Interpreting HiJackThis Logs in Windows XP
By: Codex-M
    2009-09-22

    Table of Contents:
  • Interpreting HiJackThis Logs in Windows XP
  • Process Analysis, an Example
  • HJT Group Analysis
  • Malware Removal Steps

    Interpreting HiJackThis Logs in Windows XP - HJT Group Analysis


    (Page 3 of 4 )

    After checking the running processes to see whether any of them are malware, we proceed to the group analysis. There are many HJT group codes; they are listed in this reference:

    http://hjt-data.trendmicro.com/hjt/display_data.php?report=

    You can apply the same steps used in the process analysis to confirm the files that appear in the entries for those group codes. Often, though, the most effective check is to apply some common sense to the values shown. For example, in this HJT incident:

    http://social.technet.microsoft.com/Forums/en-US/Forefrontclientgeneral/thread/d3158d94-b260-4235-9470-4f6154e488ea

    the original poster of the thread complained: "internet explorer windows title keeps reporting that it has been hacked by Spiderman 2007-june-10".

    Based on the HJT code guide above, a changed window title points to the R0 to R3 group: registry values under the Internet Explorer Main key, which also holds the start page and search page settings. In short, a browser hijacking problem.

    Examining the poster's HJT entries reveals this line:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Spiderman 2007-June-10

    Common sense tells us that this is a bad entry and needs correction. A browser hijack is a change to the registry values that control Internet Explorer, usually to point the browser at sites you did not choose. For example, instead of opening at a start page you set, such as MSN.COM or YAHOO.COM, IE opens at a site chosen by the hijacker. HJT logs show this type of problem clearly, typically in the R0 to R3 entries.

    So the attacker in the example above created a registry value (reported as R1) that makes Internet Explorer always display the title "Hacked by Spiderman 2007-June-10." The key to analyzing R0 to R3 entries is to double-check whether the URL or text value is one that you, or software you installed, legitimately set. Note that the Window Title entry above contains no URL at all and is still plainly malicious, so do not limit the check to URL values.

    O2 entries are Browser Helper Objects (a BHO is a plug-in DLL that IE loads to extend the browsing experience; legitimate developers use them, but so do malware authors), O3 entries are IE toolbars, and O4 entries are autostart registry entries (programs that run automatically at logon without your intervention).

    The O5 to O24 entries cover many other hijack points. One example is O10, which the guide describes as "Breaking of Internet access by New.Net or WebHancer": something has been inserted into the Winsock LSP chain. A Layered Service Provider is not a process but a DLL hooked into the Winsock stack, and every network connection on the machine passes through it, so a malicious LSP can read or alter the data entering and leaving your computer. You can test whether the file listed in an O10 entry is legitimate or malware with the same process-analysis procedure from the first section.

    All of these groups can contain both legitimate and illegitimate entries. Examples of legitimate entries are the following:

    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    The O2 entry is the Yahoo! Toolbar Helper, the O3 entry is the Windows Live Toolbar, and O4 is an NVIDIA video card driver entry. How do I know? I searched Google and applied the techniques from the first section of this article.

    For example, according to http://www.processlibrary.com

    yt.dll process path: %programfiles%\yahoo!\companion\installs

    Using Google, I got this search result:

    http://www.tallemu.com/oasis2/file/microsoft_corporation/windows_live_toolbar/wltcore_dll/814296

    wltcore.dll process path: %ProgramFiles%\Windows Live\Toolbar

    The lookup paths match the paths in the HJT entries, so these are not malware or spyware entries. Compare the full path, not just the filename: a DLL with a familiar name sitting in an unexpected directory, such as the Windows system directory, deserves the same scrutiny as an unknown one.
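    As an added example, not code from this article or from the HijackThis project, the following Python script applies the two checks described above to R0 to R3 and O2/O3 lines: it flags IE registry values that carry a custom window title or a URL whose host is not on a known-good list, and it compares each BHO or toolbar DLL's directory with the install path a trusted lookup reports for that filename. The sample log excerpt, the host allow-list and the DLL path table are constructed for this example (the path table mirrors the two lookups quoted above); the third and sixth sample lines are placeholders, and the CLSID and DLL name in the last line are invented for illustration only.

```python
import re
from urllib.parse import urlparse

# Constructed sample HJT log excerpt, modelled on the entries quoted in this
# article with the backslashes restored. The third and sixth lines are
# placeholders written for this example, not entries taken from the article.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Spiderman 2007-June-10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\placeholder.dll
"""

# Assumed allow-lists: hosts you would expect in IE start/search values, and
# DLL filenames with the install directory that the lookups quoted in the
# article (processlibrary.com, tallemu.com) report for them.
KNOWN_GOOD_HOSTS = {"www.msn.com", "msn.com", "www.yahoo.com", "yahoo.com",
                    "www.google.com", "www.microsoft.com"}
KNOWN_GOOD_DLLS = {
    "yt.dll": r"%programfiles%\yahoo!\companion\installs",
    "wltcore.dll": r"%programfiles%\windows live\toolbar",
}

# R0-R3: "<group> - <hive\key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O2/O3: "<group> - <kind>: <display name> - {CLSID} - <dll path>"
O_ENTRY = re.compile(r"^(O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
                     r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def normalize_dir(path):
    """Fold a Windows DLL path to the directory form used in KNOWN_GOOD_DLLS:
    lower-case, with both the 8.3 (PROGRA~1) and long forms of Program Files
    mapped to the %programfiles% token, and the filename dropped."""
    directory = path.lower().rsplit("\\", 1)[0]
    for prefix in (r"c:\progra~1", r"c:\program files"):
        if directory.startswith(prefix):
            directory = "%programfiles%" + directory[len(prefix):]
            break
    return directory


def check_r_entry(m):
    """Verdict for an R0-R3 match: is this a value the user would have set?"""
    name, data = m["name"].strip(), m["data"].strip()
    if name.lower() == "window title":
        # IE has no Window Title value by default; anything here was written
        # by software, and a taunting string is a textbook hijack marker.
        return "SUSPECT", "custom IE window title: %r" % data
    if data.lower().startswith(("http://", "https://")):
        host = urlparse(data).hostname or ""
        if host in KNOWN_GOOD_HOSTS:
            return "OK", "%s points at known host %s" % (name, host)
        return "SUSPECT", "%s points at unrecognised host %r" % (name, host)
    return "REVIEW", "%s = %r is not a URL; verify manually" % (name, data)


def check_o_entry(m):
    """Verdict for an O2/O3 match: is the DLL where a trusted lookup says it lives?"""
    path = m["path"].strip()
    filename = path.lower().rsplit("\\", 1)[-1]
    directory = normalize_dir(path)
    expected = KNOWN_GOOD_DLLS.get(filename)
    if expected is None:
        reason = "unknown %s DLL %s in %s" % (m["kind"], filename, directory)
        if m["name"].strip().lower() == "(no name)":
            reason += "; unnamed BHO/toolbar"
        return "SUSPECT", reason
    if directory.startswith(expected):
        return "OK", "%s found under expected path %s" % (filename, expected)
    # Same filename, wrong directory: the usual sign of a borrowed DLL name.
    return "SUSPECT", "%s expected under %s, found in %s" % (filename, expected, directory)


def analyze_hjt_log(log_text):
    """Return a list of (group, verdict, reason) for every R0-R3 and O2/O3 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        r_match = R_ENTRY.match(line)
        o_match = O_ENTRY.match(line)
        if r_match:
            verdict, reason = check_r_entry(r_match)
            findings.append((r_match.group(1), verdict, reason))
        elif o_match:
            verdict, reason = check_o_entry(o_match)
            findings.append((o_match.group(1), verdict, reason))
    return findings


if __name__ == "__main__":
    for group, verdict, reason in analyze_hjt_log(SAMPLE_LOG):
        print("%-3s %-8s %s" % (group, verdict, reason))
```

    Run against the constructed excerpt, the script marks the MSN start page and the two toolbar DLLs as OK, and flags the window title, the search page pointing at an unrecognised host, and the unnamed BHO loaded from the system directory. To use it on a real log, paste the log into SAMPLE_LOG and extend the two allow-lists with what your own lookups establish.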
