You can also apply the steps shown in the process analysis section to confirm the processes that appear in the HJT entries for those hijack group codes. However, one of the most effective ways to analyze a log is to apply some common sense to the values it shows. For example, in this HJT incident:
the original poster of the thread complained: "Internet Explorer window title keeps reporting that it has been hacked by Spiderman 2007-june-10"
Based on the HJT code guide provided above, this must have something to do with registry changes to the Internet Explorer start and search page settings; in short, a browser hijacking problem.
Examining his HJT entries reveals this line:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Spiderman 2007-June-10
Common sense tells us that this is a bad entry that needs correction. If the browser has been hijacked, a registry value has been changed to point it at sites you did not choose. For example, instead of opening the IE start page at a site you set, such as MSN.COM or YAHOO.COM, the browser opens a site chosen by someone else. HJT logs clearly show this type of problem, typically in the R0 to R3 entries.
So the hacker in this case created a registry value (indicated by R1) that makes Windows Internet Explorer always show "Hacked by Spiderman 2007-June-10" as its window title. The key to successfully analyzing R0 to R3 entries is to double-check whether each URL value is legitimate.
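The R0 to R3 check described above, as an added triage script that is not part of the original article: it parses R-lines from a constructed sample log, flags any Window Title override, and compares Start Page and Search Page hosts against an analyst-maintained allowlist (the allowlist contents and the sample lines are assumptions, not data from the thread).

```python
import re
from urllib.parse import urlparse

# Constructed sample HJT lines (not a real log). The O2 line uses a
# placeholder CLSID and is only there to show that non-R lines are skipped.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.msn.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Hacked by Spiderman 2007-June-10
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.unknown-host.invalid/find?q=
O2 - BHO: Yahoo! Toolbar Helper - {CLSID-PLACEHOLDER} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
"""

# Hosts the analyst accepts as expected home/search pages (assumption; edit per environment).
KNOWN_GOOD_HOSTS = {"www.msn.com", "msn.com", "www.yahoo.com", "yahoo.com", "www.google.com"}

# "R1 - <registry key>,<value name> = <value>"
R_LINE = re.compile(r"^(R[0-3]) - (.+?),([^=]+?) = (.*)$")

def parse_r_entry(line):
    """Split an R0-R3 line into (code, registry key, value name, value); None if not an R-line."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    code, key, name, value = m.groups()
    return code, key.strip(), name.strip(), value.strip()

def assess_r_entry(entry):
    """Return (verdict, reason) for one parsed R0-R3 entry."""
    code, key, name, value = entry
    field = name.lower()
    if field == "window title":
        return "suspicious", "Window Title is normally unset; a custom title is a classic hijack marker"
    if field in ("start page", "search page", "default_page_url", "default_search_url", "searchurl"):
        host = urlparse(value).hostname or ""
        if host in KNOWN_GOOD_HOSTS:
            return "ok", f"{name} points at known host {host}"
        return "suspicious", f"{name} points at unrecognised host '{host or value}'"
    return "review", f"{name} is not a field this checker knows; verify manually"

def triage(log_text):
    """Assess every R0-R3 line in a log; returns a list of (code, value name, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        entry = parse_r_entry(line)
        if entry is None:
            continue  # O2/O3/O4 and other groups need a different check
        verdict, reason = assess_r_entry(entry)
        results.append((entry[0], entry[2], verdict, reason))
    return results

if __name__ == "__main__":
    for code, name, verdict, reason in triage(SAMPLE_LOG):
        print(f"{code:3} {name:14} {verdict:10} {reason}")
```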
O2 to O4 entries are Browser Helper Objects (a BHO is a plug-in that extends the IE browsing experience; it can be used by legitimate developers, but also by malicious code developers), MSIE toolbars, and automatic-loading registry entries (processes that run automatically without your intervention).
In general, O5 to O24 entries point to issues involving browser hijacking. For example, O10, "Breaking of Internet access by New.Net or WebHancer," means something has changed in the Winsock LSP, one of the most important pieces of your Internet connection. Someone hijacking it means the data entering and leaving your computer may have been compromised. You can test whether the file found in this section is legitimate or malware by using the procedure provided earlier.
These groups can contain both legitimate and non-legitimate entries. Examples of legitimate entries are the following:
O2 is a Yahoo toolbar helper, O3 is a Live toolbar, and O4 is an NVIDIA video card entry. How do I know? I searched Google and applied the techniques in the first section of this article.
For example, according to http://www.processlibrary.com:
Yt.dll process path: %programfiles%\yahoo!\companion\installs