Guide To Use HijackThis

Saturday 2 July 2005 @ 3:27 am

Usually, when people ask me about spyware detectors or removers, I will definitely recommend Spybot Search & Destroy and AdAware Personal to them. Both are freeware, yet powerful and reliable in detecting and removing most spyware programs.

Now I would recommend another, more advanced tool: HijackThis. HijackThis is written specifically to detect and remove browser hijacks, i.e. software that takes over your web browser, alters your default home page and search engine, or does other malicious things.

Once you install and run HijackThis, it generates a log file. You then analyze that log and decide which items to remove and which to leave alone. Note that HijackThis does not judge the entries for you: it lists everything hooked into the browser and the autorun locations it scans, legitimate software and hijackers alike, so a long log is not by itself a sign of infection. Using HijackThis is a lot like editing the Windows Registry by hand, and you should definitely not do it without some guidance unless you really know what you are doing.

So, basically, here is a key to the section prefixes that appear in the generated log:

  • R0, R1, R2, R3 – Internet Explorer Start/Search pages URLs
  • F0, F1 – Autoloading programs from INI files (system.ini / win.ini)
  • N1, N2, N3, N4 – Netscape/Mozilla Start/Search pages URLs
  • O1 – Hosts file redirection
  • O2 – Browser Helper Objects
  • O3 – Internet Explorer toolbars
  • O4 – Autoloading programs from Registry
  • O5 – IE Options icon not visible in Control Panel
  • O6 – IE Options access restricted by Administrator
  • O7 – Regedit access restricted by Administrator
  • O8 – Extra items in IE right-click menu
  • O9 – Extra buttons on main IE button toolbar, or extra items in IE ‘Tools’ menu
  • O10 – Winsock hijacker
  • O11 – Extra group in IE ‘Advanced Options’ window
  • O12 – IE plugins
  • O13 – IE DefaultPrefix hijack
  • O14 – ‘Reset Web Settings’ hijack
  • O15 – Unwanted site in Trusted Zone
  • O16 – ActiveX Objects (aka Downloaded Program Files)
  • O17 – Lop.com domain hijackers
  • O18 – Extra protocols and protocol hijackers
  • O19 – User style sheet hijack
  • O20 – AppInit_DLLs Registry value autorun
  • O21 – ShellServiceObjectDelayLoad Registry key autorun
  • O22 – SharedTaskScheduler Registry key autorun
  • O23 – Windows NT Services

The following is my own log:


------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:24:03 AM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\Downloaded Program\Spyware Detector\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89/ibrowser/cibrowser.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37F69AF1-9DD6-47A5-A32B-AC9AAEF0E35F}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------------------------------------------------------------------

Looks quite healthy, huh? Anyway, I'm not an expert in this software, though I am able to spot some common nasty spyware if there is any. Luckily mine is quite healthy. For expert advice, you can seek help in the Spywareinfo Forums, the Lavasoft Support Forums, and many more.
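To show how the section key above is applied in practice, here is a small triage helper I am adding to this post; it is example code of my own, not part of HijackThis or of the original log analysis. It splits each log entry into its section prefix and body, collects the CLSIDs an analyst would look up, and applies a handful of review heuristics of the kind one runs through by hand (an unnamed BHO, an ActiveX control downloaded from a bare IP address, a NameServer override, a policy restriction being present, a service whose binary is missing). The sample log is constructed from lines in my log above, re-joined to one line per entry the way HijackThis writes them; the heuristics and the file name `hjt_triage.py` are assumptions for illustration, and a hit means "look closer", not "malicious".

```python
"""Added example (not part of the original post or of HijackThis): a small
triage helper for HijackThis v1.x logs. Heuristics are the author's own
assumptions for illustration; a finding means "review this", not "remove".
"""
import re
from collections import Counter

# Section key, abbreviated from the list in the post.
SECTIONS = {
    "R0": "IE Start/Search page URL", "R1": "IE Start/Search page URL",
    "R2": "IE Start/Search page URL", "R3": "IE Start/Search page URL",
    "F0": "Autoloading program (INI)", "F1": "Autoloading program (INI)",
    "O1": "Hosts file redirection", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Registry autorun", "O5": "IE Options icon hidden",
    "O6": "IE Options restricted", "O7": "Regedit restricted",
    "O8": "IE context menu item", "O9": "IE button / Tools menu item",
    "O10": "Winsock hijacker", "O15": "Trusted Zone site", "O16": "ActiveX (DPF)",
    "O17": "Lop.com domain / DNS", "O18": "Protocol hijacker", "O20": "AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad", "O22": "SharedTaskScheduler", "O23": "NT service",
}

# One HijackThis entry: prefix, " - ", then the body. Header and process
# list lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# URL whose host is a bare IPv4 address rather than a host name.
BARE_IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)")


def parse_log(text):
    """Return [(section, body), ...] for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def section_counts(entries):
    """How many entries each section contributed."""
    return Counter(sec for sec, _ in entries)


def clsids(entries):
    """CLSIDs of COM objects hooked into IE (O2/O3/O9/O16), for manual lookup."""
    found = set()
    for sec, body in entries:
        if sec in ("O2", "O3", "O9", "O16"):
            found.update(CLSID_RE.findall(body))
    return found


def review(entries):
    """Return [(section, reason, body), ...] for entries worth a second look."""
    findings = []
    for sec, body in entries:
        if sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "unnamed BHO: look up its CLSID and DLL", body))
        elif sec == "O16" and BARE_IP_URL_RE.search(body):
            ip = BARE_IP_URL_RE.search(body).group(1)
            findings.append((sec, f"ActiveX control fetched from bare IP {ip}", body))
        elif sec == "O17" and "NameServer" in body:
            findings.append((sec, "DNS servers set here: confirm they are your ISP's", body))
        elif sec in ("O5", "O6", "O7") and body.endswith("present"):
            findings.append((sec, "policy restriction present: confirm you set it", body))
        elif sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service registered but its binary is missing", body))
    return findings


# Constructed sample: a subset of the log in the post, one line per entry.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:24:03 AM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89/ibrowser/cibrowser.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37F69AF1-9DD6-47A5-A32B-AC9AAEF0E35F}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for sec, n in sorted(section_counts(entries).items()):
        print(f"{sec:4} {n:2}  {SECTIONS.get(sec, '?')}")
    print("CLSIDs to look up:", ", ".join(sorted(clsids(entries))))
    for sec, reason, body in review(entries):
        print(f"[{sec}] {reason}\n      {body}")
```

Save it as `hjt_triage.py` and run `python hjt_triage.py`; to triage a real log, replace `SAMPLE_LOG` with the file contents (`open(path).read()`). Every entry this prints is still something to research by CLSID, path and vendor before removing it; the script only narrows the list.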

For more detail on analyzing HijackThis logs, please see the guides provided in the source link below.

One Response to 'Guide To Use HijackThis'

  1. Office Max! - July 2nd, 2005 at 6:54 am

    Guide To Use HijackThis

    Useful guide to avoid browser hacks and phishing:…
