Analyse the Windows registry using HijackThis

HijackThis inspects your computer's browser and operating system settings and generates a log file of the current state of the machine. Using HijackThis you can selectively remove unwanted settings and files from your computer. Because the settings listed in a HijackThis log can belong to legitimate software as well as to unwanted malware, it is important to use extreme caution when choosing to remove anything with HijackThis.
Scan your computer to find settings changed by spyware, malware or other unwanted programs. Trend Micro HijackThis generates an in-depth report to help you analyze and fix your infected computer.

Using HijackThis

To analyze your computer, start HijackThis and run a scan. See the Quick Start Guide for help in running a scan. HijackThis will display a list of areas on your computer that might have been changed by spyware. Do not change any settings if you are unsure of what to do. There are many popular support forums on the web that provide free technical assistance by using HijackThis log files to diagnose an infected computer. To download the current version of HijackThis, visit the official site at Trend Micro.
Do a scan and save the log file.
Let us go through the sections of the log file one by one.


R0, R1, R2, R3 - IE Start and Search pages.

R0 - Internet Explorer start page and search assistant settings.

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

R1 - Internet Explorer's search functions and other characteristics.
  
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com

R2 - Not used by HijackThis.

R3 - URL Search Hooks (for example the Yahoo! toolbar or the Google toolbar).

Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88}

Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
O4 - Programs autoloaded from the registry or Startup folders when the computer starts up. Autoloading entries that can.

DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user').

O5 - Blocking of loading Internet Options in Control Panel.

Unless you or your system administrator have knowingly hidden the icon from Control Panel, have HijackThis fix it.


O6 - Disabling of 'Internet Options' Main tab with Policies.

Unless you have the Spybot S&D option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix this.
 
O7 - Disabling of Regedit with Policies.

This section corresponds to Regedit not being allowed to run because of an entry in the registry. In corporate environments, administrators often disable Regedit for security reasons.

O8 - Extra MSIE context menu item.

Extra items on the context (right-click) menu can prove helpful or annoying; some recent hijackers add an item to the context menu.

Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000.

O9 - Extra buttons on the main IE toolbar, or extra items in the IE 'Tools' menu.

This section corresponds to having buttons on main Internet Explorer toolbar or items in the Internet Explorer 'Tools' menu that are not part of the default installation.

O10 - Breaking of Internet access by New.Net or WebHancer.

This section corresponds to Winsock hijackers, otherwise known as LSPs (Layered Service Providers). The Windows socket system (Winsock) uses a chain of providers for resolving names (i.e. translating www.microsoft.com into an IP address); this chain is the Layered Service Provider (LSP) chain. Any program on your system that accesses the internet through Winsock passes through this chain, which is why a broken or malicious LSP can break internet access.

O11 - Extra options in MSIE 'Advanced' settings tab.
A hijacker can add its own options group to the IE Advanced Options window; the known hijacker that does this is CommonName.

O12 - MSIE plugins for file extensions or MIME types.
Internet Explorer Plugins are pieces of software that get loaded when Internet Explorer starts to add functionality to the browser. There are many legitimate plugins available such as PDF viewing and non-standard image viewers.


O13 - Hijack of default URL prefixes.
 
When a website URL like www.microsoft.com is typed into IE's address bar without a prefix (http:// in this case), the prefix is added automatically when you hit Enter. This prefix, together with the default prefixes for FTP, Gopher and a few other protocols, is stored in registry keys. Example entry: DefaultPrefix: http://ehttp.cc/?


O14 - Changing of IERESET.INF.
In this section HijackThis checks the file "iereset.inf" for changes which might indicate a hijack. When you click "Reset Web settings" on the Programs tab of Internet Options, IE restores the default values for the home page, search page and a few other items from the "iereset.inf" file. This file is located in the inf folder inside your system folder. Some OEMs create their own custom URLs for this file.
IERESET.INF: START_PAGE_URL=http://www.oninet.pt.

O15 - Trusted Zone Autoadd.

In this section HijackThis lists the sites in Internet Explorer's "Trusted Zone", which was originally meant for content on Web sites considered more reputable or trustworthy than other sites on the Internet.
Trusted Zone: *.ebay.com.

O16 - Downloaded Program Files items.

This folder (Downloaded Program Files) holds various types of files downloaded from the internet, including ActiveX and Java objects. The legitimate purpose of ActiveX objects is to allow website creators to embed small programs in their sites which interact with your browser to provide an enhanced experience to the visitor. Because of its nature, ActiveX makes a very good platform for installing spyware, adware, dialers and hijackers.
  
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) – messenger.zone.msn.com/binary/Messenger.

O17 - Domain hijack.
Domain hijacks are when the hijacker changes the DNS servers on your machine to point to their own server, from which they can direct you to any site they want. By adding an entry for www.altavista.com, for example, they can make it so that when you go to www.altavista.com you are redirected to a site of their choice.

O18 - Enumeration of existing protocols and filters.

Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed) by spyware. In the last case, have HijackThis fix it.

O19 - User stylesheet hijack.

A style sheet is a template for how page layouts, colors and fonts are rendered for an HTML page. This type of hijack overwrites the default user style sheet, which was developed for users with accessibility needs, and causes large numbers of popups and potential slowdowns.
 
O20 - AppInit_DLLs autorun registry value and Winlogon Notify registry keys.
The AppInit_DLLs value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows causes a DLL to be loaded into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL); most often it is used by trojans or aggressive browser hijackers.

O21 - ShellServiceObjectDelayLoad (SSODL) autorun registry key.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.
 
O22 - SharedTaskScheduler autorun registry key.

The entries under this registry key run automatically when you start Windows.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

O23 - Enumeration of NT Services.

This is the listing of non-Microsoft services. The list should be the same as the one you see in the Msconfig utility of Windows XP. Several trojan hijackers use a homemade service in addition to other startup entries to reinstall themselves.
 
O24 - Enumeration of Active Desktop Components.

Active Desktop Components are local or remote HTML files that are embedded directly onto your desktop as a background. Infections use this method to embed messages, pictures or web pages directly onto a user's desktop.
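The sections above amount to a set of rules of thumb for reading a saved log: the known-bad O18 protocol names, a DefaultPrefix other than http://, anything in AppInit_DLLs, policy lockouts (O5/O6/O7), LSP and early-start shell keys, and start pages that are not the ones you set. As an added example (not HijackThis's own code and not part of the original post), the following Python script parses a log in the entry format shown above and applies those rules, separating entries the post says to fix from entries that need a human decision. The sample log is constructed from the entries quoted in the post; the O18 CLSID and the O20 DLL path are placeholders, and the list of expected home-page hosts is an assumption the caller supplies.

```python
"""Triage a saved HijackThis log using the rules of thumb from the post.
Added example, not HijackThis's own code."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log modelled on the entry formats in the post. The O18
# CLSID and the O20 DLL path are placeholders, not real indicators.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis (constructed sample)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
O4 - DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O13 - DefaultPrefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.oninet.pt
O15 - Trusted Zone: *.ebay.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/Messenger
O18 - Protocol: cn - {00000000-0000-0000-0000-000000000000}
O20 - AppInit_DLLs: C:\WINDOWS\system32\placeholder.dll
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+?)\s*$")
KNOWN_BAD_O18 = {"cn", "ayb", "relatedlinks"}   # CommonName, Lop.com, Huntbar (from the post)
LEGIT_APPINIT = {"apitrap.dll"}                   # Norton CleanSweep (from the post)
POLICY_SECTIONS = {"O5": "Internet Options hidden from Control Panel",
                   "O6": "Internet Options main tab disabled by policy",
                   "O7": "Regedit disabled by policy"}


@dataclass
class Entry:
    section: str   # "R0".."R3" or "O1".."O24"
    detail: str    # text after the "Rn - " / "On - " prefix


@dataclass
class Finding:
    section: str
    verdict: str   # "fix" (known bad) or "review" (needs a human decision)
    reason: str
    detail: str


def parse_log(text):
    """Return the log's R/O entries; header lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def triage(entries, expected_home_hosts=("www.google.com",)):
    """Apply the post's rules of thumb. expected_home_hosts is the caller's
    own list of start/search page hosts known to be legitimate (assumption)."""
    expected = {h.lower() for h in expected_home_hosts}
    findings = []
    for e in entries:
        s, d = e.section, e.detail
        if s in ("R0", "R1", "O14") and "=" in d:
            # R0/R1 registry start pages and the O14 iereset.inf defaults
            host = _host(d.split("=", 1)[1])
            if host and host not in expected:
                findings.append(Finding(s, "review", f"start/search page points at {host}", d))
        elif s == "O13":
            name, _, value = d.partition(":")
            if name.strip() == "DefaultPrefix" and value.strip() != "http://":
                findings.append(Finding(s, "fix", "DefaultPrefix is not http://", d))
        elif s == "O15":
            findings.append(Finding(s, "review", "site in Trusted Zone; confirm you added it", d))
        elif s == "O18":
            kind, _, rest = d.partition(":")
            name = rest.strip().split(" - ", 1)[0].lower()
            verdict = "fix" if name in KNOWN_BAD_O18 else "review"
            findings.append(Finding(s, verdict, f"{kind.strip().lower()} '{name}'", d))
        elif s == "O20":
            name, _, value = d.partition(":")
            dll = value.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name.strip() != "AppInit_DLLs" or dll not in LEGIT_APPINIT:
                findings.append(Finding(s, "review", "DLL loaded at logon; rarely legitimate", d))
        elif s in POLICY_SECTIONS:
            findings.append(Finding(s, "review", POLICY_SECTIONS[s] + "; fix unless an administrator did this", d))
        elif s in ("O10", "O21", "O22"):
            findings.append(Finding(s, "review", "Winsock LSP chain or early-start shell key; verify the owner", d))
    return findings


def summarize(entries):
    """Count entries per section so a reviewer sees which areas are populated."""
    return dict(Counter(e.section for e in entries))


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(ents))
    for f in triage(ents):
        print(f"[{f.verdict.upper():6}] {f.section}: {f.reason}\n         {f.detail}")
```

Run on the constructed log, the script marks the O13 DefaultPrefix and the 'cn' O18 protocol as fix, and the O14 start page, the Trusted Zone entry and the AppInit DLL as review; the O4, O8 and O16 entries are only counted, since the post says they are usually legitimate. Pass your own home-page hosts in expected_home_hosts so that R0/R1/O14 entries you set yourself are not reported.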



Press the Fix checked button. HijackThis will then prompt you to confirm whether you would like to remove those items; press Yes or No depending on your choice. If you are an advanced user, select the appropriate entries and remove your selected fixes. Keep the configuration setting 'Make backups before fixing items' checked so that anything removed can be restored. Experts who know what to look for can then help you analyze the log data and advise you on which items to remove; you can upload the log file or copy and paste its contents for them.