inifile value
    F1 - Created inifile value
    N - Netscape/Mozilla StartPage/SearchPage changes
    N1 - Change in prefs.js of Netscape 4.x
    N2 - Change in prefs.js of Netscape 6
    N3 - Change in prefs.js of Netscape 7
    N4 - Change in prefs.js of Mozilla
    O - Other, several sections which represent:
    O1 - Hijack of auto.search.msn.com with Hosts file
    O2 - Enumeration of existing MSIE BHO's
    O3 - Enumeration of existing MSIE toolbars
    O4 - Enumeration of suspicious autoloading Registry entries
    O5 - Blocking of loading Internet Options in Control Panel
    O6 - Disabling of 'Internet Options' Main tab with Policies
    O7 - Disabling of Regedit with Policies
    O8 - Extra MSIE context menu items
    O9 - Extra 'Tools' menuitems and buttons
    O10 - Breaking of Internet access by New.Net or WebHancer
    O11 - Extra options in MSIE 'Advanced' settings tab
    O12 - MSIE plugins for file extensions or MIME types
    O13 - Hijack of default URL prefixes
    O14 - Changing of IERESET.INF
    O15 - Trusted Zone Autoadd
    O16 - Download Program Files item
    O17 - Domain hijack
    O18 - Enumeration of existing protocols
    O19 - User stylesheet hijack

    There is no need to memorize all of these, just read through them so you are familiar with what HJT detects.
    Legitimacy Check

    In the following sections, you will be asked to "check if a URL is legitimate". This means deciding if it is a URL that the user would want to visit, or if it is a likely hijacker. URLs that you recognize, such as Google, Yahoo!, a news website, or an ISP's website, are clearly legitimate items. They do not need to be fixed. If you do not recognize an item, go to the URL. If the site has unending popup traps, or is in the domain of a known spyware (e.g. coolwwwsearch.com, gator.com, new.net, etc.), it is not a legitimate item. Most hijackers are sponsored search engine/portal sites. Usually they are pretty easy to detect. If it is a portal site with tons of links packed into one page, with categories such as gambling, insurance, computers, and adult, you can bet it's a browser hijacker that should be fixed. If it is a search engine with the words "Pay Per Click" anywhere, fix it. If it is a search engine with several or many entries for it in the R* section of Hijack This, you can also bet that it's forcing itself on the user. If you're not sure, ask the person if they use that site or not.
    R - Registry, StartPage/SearchPage changes
    Any entries whose 2-letter code begins with R should be checked to see if the URL is legitimate. Throughout this tutorial I will say "check if it's legit". To do this, use the "Legitimacy Check" rules at the top of this tutorial.
    F - IniFiles, autoloading entries

    Basically anything beginning with "F0" is bad and should be fixed. F1 entries can be good or bad. Google the filename to find out what it is.
    N - Netscape/Mozilla StartPage/SearchPage changes

    Items that start with N are related to Netscape. These are similar to the R entries. Follow the rules for deciding if a URL is legitimate. Netscape homepages are not hijacked as often as IE though.
    O - Other, several sections which represent:

    O1 - Hijack of auto.search.msn.com with Hosts file
    O1 entries are entries in the HOSTS file. HOSTS is a way of redirecting a URL to an IP. It can be used for ad blocking, speeding up internet access, or hijacking. If multiple URLs point to the same IP address, fix them all (UNLESS THAT IP ADDRESS IS 0.0.0.0 OR 127.0.0.1). This shows up a lot:
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    They should all be fixed; see how it redirects all searches to 216.177.73.139 (type that IP in your browser for an example of a non-legit page).

    O2 - Enumeration of existing MSIE BHO's
    The Browser Helper Object. Can't browse with 'em, can't browse without 'em. These are sort of plugins for the browser. Each has a unique, identifying number and a filename. Use TonyKlein's BHO list (http://www.spywareinfo.com/bhos/) to check if each one is good or bad. After a few logs, you will start to recognize which BHOs are safe (such as MSN Radio and NAV Antivirus). Note: any BHO with ClientMan or Clien~1 in the filename should be fixed. Sometimes spyware tricks you into thinking it's legit by using a safe-sounding filename. Check each BHO carefully!

    O3 - Enumeration of existing MSIE toolbars
    O3 entries are toolbars in web browsers. Most are harmless, but many bad hijackers add toolbars to the browser. If it is named "Yahoo Companion" or Google Toolbar, or something of the sort, it's probably legit. You can find out what a toolbar is at TonyKlein's list:
    http://www.spywareinfo.com/toolbars/
    Any toolbar with a random-seeming filename should be fixed.

    O4 - Enumeration of suspicious autoloading Registry entries
    Startups from the registry. Despite the name, many legit programs show up here. Ignore entries that you recognize to be from a legit program. Use this website to find out what the rest of the entries are.
    http://www.pacs-portal.co.uk/startup...artup_full.htm

    O5 - Blocking of loading Internet Options in Control Panel
    There is only one entry here, and it should be fixed. This entry stops the Internet Options from showing in Control Panel. It is used by hijackers to hide themselves.

    O6 - Disabling of 'Internet Options' Main tab with Policies
    Internet Explorer restrictions. Unless you have used a security program to lock your browser settings, fix these. You won't know if the user has done this or not. You can ask them, but if they have a lot of spyware, it's safe to say that they should be fixed.

    O7 - Disabling of Regedit with Policies
    Restricted registry access using Windows System Policies. Fix this, unless you are using a computer where it may be there on purpose, e.g. lab/shared/school systems.

    O8 - Extra MSIE context menu items
    Extra right-click options. If you don't recognize it, search Google. "Browser Pal" should always be fixed. Programs such as popup blockers or Google Toolbar often show up here.

    O9 - Extra 'Tools' menuitems and buttons
    Extra toolbar buttons. If you don't recognize it as a legit program, search Google. A simple search will usually reveal if it's spyware.

    O10 - Breaking of Internet access by New.Net or WebHancer
    Winsock Hijacks. Using old versions of Spyware removers can cause these problems! Spybot can usually fix them, or a specialized tool such as LSPFix.

    O11 - Extra options in MSIE 'Advanced' settings tab
    Extra Advanced Options group in IE. Adds another group of options in the Advanced section of IE's Internet Options, which are stored in the registry. CommonName does this.

    O12 - MSIE plugins for file extensions or MIME types
    Internet Explorer plugins. Usually pretty harmless. Used by programs like Acrobat Reader.

    O13 - Hijack of default URL prefixes
    Default Prefixes. Eviiil, always fix these. The default prefix (stored in the registry) adds itself to the beginning of any URL where you did not enter the prefix. The default prefix should be http://.

    O14 - Changing of IERESET.INF
    Reset Web Settings. Follow the rules for checking if a URL is legitimate.

    O15 - Trusted Zone Autoadd
    Unwanted trusted zone site. This could be bad, but not many hijackers use them. The common one is free.aol.com. This entry can be fixed.

    O16 - Download Program Files item
    ActiveX Controls. These are downloaded when you play an online game, use iPix, etc. If it is from a known game site such as Yahoo or Pogo, or the Macromedia site, it's legit. Other items you can search for to find out. I usually just do a quick check over these items. Always fix them if they seem to be dialers, adult, or casino software.

    O17 - Domain hijack
    Domain hijacks always include an IP address; do a WHOIS on the IP address. If it comes up with a legitimate owner (like an ISP or college), leave it. Otherwise, fix these entries.

    O18 - Enumeration of existing protocols
    Extra Protocols. These don't show up very often, but Google will tell you what they are. I have seen LOP and CommonName use them.

    O19 - User stylesheet hijack
    Style sheet hijack. I have only seen 1 hijacker use this. If the filename is default.css, it can probably be fixed. You may want to tell the person not to fix it if they are using a custom CSS file in their browser (these are often used by colorblind, or vision disabled users).
    Don’t remove things you aren’t sure of. If you need help, post your log in the adware section of AO and some of us can help you decide what to remove.

    All done
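    As an added example (not the tutorial's own code and not part of HijackThis), the rules in the tutorial above turned into a small Python triage script: it parses the "CODE - detail" log lines, groups O1 Hosts entries by IP so that several names funnelled to one non-loopback address are flagged together, applies the always-fix rules for F0, O5, O7 and a non-http:// O13 prefix and the ClientMan/Clien~1 BHO filename rule, and leaves R* URLs to a tiny known-good list plus human review. The sample log, the known-good list and the O5/O7/O13 line layouts are constructed assumptions; the two O1/O2 example entries are the ones quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample log in HijackThis' "CODE - detail" layout (not from a real machine; the O5/O7/O13 lines approximate the tool's format and the all-zero GUID is a placeholder).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://portal.example-hijacker.test/
O1 - Hosts: 127.0.0.1 ads.example.test
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\CLIEN~1\cmhelper.dll
O5 - control.ini: inetcpl.cpl=no
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegedit=1
O13 - DefaultPrefix: http://www.example-hijacker.test/?
O13 - WWW Prefix: http://
"""

LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
LOOPBACK = {"0.0.0.0", "127.0.0.1"}        # Hosts entries pointing here block, they don't hijack
KNOWN_GOOD = ("google.com", "yahoo.com")   # "URLs that you recognize"; grow this from your ignore list

def parse(log_text):
    """Return (code, detail) pairs for lines in HJT entry form; running processes etc. are skipped."""
    return [m.groups() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def recognized(url):
    host = re.sub(r"^https?://", "", url.strip()).split("/")[0].lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD)

def triage(log_text):
    """Apply the tutorial's per-code rules; verdict is 'keep', 'fix' or 'review' (analyst decides)."""
    entries = parse(log_text)
    hosts_per_ip = defaultdict(set)        # the O1 rule needs the whole Hosts section first
    for code, detail in entries:
        parts = detail.split()             # "Hosts:", ip, hostname
        if code == "O1" and len(parts) >= 3:
            hosts_per_ip[parts[1]].add(parts[2])
    verdicts = []
    for code, detail in entries:
        verdict = "keep"
        if code.startswith("R"):           # R*: legitimacy check on the URL after the '='
            verdict = "keep" if recognized(detail.rsplit("=", 1)[-1]) else "review"
        elif code == "F0":                 # "anything beginning with F0 is bad"
            verdict = "fix"
        elif code == "O1":
            parts = detail.split()
            ip = parts[1] if len(parts) > 1 else ""
            if ip not in LOOPBACK and len(hosts_per_ip[ip]) > 1:
                verdict = "fix"            # several names funnelled to one remote IP
        elif code == "O2" and re.search(r"clientman|clien~1", detail.rsplit(" - ", 1)[-1], re.I):
            verdict = "fix"                # BHO filename rule from the tutorial
        elif code in ("O5", "O7"):         # O7: fix unless it is a deliberately locked lab/shared PC
            verdict = "fix"
        elif code == "O13" and detail.split(":", 1)[-1].strip() != "http://":
            verdict = "fix"                # default prefix must be plain http://
        verdicts.append((code, verdict, detail))
    return verdicts
```

    Paste a log into triage() and act only on the "fix" verdicts; "review" entries still need the Legitimacy Check done by hand.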

  2. #2
    foxyloxley (They call me the Hunted). Join Date: Nov 2003. Location: 3rd Rock from Sun. Posts: 2,528
    OK, I'm first it seems; here is the generated log from my sys.
    As you say, I can see that some are obviously safe / ignore types, I have left them in for the purpose of clarity ????

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: WinMySQLadmin.lnk = C:\MySQL\bin\winmysqladmin.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...018.3728935185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32C298EC-87E1-4C34-BDBB-8C3C195A2B80}: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{32C298EC-87E1-4C34-BDBB-8C3C195A2B80}: NameServer = 194.168.4.100 194.168.8.100
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  3. #3
    Well, it looks to me like you have a Google toolbar, you use Norton Internet Security, Ad-aware, WinMySQLadmin, iTunes, Nero, QuickTime, and your start page is virgin.net. If you are asking which ones are legit, then I guess those are, if you intended to have them as startup items. Usually the ones that you don't recognize are the ones that cause the trouble. Is your browser hijacked or did you just post your log regardless?

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    Google came up with some spyware results, but I couldn't tell what it was.

  4. #4
    Senior Member. Join Date: Dec 2003. Location: Pacific Northwest. Posts: 1,675
    Soda...

    Thanks for doing all the leg work for us. I had started to tinker with it and didn't really find anything wrong. But I hadn't really got serious about generating the ignore list. Your tut was easy to follow and now with the ignore list established, if anything shows up on my scans, I'll know changes were made. Good job!


    cheers

  5. #5
    foxyloxley (They call me the Hunted). Join Date: Nov 2003. Location: 3rd Rock from Sun. Posts: 2,528
    Sorry Soda, I posted so as to check it over on AO as well as by myself.
    I am not hijacked that I am aware (?) of, and have already used the tut you posted to work through the file. I would just like to add that following the instructions was a pleasant surprise to one brought up on a 'suck it and see' methodology. I am now the proud owner of an ignore file, and am beginning to feel a little safer out in cyberspace. If someone posts a sys with problems I will delete this post; I found it useful to roll from one to the other as I was reading the tut.

  6. #6
    Banned. Join Date: Apr 2004. Posts: 410
    OK, this may be out of the post, but please don't neg me for this. Am I the only one to notice that the link to Hijack This given by Soda does not work????

  8. #8
    http://www.spywareinfo.com/~merijn/downloads.html

    The official site has multiple mirrors now.
