[HijackThis Log: Self-Guide] - Computer Technology Forums




Posted by: DMo224

[COLOR=blue][b]Credit: [i]HijackThis[/i], a great protection program known the world over, was created by Merijn Bellekom.[/b] He has also created some other really good programs (like CWShredder). [url=http://www.merijn.org/]Click here to visit his website.[/url] If you like his FREE programs, you can [url=http://www.merijn.org/donate.html]donate here[/url].[/COLOR]

[color=red][b]Caution:[/b] Do NOT fix any items in your HijackThis log unless you are absolutely sure of what you are fixing. Many of the list items are necessary for the functioning of your PC.[/color]

[i][b]This is a simple guide to explain what the notations mean in your HijackThis log and is not meant to replace asking for help. However, study of this list, along with the mentioned web sites can help with understanding the log and learning how to do the fixes.[/b][/i]

[u]Listed below are the possible entries into your log. A more in-depth explanation will follow.[/u]

[url=http://www.tech-forums.net/showthread.php?s=&postid=225767#post225767][b]R0, R1, R2, R3[/b][/url] - Internet Explorer Start/Search pages URLs
[url=http://www.tech-forums.net/showthread.php?s=&postid=225767#post225767][b]F0, F1[/b][/url] - Autoloading programs
[url=http://www.tech-forums.net/showthread.php?s=&postid=225795#post225795][b]N1, N2, N3, N4[/b][/url] - Netscape/Mozilla Start/Search pages URLs
[url=http://www.tech-forums.net/showthread.php?s=&postid=225795#post225795][b]O1[/b][/url] - Hosts file redirection
[url=http://www.tech-forums.net/showthread.php?s=&postid=228428#post228428][b]O2[/b][/url] - Browser Helper Objects
[url=http://www.tech-forums.net/showthread.php?s=&postid=228428#post228428][b]O3[/b][/url] - Internet Explorer toolbars
[url=http://www.tech-forums.net/showthread.php?s=&postid=249823#post249823][b]O4[/b][/url] - Autoloading programs from Registry
[url=http://www.tech-forums.net/showthread.php?s=&postid=249823#post249823][b]O5[/b][/url] - IE Options icon not visible in Control Panel
[url=http://www.tech-forums.net/showthread.php?s=&postid=249823#post249823][b]O6[/b][/url] - IE Options access restricted by Administrator
[b]O7[/b] - Regedit access restricted by Administrator
[b]O8[/b] - Extra items in IE right-click menu
[b]O9[/b] - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
[b]O10[/b] - Winsock hijacker
[b]O11[/b] - Extra group in IE 'Advanced Options' window
[b]O12[/b] - IE plugins
[b]O13[/b] - IE DefaultPrefix hijack
[b]O14[/b] - 'Reset Web Settings' hijack
[b]O15[/b] - Unwanted site in Trusted Zone
[b]O16[/b] - ActiveX Objects (aka Downloaded Program Files)
[b]O17[/b] - Lop.com domain hijackers
[b]O18[/b] - Extra protocols and protocol hijackers
[b]O19[/b] - User style sheet hijack

[i]Included in the HijackThis program is a listing of all possible log items.[/i]

[size=1]The different sections of hijacking possibilities have been separated into these groups:
[b]R - Registry, StartPage/SearchPage changes[/b]
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
[b]F - IniFiles, autoloading entries[/b]
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
[b]N - Netscape/Mozilla StartPage/SearchPage changes[/b]
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
[b]O - Other, several sections which represent:[/b]
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key[/size]




[I]Work in progress....more information to follow about the list items.[/I]

Dave :D



Posted by: DMo224

[b]R0, R1, R2, R3 - IE Start & Search page[/b]

[i]Sample list items:[/i]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing

[i]Instructions:[/i]
If you recognize the URL at the end (as either your homepage or a search engine), then it's okay. If you don't recognize it, check the item so HijackThis fixes it. R3 items should always be fixed unless the entry mentions a program that you recognize and use.

------------------------------------------------------------

[b]F0, F1 - Autoloading programs [/b]

[i]Sample list items:[/i]

F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

[i]Instructions:[/i]
F0 list items are always bad and should be fixed. The F1 list items are usually old programs that are safe, but you should obtain more information on the filename to see if it needs to be fixed.



Posted by: DMo224

[b]N1, N2, N3, N4 - Netscape/Mozilla Start & Search page [/b]

[i]Sample list items:[/i]

N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine:// C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)

[i]Instructions:[/i]
The Netscape and Mozilla homepage and search page are usually safe because they rarely get hijacked. However, if you don't recognize the URL as your homepage or search page, have HJT fix it.

-------------------------------------------------------------------------

[b]O1 - Hostsfile redirection [/b]

[i]Sample list items:[/i]

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

[i]Instructions:[/i]
This is a hijack: each list item redirects the address on the right to the IP on the left. If the IP does NOT belong to that address, you will be redirected to the wrong site every time the URL is entered. Unless you entered those lines in your hosts file yourself, have HJT fix them.
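To make the R, F and O1 rules from the two posts above concrete, here is an added Python example (not code from this guide or from HijackThis) that applies them to constructed sample lines; the KNOWN_HOSTS allowlist and the sample lines are assumptions, and the one real IP/hostname pair is the one quoted in the O1 samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines, modelled on the R/F/O1 formats quoted in the guide.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.hijack-example.test/",
    r"R3 - Default URLSearchHook is missing",
    r"F0 - system.ini: Shell=Explorer.exe Openme.exe",
    r"F1 - win.ini: run=hpfsched",
    r"O1 - Hosts: 127.0.0.1 ads.example.test",
    r"O1 - Hosts: 216.177.73.139 auto.search.msn.com",
]

# Hosts the user recognises as their own home/search pages (assumption: supplied by the analyst).
KNOWN_HOSTS = {"www.google.com"}
# Hosts-file entries pointing at the local machine block a name rather than redirect it.
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


def triage(line):
    """Return (code, verdict, detail) for one log line; verdict is 'ok', 'fix' or 'check'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code in ("R0", "R1", "R2"):
        url = body.split("=", 1)[1] if "=" in body else ""
        host = urlsplit(url).hostname or url
        return (code, "ok" if host in KNOWN_HOSTS else "fix", host)
    if code in ("R3", "F0"):
        # Guide: R3 is fixed unless it names a program you use; F0 is always bad.
        return (code, "fix", body)
    if code == "F1":
        # Usually an old, harmless program, but look the filename up before fixing.
        return (code, "check", body.split("=", 1)[-1])
    if code == "O1":
        ip, host = body.split(":", 1)[1].split()[:2]
        if ip in LOCAL_IPS:
            return (code, "ok", f"{host} blocked locally")
        return (code, "fix", f"{host} redirected to {ip}")
    return (code, "check", body)


def triage_log(lines):
    """Triage every recognised line of a log, skipping anything that does not parse."""
    return [r for r in map(triage, lines) if r]
```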



Posted by: DMo224

[b]O2 - Browser Helper Objects [/b]

[i]Sample list items:[/i]

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL

[i]Instructions:[/i]
If you don't readily recognize a Browser Helper Object's name, use [i]TonyK's BHO List[/i] ([url=http://sysinfo.org/bhoinfo.php]official list here[/url]) to find it by the class ID (CLSID, the number between the curly brackets) to see if it's good or bad. [size=1]Listed BHOs are tagged X for certified spyware or other malware, L for legitimate items, O for 'open to debate' and ? for BHOs of unknown status.[/size]

[url=http://www.spywareinfo.com/~merijn/files/bholist.zip]BHO List Zip File[/url]
[url=http://www.spywareinfo.com/bhos/]SpywareInfo BHOs information[/url]

-------------------------------------------------------------------------

[b]O3 - IE toolbars [/b]

[i]Sample list items:[/i]

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL

[i]Instructions:[/i]
If you don't readily recognize a toolbar's name, use [i]TonyK's Toolbar List[/i] (link above) to find it by the class ID (CLSID, the number between the curly brackets) to see if it's good or bad. [size=1]Listed BHOs are tagged X for certified spyware or other malware, L for legitimate items, O for 'open to debate' and ? for BHOs of unknown status.[/size]

If it is not on the list, and (1) the name seems to be a random string of characters, and (2) the file is somewhere in a folder named "[i]Application Data[/i]", then it is definitely bad and you should have HJT fix it.
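The O2/O3 checks above (look the CLSID up, treat "file missing" entries as dead, and flag a random-looking name under "Application Data") as an added Python example; this is not code from the guide or from HijackThis, the CLSID_STATUS table is a constructed stand-in for the real X/L/O/? list, and the sample lines are the ones quoted above.

```python
import re

# Sample lines taken from the O2/O3 examples in the guide.
SAMPLE_LINES = [
    r"O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL",
    r"O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)",
    r"O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL",
]

# Constructed stand-in for the CLSID status list (X/L/O/?); not the real list.
CLSID_STATUS = {"13F537F0-AF09-11D6-9029-0002B31F9E59": "L"}

ENTRY_RE = re.compile(
    r"^(?P<code>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def looks_random(name):
    """Crude check for the 'random string of characters' names the guide describes:
    a single lowercase run of letters with very few vowels."""
    name = name.lstrip("&")
    if not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return len(name) >= 8 and vowels / len(name) < 0.25


def assess(line):
    """Parse one O2/O3 line and return its CLSID, list status and a triage verdict."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    clsid = m["clsid"].upper()          # normalise case so the lookup matches
    path = m["path"].upper()
    status = CLSID_STATUS.get(clsid, "?")
    reasons = []
    if status == "X":
        reasons.append("listed as malware")
    if m["missing"]:
        reasons.append("file missing")  # dead entry, safe to fix
    if status == "?" and looks_random(m["name"]) and "\\APPLICATION DATA\\" in path:
        reasons.append("random name under Application Data")  # guide: definitely bad
    verdict = "ok" if status == "L" else ("fix" if reasons else "lookup")
    return {"code": m["code"], "clsid": clsid, "status": status,
            "verdict": verdict, "reasons": reasons}
```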



Posted by: DMo224

[b]O4 - Autoloading Programs from Registry [/b]

[i]Sample list items:[/i]

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogon.exe

[i]Instructions:[/i]
Use [b][url=http://www.sysinfo.org/startupinfo.html]PacMan's Startup List[/url][/b] to find the entry and see if it's good or bad. If the item shows a program sitting in a Startup group (like the last item above), HijackThis cannot fix the item if this program is still in memory. Use the Windows Task Manager to close the process prior to fixing.

To use the startup list, copy the information between the [ ] brackets and paste into the search box.

[url=http://www.sysinfo.org/startupinfo.html]PacMan's Startup List[/url] [url]http://www.sysinfo.org/startupinfo.html[/url]

-------------------------------------------------------------------------

[b]O5 - IE Options icon not visible in Control Panel [/b]

[i]Sample list items:[/i]

O5 - control.ini: inetcpl.cpl=no

[i]Instructions:[/i]
Unless you, or your system administrator, have knowingly hidden the icon from Control Panel, have HijackThis fix it.

-------------------------------------------------------------------------

[b]O6 - IE Options access restricted by Administrator [/b]

[i]Sample list items:[/i]

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

[i]Instructions:[/i]
Unless you have the [i]Spybot S&D[/i] option [i]'Lock homepage from changes'[/i] active, [u]or[/u] your system administrator put this into place, have HijackThis fix this.
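For the O4 post above, here is an added Python example (not code from the guide or from HijackThis) that pulls the bracketed name out of a Run entry for the startup-list search, separates the executable from its arguments even when an unquoted path contains spaces, and flags Startup-group items, which the guide says must be closed in Task Manager before HijackThis can fix them; the sample lines are the ones quoted above.

```python
import re

# Sample lines taken from the O4 examples in the guide.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"O4 - Global Startup: winlogon.exe",
]

REG_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GROUP_RE = re.compile(r"^O4 - (?P<group>(?:Global )?Startup): (?P<name>.*?)(?: = (?P<cmd>.*))?$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|pif))(?:\s+(?P<args>.*))?$", re.IGNORECASE)


def split_command(cmd):
    """Separate the executable from its arguments: honour a quoted path, and for an
    unquoted path containing spaces stop at the first executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m["exe"], m["args"] or ""
    head, _, tail = cmd.partition(" ")
    return head, tail


def parse_o4(line):
    """Return the lookup key, executable, arguments and source of one O4 line."""
    m = REG_RE.match(line.strip())
    if m:
        exe, args = split_command(m["cmd"])
        return {"source": f"{m['hive']}\\..\\{m['key']}", "lookup_key": m["name"],
                "exe": exe, "args": args, "in_startup_group": False}
    m = GROUP_RE.match(line.strip())
    if m:
        exe, args = split_command(m["cmd"]) if m["cmd"] else (m["name"], "")
        name = m["name"][:-4] if m["name"].lower().endswith(".lnk") else m["name"]
        # Startup-group items run from a shortcut; the process must be closed before fixing.
        return {"source": m["group"], "lookup_key": name,
                "exe": exe, "args": args, "in_startup_group": True}
    return None
```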



