If you would like to do HijackThis (HJT) analysis for others, assisted training in HJT analysis is available here: Tom Coyote's Forum BootCamp at SpywareInfo.com
Analyzing your own HJT log, you have the advantage of knowing what is supposed to be on your computer and the ability to compare new and old logs for changes. You can detect suspicious changes on your own computer by comparing pre- and post-infection logs.
When analyzing someone else's HJT log, you typically only have the post-infection log. The training in the above courses teaches a person to consider CLSIDs, naming patterns, directory location, registry codes and other clues. The people there are friendly, and what you learn there can be applied here to infections people report in the BBR Security Forum.
There are no rules on who can and can't give advice in the BBR Security Forum, but the makers of HijackThis encourage people who want to help others to take the free training offered. And the training is interesting whether your main goal is "learning about computer security" or "increasing the accessibility of the Internet."
An interest in helping people is all that is vital when signing up.
Analyzing your own HijackThis log:
a) In Windows Explorer, create a new permanent folder just for HijackThis. C:\HJT is a good folder name.
b) Download HijackThis from either of these websites www.tomcoyote.org/hjt/ or www.majorgeeks.com.
c) Move hijackthis.exe to the folder you created (for example C:\HJT). (Putting HJT in its own permanent folder ensures that HJT will make backups before it deletes something.)
d) Double-click hijackthis.exe, click "Scan" and wait for the scan to finish.
e) When the scan is finished, the "Scan" button will change into a "Save Log" button. Click the "Save Log" button.
f) Only if you are currently having problems with your computer, copy the contents of the log you just saved and paste it into the BBR Security Forum.
- Start a new topic, one topic per infected computer.
- Near the top of your post, put "I am following the steps in the 'I think my computer is infected or hijacked FAQ.'" (HJT analysis takes some effort. That line tells the volunteer HJT specialists that you respect their time and ran the above scans first.)
- Include the results of the earlier AV, AT and AS scans, since this will help in the analysis of the HJT log.
- If nothing turned up in the earlier AV, AT and AS scans, say which scans you did and that nothing turned up.
- Most of what HJT lists will be harmless or even essential; don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
- Wait for feedback from HJT specialists in the forum before deleting anything.
g) If you are not currently having problems with your computer, you can study the HJT log to see what it should normally look like and save it for future reference.
1.0 The process of analyzing the log alone depends largely on filenames. However, it is file contents, not filenames, that dictate what a file does. Files can be easily renamed.
Therefore, short cuts to the problem determination process are inadvisable. The first step in cleaning your computer is to go through the checklist here: Click here.
As you work through that checklist, you will be drawn back here. The checklist begins with free automated scans that examine file contents, moves on to the HijackThis log, covers virus encyclopedias, auxiliary virus removal steps and tools, finally ending up with system security integrity tests.
Automated protection is preferable to the automated cleaning out of malware after it has gotten on your computer.
Also, automated cleaning is preferable to manual cleaning.
If your HJT log reveals some suspected new malware that the automated tools have missed, please submit a copy of the suspected malware file to the anti-virus and anti-trojan vendors here.
If you find suspected adware or hijackware that the automated tools missed, please follow the submission instructions for those products here: Ad-aware, Spybot S&D. If you think you know it, mention the website where you think the adware or spyware probably came from.
2.0 A good approach is to run a HJT log every couple of weeks, saving it with a filename that includes the date (hijackthis08MARCH04.log). If you can, start doing this before your computer is infected.
It is a lot easier to find problems by comparing logs from before and after the problem started, as opposed to looking just at an after-infection HJT log.
To make it even easier, HJT lets you add items you've checked out to the ignore list (add checked to ignore list).
Once your first log has been examined, and the safe items have been ignored, on subsequent scans you can focus on changes.
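The before/after comparison described above can be automated. The script below is an added example for this FAQ, not a tool from the HijackThis author or the BBR forum: it parses the entry lines of two saved logs, drops the entries you have already checked out (the same role as HJT's ignore list) and reports only what appeared or disappeared. Both logs, the file paths and the zero-filled CLSID in them are constructed for the example.

```python
import re

# Constructed sample logs for this example (not logs from the FAQ). BEFORE_LOG
# stands for a log saved on a clean day, AFTER_LOG for one saved once problems
# started. Paths, names and the zero-filled CLSID are placeholders.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Acrobat Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rb32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.net/
O1 - Hosts: 127.0.0.1 www.example.com
O2 - BHO: Acrobat Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loader] C:\WINDOWS\system32\rb32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

# An HJT entry line starts with a section code (R0, F1, O2, O23, ...) then " - ".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, entry) pairs found in an HJT log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).rstrip()))
    return entries


def diff_logs(before_text, after_text, ignore=()):
    """Report which entries appeared and which disappeared between two logs.

    `ignore` plays the role of HJT's ignore list: full entry lines you have
    already checked out, given as they appear in the log ("O4 - HKLM\\..\\Run: ...").
    """
    ignored = {tuple(s.split(" - ", 1)) for s in ignore}
    before = parse_entries(before_text) - ignored
    after = parse_entries(after_text) - ignored
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }


def format_report(diff):
    """Render the diff in the usual +/- style, added entries first."""
    lines = [f"+ {code} - {body}" for code, body in diff["added"]]
    lines += [f"- {code} - {body}" for code, body in diff["removed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Entries checked out on the clean log; they drop out of later comparisons.
    already_checked = [
        r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    ]
    print(format_report(diff_logs(BEFORE_LOG, AFTER_LOG, already_checked)))
```

Run against these two samples the report shows the new O1 hosts entry, the new O4 autostart entry and the changed R0 start page (old value removed, new value added); everything that was present and unchanged in the earlier log stays out of the way, which is the point of keeping dated logs.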
3.0 Before you change anything, backup your registry following the instructions here.
4.0 The process of actually examining your own log is straightforward: you have the advantage of more or less knowing what is supposed to be on your own computer, and you have the ability to compare pre- and post-infection logs for changes. It requires patience and double checking. It does require some experience, so it is a good idea, especially when you are contemplating actually removing something from your computer, to double check by posting in a forum to get the opinions of more experienced HJT analysts.
Be sure to read one of these tutorials before getting started.
- How to use HijackThis to remove Browser Hijackers & Spyware (very good)
- TomCoyote's HijackThis Quick Start
- Tutorial by the author of HijackThis, Merijn
These three sites are excellent resources for looking up log entries.
- AnswersThatWork: Task List Programs
- Windows Process Library - Common Applications
- Windows Process Library - Security Risks
- Windows Process Library - System Processes
- Resource on programs from Computer Cops*
- Resource on browser helper objects (BHOs) from Computer Cops*
- Resource on LSPs (network Layered Service Providers)*
- ProcessLibrary.com: Free Process Information
- CastleCops.com StartupList Index
- CastleCops.com O23 List of Windows XP/NT services
- FBJ's HJT list
- FAQ on "O1 - Hosts" entries
(*Thanks to Tony Klein, Pieter Arntz, Zupe and others.)
For things I'm not absolutely sure on, or that aren't listed on those two websites, I use www.google.com. I read a selection of the search hits that come back. With a bit of practice, you figure out which sites are better than others.
Four things you need to be careful of:
4.0.1 Reports of files containing malware, where the files are common system files that are sometimes infected. Just because some copies of notepad.exe are infected doesn't mean your copy of notepad.exe is infected.
This is why virus scanners are so useful: they look at the file contents.
4.0.2 Two companies can give their files the same name. Just because someone else's logger.exe is a trojan doesn't mean every file any programmer ever called logger.exe is a trojan. In Windows Explorer, right-clicking on the file and examining the file's Properties, and also noting the file location, are good clues to where the file comes from and what it might be a part of.
File behavior is another clue that a file with a friendly name is malware. This is where anti-trojan monitors come in. They usually include components to look for trojan-like behavior.
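Points 1.0, 4.0.1 and 4.0.2 come down to the same thing: judge a file by its contents and its location, not by its name. The following added example (written for this FAQ, not part of HijackThis or any of the lookup sites above) pulls the file paths out of an HJT entry line, checks whether a file with a well-known name sits in the directory where that name normally lives, and hashes file contents so that a copy can be compared with a known-good one or submitted to a vendor. The EXPECTED_DIRS table is a constructed starting point; a real one would be built from your own clean log.

```python
import hashlib
import os
import tempfile
import re

# A Windows path inside an HJT entry: drive letter, backslash, then anything up
# to an executable-type extension. Paths with spaces (C:\Program Files\...) are
# kept because the match runs until the extension, not until the next space.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|ocx)", re.IGNORECASE)

# Constructed table for this example: where a file of this name normally lives.
# Keys and directories are lower-case so comparisons ignore case, as Windows does.
EXPECTED_DIRS = {
    "notepad.exe": {r"c:\windows", r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
}


def extract_paths(entry_line):
    """Return the Windows file paths named in one HJT entry line."""
    return PATH_RE.findall(entry_line)


def location_check(path):
    """Compare where a file is with where its name is normally found.

    Returns "expected", "unexpected", or "unknown" when the name is not in
    EXPECTED_DIRS (most application files; look those up separately).
    """
    directory, _, name = path.rpartition("\\")
    name = name.lower()
    if name not in EXPECTED_DIRS:
        return "unknown"
    return "expected" if directory.lower() in EXPECTED_DIRS[name] else "unexpected"


def hash_bytes(data):
    """SHA-256 of in-memory contents; the same value a scanner would compare."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """SHA-256 of a file on disk, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(entry_line):
    """For each path in an entry: (path, location verdict)."""
    return [(p, location_check(p)) for p in extract_paths(entry_line)]


if __name__ == "__main__":
    # Constructed entry lines in the HJT format.
    sample = [
        r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
        r"O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\User\svchost.exe",
        r"O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe",
    ]
    for line in sample:
        for path, verdict in triage(line):
            print(f"{verdict:10} {path}")
    # Hash a constructed file to show the content check; on a real machine you
    # would pass the path reported in the log entry instead.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(b"abc")
        print(sha256_file(p))
```

Two files both called svchost.exe get different verdicts here purely on location, and the hash is what you would compare against a vendor's information or send in with a malware submission; a matching name tells you nothing on its own.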
4.0.3 Erroneous, poorly researched claims that software is malware or spyware happen.
4.0.4 A privacy advocate and an ordinary computer user will accept different trade-offs between privacy and anonymity on one side and ease of use and automated system maintenance on the other.
Many computer users are more secure letting add-on tools check for program updates regularly than trying to remember to check manually. Not applying program updates is a major security flaw, compared with the small flaw of letting the people who made a product know you are using it.
You are probably going to be posting your HJT log in a public security forum where anyone can see it.
It doesn't make sense that the kind of person who would post that kind of detailed system information in a public forum would object to a software company collecting reports of errors in its own programs; yet collecting such error reports has gotten some software classed as spyware by some anti-spyware companies.
You definitely don't want a virus, and much spyware and adware is definitely not something you want; however, sometimes software that is classified as spyware or adware is actually useful, making your life easier or helping keep your system up-to-date.
If you enjoy using a service, take the time to check out what got it classified as so-called spyware. Go to the company's website and read its privacy policy. Google them, and see what others say. Maybe you want to keep it, maybe not.
The final decision is yours, based not just on what the program does, but also on what your needs and desires are.
You do want to be careful, so if you're not totally sure, post in the BBR Security Forum before you make a change. Start a new topic for the computer, include the full HijackThis log and specifically state what your problem is and what you've already tried to do to correct it.
5.0 Don't just delete something. With files you can manually navigate to them, right-click and rename them to stop them activating (the automatic trigger will look for the old name). With registry entries, you can write them down or use regedit to export them before you delete them.
6.0 Not knowing what is supposed to be on the computer, a remote analyst can check in Google whether the software has the same name as known spyware, trackingware, adware or a virus with a distinctive name, and can refer to other identifying characteristics of malware.
In your case, you have a better idea what is on the computer. Although, do keep in mind that many programs have components made by other companies, such as automatic updating software (so don't be too easily spooked).
7.0 You may have a lot of programs set to autostart, like RealPlayer / RealOne components, QuickTime and so on. If you don't use these products frequently, you might want to take some of them out of autostart.
You can still use them, and they aren't spyware -- they will just load if and when you start using them instead of during the bootup process.
8.0 A useful tool for seeing which process is using up your system resources is Sysinternals' Process Explorer, from: »www.sysinternals.com/ntw2k/freew···xp.shtml
Special Notes:
Run CWShredder (from TrendMicro) if there are encoded URL entries like "R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%73%65%61%2e%63%6f%6d/ %7a/%62/%78%31%2e%63%"
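The entry quoted above is hard to judge because the hostname is written as percent-escapes. The script below is an added example for this FAQ (not part of CWShredder or HijackThis): it flags R0/R1-style entries whose URL host is percent-encoded, which legitimate start and search pages have no reason to be, and decodes the value so you can see what the setting really points at before deciding what to do. The first sample entry is the FAQ's own example with the line break removed and its trailing "%" kept as printed; the second is a constructed plain entry for contrast.

```python
import re
from urllib.parse import unquote

# Sample entries. The first is the FAQ's example (line break removed, trailing
# "%" kept as printed there); the second is constructed and harmless.
SAMPLE_ENTRIES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%77%77%73%65%61%2e%63%6f%6d/%7a/%62/%78%31%2e%63%",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
]

# Three or more percent-escapes in a row: text, not a stray encoded character.
ENCODED_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")
# The host part of the first http(s) URL in the entry.
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def is_encoded(entry):
    """True when the entry contains a run of percent-escaped characters."""
    return ENCODED_RUN_RE.search(entry) is not None


def encoded_host(entry):
    """Return the decoded hostname if the entry's URL host is percent-encoded.

    Returns None when there is no URL or the host is written plainly. A host
    that needs decoding to be readable is the tell-tale sign the FAQ describes.
    """
    m = URL_HOST_RE.search(entry)
    if not m or "%" not in m.group(1):
        return None
    return unquote(m.group(1))


def decode_entry(entry):
    """The entry with every valid percent-escape replaced by its character.

    Malformed or truncated escapes (such as a lone trailing "%") are left as-is
    rather than guessed at.
    """
    return unquote(entry)


def review(entries):
    """Return (original, decoded, decoded host) for each flagged entry."""
    flagged = []
    for e in entries:
        if is_encoded(e):
            flagged.append((e, decode_entry(e), encoded_host(e)))
    return flagged


if __name__ == "__main__":
    for original, decoded, host in review(SAMPLE_ENTRIES):
        print("flagged :", original)
        print("decoded :", decoded)
        print("host    :", host)
```

Decoding is only for reading the entry; it does not change anything on the computer. Once you can see the real hostname you are in the position the FAQ describes, running CWShredder or posting the log, rather than fixing the entry by hand.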
Run Rbkiller.exe if you see anything about rb32, rb32.exe or lptt01.
Click here for a step-by-step illustrated guide on how to run dllfix.exe to find the hidden appinit value of cws.searchx.
More links:
- Wilderssecurity - Browser Hijacks and Spyware Problems: News, General Information, and FAQs
- Resources on Parasites
- Parasite Library
- Hijack Removal
- How to Clear a Hijack Manually & URL Codes
- How to clear Hosts file hijacking
- Removing Browser Hijacks
- Spyware Info security articles
- User-friendly registry editing tool Reglite
- Subtram's Removal Tool Links (please use these tools only when advised to do so by an expert)
- Subtram's Useful Tool Download Page
- Microsoft's DLL Help Database
- Microsoft Knowledge Base
Many thanks to CalamityJane.
Recent changes:
2005-07-21 By Keith2468 - Updated links.
by keith2468, edited by JMGullett; last modified: 2007-07-25 13:29:36