Reading HijackThis logs

Reading HijackThis (HJT) logs is not for the faint of heart. The log lists every point a hijacker could use to take over your system or browser, so it can get quite long. Most entries are benign, and it is up to you to figure out which ones are malicious and need to be removed. You may want someone else to look at the log (see 'sites that analyze a HJT log'). But if you want to try it yourself, read on.

When you run the 'Scan' option in HijackThis, you get a list of places on your computer that may allow your computer or browser to be hijacked. Each line in a HijackThis log starts with a section name (R0, F1, O4 and so on) that indicates what category the entry falls into. When you analyze a log, follow the instructions below for the section of each line.

First you need to go over the details of this log yourself, or post it on a web site that specializes in looking at these problems. Next you need to decide how to fix anything you have decided needs to be removed. HJT can fix many of the problems itself, but sometimes you need another program to help.

This is a list of the categories in an HJT log and how to handle those potential problems. Remember that they are only potential problems. Some people panic when they see this huge list: OMG, LOOK AT ALL THE SPYWARE I HAVE!

  • R0, R1, R2, R3 These are the start/search pages in Internet Explorer
    Usually all you need to do is look at the URLs and check whether you recognize them as your home page or a search engine. If it is what you expected, don't worry. Otherwise let HJT fix it.

    • R0 - Changed registry value
    • R1 - Created registry value
    • R2 - Created registry key
    • R3 - Created extra registry value where only one should be


  • F0, F1 Autoloading programs

    • F0 - Changed inifile value (the Shell= line in system.ini; these are always bad, have HJT fix them)
    • F1 - Created inifile value (the Load= and Run= lines in win.ini; these are usually old programs, so do some research on them before fixing)


  • F2 and F3 Changed/created inifile value, mapped to the Registry
    The same Shell=, Load= and Run= settings as F0 and F1, but read from the registry keys that NT-based Windows (NT/2000/XP) maps system.ini and win.ini to. Treat them the same way as F0 and F1.


  • N1, N2, N3, N4 Netscape/Mozilla start/search page URLs
    (These are usually safe. They rarely get hijacked; only Lop.com has been known to do this. Should you see a URL you don't recognize as your home page or search page, have HijackThis fix it.)

    • N1 - Change in prefs.js of Netscape 4.x
    • N2 - Change in prefs.js of Netscape 6
    • N3 - Change in prefs.js of Netscape 7
    • N4 - Change in prefs.js of Mozilla


  • O1 Hosts file redirection
    A Hosts entry sends the host name on the right to the IP address on the left. If the IP does not belong to that host name, you will be sent to the wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file yourself (for example an ad-blocking hosts file that maps ad servers to 127.0.0.1).

    If the redirection is in C:\Windows\Help\hosts on a 2000/XP machine, this could be a CoolWebSearch infection (very bad!). Always fix this item, or use CWShredder to repair it.


  • O2 Browser Helper Objects
    If you don't directly recognize a Browser Helper Object's name, see if it's listed on TonyK's BHO & Toolbar List (see the reference sites).


  • O3 Internet Explorer toolbars
    If you don't directly recognize a toolbar's name, see if it's listed on TonyK's BHO & Toolbar List (see the reference sites).

    In a Lop.com infection the toolbar is not on the list, the name (after "Toolbar:") looks like a bunch of random characters, and the file sits in the 'Application Data' folder. In that case, you should definitely have HijackThis fix it.


  • O4 Autoloading programs from the Registry and Startup groups
    Verify an entry with PacMan's Startup List to see whether it's good or bad (see the reference sites).

    If the item shows a program sitting in a Startup group, HJT cannot fix it while the program is still running. Use the Windows Task Manager (TASKMGR.EXE) to end the process before fixing it.


  • O5 IE Options icon not visible in Control Panel
    Unless you or your system administrator have knowingly hidden the icon from Control Panel, have HijackThis fix it.


  • O6 IE Options access restricted
    Unless you have the Spybot S&D option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix it.

    If you want this restriction in the future, set it deliberately with the Spybot S&D option rather than leaving an unknown entry in place.


  • O7 Regedit access restricted
    If you did not knowingly do this or you do not recognize it, have HijackThis fix it.


  • O8 IE's context menu
    If you did not knowingly do this or you do not recognize it, have HijackThis fix it.


  • O9 IE toolbar or 'tool' menu items
    If you did not knowingly do this or you do not recognize it, have HijackThis fix it.


  • O10 Winsock hijacker
    Fix these using LSPFix from Cexx.org, or Spybot S&D from Kolla.de (see reference sites).

    Note that 'unknown' files in the LSP stack will not be fixed by HijackThis, for safety issues.


  • O11 IE 'Advanced Options' entries
    The only hijacker so far that adds its own options group to the IE Advanced Options window is CommonName. You can always have HijackThis fix this.


  • O12 IE plugins
    Most of the time these are safe. Only OnFlow adds a plugin here that you don't want. It always has the extension .OFB.


  • O13 IE defaultprefix hijack
    These are always bad. Have HijackThis fix them.


  • O14 'Reset Web Settings' hijack
    If the URL is not from your computer's vendor or your ISP, have HijackThis fix it.


  • O15 Trusted Zone entry
    Most of the time only AOL and CoolWebSearch silently add sites to the Trusted Zone. If you didn't add the listed domain to the Trusted Zone yourself, have HijackThis fix it.


  • O16 ActiveX Objects
    If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.

    Javacool's SpywareBlaster has a huge database of malicious ActiveX objects that can be used for looking up CLSIDs. (Right-click the list to use the Find function.)


  • O17 Lop.com domain hijackers
    Each entry lists a registry key and one of the Domain, SearchList or NameServer values.

    • Domain (if the entry is not from your ISP or company network, have HijackThis fix it)

    • SearchList (if the entry is not from your ISP or company network, have HijackThis fix it)

    • NameServer (the DNS servers you are using; if the entry is not from your ISP or company network, Google for the IP and see if it is good or bad)


  • O18 protocol alterations
    While only a few hijackers use this method, you should have HijackThis fix those that are known to be bad: 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar).

    If the log calls it a "protocol hijack" (i.e. the CLSID of an existing protocol handler has been changed), have HJT fix it.

    Anything else simply has not been confirmed as safe or unsafe, so fix it with HJT at your own discretion.


  • O19 style sheet hijack
    If you have browser slowdowns and frequent popups, have HJT fix this. However, since only CoolWebSearch does this, it's better to use CWShredder to fix it.


  • O20 Registry autorun - AppInit_DLLs
    This is the value AppInit_DLLs under the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    This value is used by very few legitimate programs (Norton CleanSweep is one), but usually it is used by a trojan or an aggressive browser hijacker. Every DLL listed here is loaded into every process that loads user32.dll, which on a normal desktop means practically every program started after the user logs in, and it stays in memory until you log off.

    Sometimes a DLL name has a pipe (|) prefixed to it. This is a 'hidden' DLL which is only visible when using the 'Edit Binary Data' option in Regedit.

    Once again, you sometimes have to decide for yourself whether this should be fixed.


  • O21 Registry autorun - ShellServiceObjectDelayLoad
    This Registry key is located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    This is an undocumented autorun method, normally used by a few Windows system components that Explorer loads when Windows starts.

    HJT keeps a list of the common, legitimate SSODL items and leaves them out of the log, so any item that does appear is unknown and possibly malicious. Fix it, but treat it with extreme care.


  • O22 Registry autorun - SharedTaskScheduler
    This Registry key is located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (not the SSODL key listed under O21)

    This is another undocumented autorun. It only works on Windows NT/2000/XP, so it is used very rarely. So far only CWS.Smartfinder uses it. Fix it, and treat it with care.


  • O23 Windows NT services
    The non-Microsoft services listed here should match the entries on the Services tab of the Msconfig utility in Windows XP.

    However, several trojan hijackers use a home-made service, in addition to their other startup entries, to reinstall themselves. Trojans usually give the service a full display name that sounds very important, like 'Network Security Service', 'Workstation Logon Service' or 'Remote Procedure Call Helper'. But the name between the brackets is the actual service name inside the registry, and for a trojan it is usually just a bunch of random garbage. The program listed in the last part of the line is the executable the service runs.

    If it looks like a trojan (see above), use HJT to fix it. But that will only stop and disable the service; it will still exist in the registry. You can delete it with Regedit.exe or with another tool. HijackThis 1.99.1 or higher has a button ('Delete NT Service') in the Misc Tools section to do this.


source: Merijn's HJT manual
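
The rules above for the R0-R3, O1, O17 and O23 sections are mechanical enough to script. The following is an added Python example, not part of Merijn's manual or of HijackThis itself, that parses log lines in the format shown on this page and gives each one an ok/review/fix verdict. The sample log is constructed (documentation IP ranges, a made-up GUID, an invented service), the sets KNOWN_PAGES and KNOWN_DNS stand in for the home pages and ISP resolvers you would recognise as your own, and looks_random() is a rough vowel/digit heuristic for the "random garbage" service names, so expect some false positives on short legitimate names such as RpcSs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in the line format this page describes (not a real capture).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/?q=
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ads.example.test
O1 - Hosts: 203.0.113.5 www.google.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E5F7C12-0A9B-4C3D-8E21-6F1A2B3C4D5E}: NameServer = 198.51.100.1,203.0.113.9
O23 - Service: Network Security Service (qh3kz9) - Unknown - C:\WINDOWS\system32\svch0st.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
"""

# Assumptions for this example: pages and DNS servers the user recognises as their own.
KNOWN_PAGES = {"www.google.com", "www.msn.com"}
KNOWN_DNS = {"198.51.100.1", "198.51.100.2"}   # stand-ins for the ISP's resolvers

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^Service: (.+?) \(([^)]+)\) - (.+?) - (.+)$")

def parse_line(line):
    """Split 'O23 - body' into (section, body); None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage_r(body):
    """R0-R3: the URL after '=' must be a start/search page the user recognises."""
    if " = " not in body:
        return "review", "no URL in entry"
    url = body.rsplit(" = ", 1)[1].strip()
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_PAGES:
        return "ok", host
    return "fix", "unrecognised start/search page " + url

def triage_o1(body):
    """O1: 'Hosts: IP NAME' sends NAME to IP. A loopback/null IP only blocks the name
    (typical of a user-installed ad-block hosts file); any other IP redirects it."""
    m = HOSTS_RE.match(body)
    if not m:
        return "review", body
    ip, name = m.groups()
    if name.lower() == "localhost":
        return "ok", "standard localhost entry"
    if ip in ("127.0.0.1", "0.0.0.0", "::1"):
        return "review", f"{name} is blocked; fine only if you added it yourself"
    return "fix", f"{name} is redirected to {ip}"

def triage_o17(body):
    """O17: every NameServer IP should belong to your ISP or company network."""
    if "NameServer = " not in body:
        return "review", body
    servers = body.split("NameServer = ", 1)[1].split(",")
    foreign = [s.strip() for s in servers if s.strip() not in KNOWN_DNS]
    if foreign:
        return "fix", "unknown DNS server(s): " + ", ".join(foreign)
    return "ok", "all resolvers known"

def looks_random(name):
    """Heuristic for 'random garbage' registry names: almost no vowels, or 2+ digits."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return True
    vowels = sum(c in "aeiouy" for c in letters)
    digits = sum(c.isdigit() for c in name)
    return vowels / len(letters) < 0.2 or digits >= 2

def triage_o23(body):
    """O23: 'Service: Display Name (RegName) - Company - path'. A grand display name
    with a garbage registry name, or an unknown vendor, is the pattern to fix."""
    m = SERVICE_RE.match(body)
    if not m:
        return "review", body
    display, regname, company, path = m.groups()
    if looks_random(regname) or company.strip().lower() == "unknown":
        return "fix", f"{display!r} runs as {regname} from {path} ({company})"
    return "ok", f"{display} ({company})"

HANDLERS = {"R0": triage_r, "R1": triage_r, "R2": triage_r, "R3": triage_r,
            "O1": triage_o1, "O17": triage_o17, "O23": triage_o23}

def triage_log(text):
    """Return one (section, verdict, reason) per log entry; verdicts are ok/review/fix."""
    results = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        handler = HANDLERS.get(section)
        if handler is None:
            verdict, reason = "review", "no rule here; check it against the list above"
        else:
            verdict, reason = handler(body)
        results.append((section, verdict, reason))
    return results

if __name__ == "__main__":
    for section, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<7} {reason}")
```

Sections without a handler (O4 in the sample) come back as "review", which is the honest answer for anything that still needs a lookup in PacMan's Startup List or TonyK's BHO list. The O23 rule deliberately treats an 'Unknown' company as reason enough to flag, since the important-sounding display name is exactly what the page says a trojan relies on.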