![Page 1: HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid 60-564 Project 1 Fall 2004](https://reader034.vdocuments.us/reader034/viewer/2022051619/56649ddf5503460f94ad81e8/html5/thumbnails/1.jpg)
HijackThis
- A general Homepage Hijacker Detector and Removal Tool
By: Tahira Farid
60-564 Project 1
Fall 2004
Overview
- Browser Hijacking and Why
- The Techniques
- Preventing a Hijack
- HijackThis - A Hijack Removal Tool
- Download Information
- Getting around with the tool
Overview (cont.)
- Testing
- Summary
- Important things learnt
- Useful Links
- References
What is Browser Hijacking?
- The browser's default settings are forcibly modified using scripting tools
- Spyware takes over our internet settings, redirects our searches and steals our homepage
- Adding links to favourites
- Changing the homepage persistently, by:
  - scripting
  - changing registry values
  - auto-running programs
  - secret files put on the hard disk
Why Hijacking?
- Bring us back to a website or a sponsor's site of the hijacker's choice
- Generate advertising revenues
- Keep users trapped in their sites
- Expand the website's traffic
Is it Reversible?
- as easy as switching the internet options back
- as crucial as undoing the changes in the Windows registry
The Techniques
- Multiple window pop-ups while leaving the site
- Windows half off screen, hard to close, allowing no control
- Offering "freebies" on their sites
- Installing AOL software, messenger or ICQ adds http://free.aol.com to IE's trusted sites zone without our permission; sites in that zone can download ActiveX controls, run scripts and perform various other actions
- Removing Internet Options from the Tools menu and the Control Panel
- Changing registry settings to reset the homepage
- Installing a program to reset the homepage on reboot
Preventing Hijack
- Various anti-hijacking and anti-virus tools are available.
- HijackThis: a utility tool to remove browser hijacks, viruses, trojans & spyware
- Does not target specific programs/URLs; targets the methods used by hijackers
HijackThis
- Developed by Merijn
- Freeware, 178 KB, latest version: 1.98.2
- Intended for advanced users
- Frequently updated to detect & remove new hijacks
- Runs on all Windows OS versions
Download Info & caution
- http://www.spychecker.com/program/hijackthis.html
- Must be placed in its own folder, otherwise backups will not be made.
- Recommended for use after running Spybot or another spyware/hijacker remover, to catch the malware files those tools leave behind.
- Requires knowledge of Windows and of operating systems in general. Deleting entries without knowing what they are can cause problems such as IE not working or Windows not running.
Caution (cont)
- Scans the registry and various files on the hard disk for entries similar to what a spyware/hijacker program would leave behind
- Interpreting the results can be tricky: legitimate programs get installed in a similar way to hijackers.
- Extra caution should be taken when fixing a problem.
Getting started
Go to the folder where HijackThis was unpacked from the zip file. Double-click on hijackthis.exe.
Scan results
Each line starts with a section name.
Info on selected items
Used to get information about a selected object.
Fix entries
Select an item to fix/remove.
Restoring items deleted mistakenly
We can back up and restore items, for the erroneous case where a removed item was in fact legitimate. Found under the Config button.
Generating startup listing
Has a built-in tool to generate a listing of all the programs that launch when the computer starts. Found under Config, Misc Tools option.
Process Manager
Built-in tool to:
1) Kill processes that are currently running
2) Check what DLLs are loaded in a particular process
Found under Config, Misc Tools option.
Process Manager (cont.)
Hosts File Manager
View our hosts file, delete lines, toggle lines on/off. HijackThis will add a "#" sign before the line to comment it out, so that it will not be used by Windows.
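The following is an added example, not code from the presentation or from HijackThis, showing the same toggle the Hosts File Manager performs (prefixing a line with "#") together with a check a defender would want alongside it: enabled mappings that send a hostname to an outside address. The sample hosts content is constructed for the demonstration; the redirect target reuses the IP address from the Testing slides.

```python
# Added example, not HijackThis's own code: a small hosts-file helper that
# parses mappings, toggles a line on/off by prefixing "#" (the same trick the
# Hosts File Manager uses), and flags enabled mappings that redirect a name
# to an address outside the loopback/private ranges.
# SAMPLE_HOSTS is constructed for this demonstration; the redirect target is
# the IP from the Testing slides.
import ipaddress

SAMPLE_HOSTS = """# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
213.159.117.134 www.example.com
#127.0.0.1      ad.example.net
"""


def parse_hosts(text):
    """Return (line_no, enabled, ip, names) for every line that maps an address.

    A leading "#" marks the mapping as disabled; pure comment lines and lines
    whose first field is not an IP address are skipped.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").split("#", 1)[0]  # drop trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # ordinary comment text, not a host mapping
        entries.append((no, enabled, str(ip), parts[1:]))
    return entries


def toggle_line(text, line_no):
    """Comment out line `line_no` with a leading "#", or re-enable it if commented."""
    lines = text.splitlines()
    idx = line_no - 1
    line = lines[idx]
    if line.lstrip().startswith("#"):
        lines[idx] = line.lstrip()[1:].lstrip()
    else:
        lines[idx] = "#" + line
    return "\n".join(lines) + "\n"


def suspicious_redirects(text):
    """Enabled mappings whose target is neither loopback, private nor unspecified.

    Such lines send a hostname to an outside machine, which is how a hosts-file
    hijack redirects a site without touching the browser settings at all.
    """
    flagged = []
    for no, enabled, ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        harmless = addr.is_loopback or addr.is_private or addr.is_unspecified
        if enabled and not harmless:
            flagged.append((no, ip, names))
    return flagged


if __name__ == "__main__":
    for no, ip, names in suspicious_redirects(SAMPLE_HOSTS):
        print(f"line {no}: {' '.join(names)} -> {ip}")
    print(toggle_line(SAMPLE_HOSTS, 4))
```

Toggling rather than deleting keeps the original line recoverable, which matches the presentation's advice to prefer reversible fixes over outright removal when an entry might turn out to be legitimate.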
Delete on reboot
Sometimes files obstinately refuse to be deleted from the system by any traditional means. These could be a virus or spyware. HijackThis lets Windows delete the file on reboot.
HijackThis log
Each line on the scan list starts with a section name. Each entry has a 2-letter code to say what it is.
Testing
- Windows XP SP2
- Running Spybot S&D, Ad-aware
- Specific problem in IE: always redirects to http://213.159.117.134/index.php
- Even using Spybot S&D, AboutBuster, SpywareBlaster and Ad-aware, the problem was still there
- The following entries were deleted after the scan:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 entries refer to BHOs (Browser Helper Objects): plugins for the browser that extend its functionality. Used by spyware & legitimate programs. The CLSID refers to registry entries that contain info about the BHO/toolbar. This particular entry means the entry exists in the registry but the associated file does not exist. Therefore cleaned to tidy up the registry.
Testing (cont.)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 and R1 entries refer to IE start page & search functions. The URL these R0/R1 entries point to is unwanted. Therefore cleaned to get rid of it.
Testing (cont.)
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
(startup item: a downloaded Trojan)
O4 entries refer to applications listed in certain registry keys or startup folders that are loaded automatically when Windows starts. Here the O4 entry shows a CoolWebSearch Trojan. Therefore fixed by HijackThis. The corresponding file
C:\WINDOWS\system32\systime.exe
was deleted by running Windows in safe mode after fixing with HijackThis.
Testing (cont.)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
O16 entries refer to ActiveX objects: programs that are downloaded from websites and stored on our computer. They are also referenced in the registry by their CLSID.
Here the site the object was downloaded from could not be recognized. Therefore cleaned by HijackThis. HijackThis also deletes the offending file from C:\Windows\Downloaded Program Files, where these types of objects are stored.
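The following is an added example, not code from the presentation or from HijackThis, that turns the reasoning used across the Testing slides (the section codes from the "HijackThis log" slide, and the R0/R1, O2, O4 and O16 verdicts above) into a small parser and triage routine run over sample log lines. The R0/R1 and O4 lines are the ones shown on the slides; the O16 line uses a constructed placeholder host, and the `trusted_hosts` and `known_bad_files` inputs are constructed for the demo (in practice they come from the user's own settings and a startup-list lookup).

```python
# Added example, not HijackThis's own code: parses HijackThis-style log lines
# into (section code, detail) pairs and applies the triage rules the Testing
# slides spell out for R0/R1, O2, O4 and O16 entries. The rules and the
# verdict labels are this example's own; the R0/R1 and O4 lines are taken from
# the slides, the O16 line uses a constructed placeholder host.
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://activex-host.example.net/get_file.php
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")  # "O2 - ...", "R0 - ..."
URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Split a log into (code, detail) pairs; lines without a section code are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def first_url(detail):
    m = URL_RE.search(detail)
    return m.group(0) if m else None


def host_of(url):
    return (urlparse(url).hostname or "").lower() if url else ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text, trusted_hosts=(), known_bad_files=()):
    """Return [(code, verdict, reason)] for each entry.

    trusted_hosts:   hosts the user deliberately set as start page or accepts
                     as an ActiveX source (constructed input for the demo).
    known_bad_files: startup executables already identified as malware, e.g.
                     from a startup-list lookup (constructed input for the demo).
    """
    trusted = {h.lower() for h in trusted_hosts}
    bad = {f.lower() for f in known_bad_files}
    results = []
    for code, detail in parse_log(text):
        url = first_url(detail)
        host = host_of(url)
        if code in ("R0", "R1"):
            # start page / search settings: a raw IP is the classic hijack sign
            if url is None:
                verdict = ("review", "no URL in entry")
            elif is_ip_literal(host):
                verdict = ("suspect", "start/search page points at a raw IP address")
            elif host in trusted:
                verdict = ("ok", "page set by the user")
            else:
                verdict = ("review", "homepage host not on the user's list")
        elif code == "O2":
            # BHO: a registry entry with no backing file is orphaned, safe to clean
            if detail.endswith("(no file)"):
                verdict = ("clean", "BHO registry entry with no associated file")
            else:
                verdict = ("review", "look the CLSID up in a BHO list")
        elif code == "O4":
            # autorun entry: compare the executable name against known startup items
            exe = detail.rsplit("\\", 1)[-1].lower()  # text after the last backslash
            if exe in bad:
                verdict = ("suspect", f"startup executable {exe} is a known malware file")
            else:
                verdict = ("review", "check the executable against a startup list")
        elif code == "O16":
            # downloaded ActiveX object: only a recognized source is acceptable
            if url is None or is_ip_literal(host) or host not in trusted:
                verdict = ("suspect", "ActiveX object downloaded from an unrecognized site")
            else:
                verdict = ("ok", "ActiveX object from a recognized site")
        else:
            verdict = ("review", "no rule for this section code")
        results.append((code,) + verdict)
    return results


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG, trusted_hosts=["www.example.com"],
                  known_bad_files=["systime.exe"])
    for code, verdict, reason in rows:
        print(f"{code:4} {verdict:8} {reason}")
```

Everything that is not an orphaned BHO or a known-bad startup file lands on "review" rather than "clean", which is the slides' own caution in code form: the tool lists what looks like a hijacker's footprint, but a legitimate program installed the same way produces the same line, so the decision to fix stays with the person reading the log.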
Testing (cont.)
- Booting in safe mode, the following file was deleted: C:\WINDOWS\system32\systime.exe
- Temporary internet files were deleted
- System rebooted normally; Ad-aware was run to do some more cleanup.
- No bad entries were found in the new log.
Summary
- HijackThis is a very powerful tool to root out serious infestation or attack in our system.
- We should be cautious enough, since incorrectly removing objects can cause problems with legitimate programs and compromise our system.
- Many online forums & tutorials exist for inspecting log files. Useful links are available for CLSID and startup lists.
- We need a great deal of devotion, commitment and knowledge towards our system security.
- HijackThis by itself cannot make our system secure from hijackers; we need other relevant tools as well to detect and remove spyware and viruses.
Important things learnt
In order to keep the computer clean and secure:
- Make our Internet Explorer more secure by customizing its security options.
- Use an antivirus software
- Use spyware & malware remover utility tools: Spybot S&D, Ad-aware, CWShredder, HijackThis, SpywareBlaster
- Update our antivirus software
- Use a firewall
- Visit Microsoft's Windows Update site frequently
- Update all these programs regularly
Useful links
- HijackThis log file analysis: http://www.hijackthis.de/index.php?langselect=english
- TonyK's Browser Helper Object (BHO) & Toolbar list: http://www.sysinfo.org/bholist.php
- PacMan's Start-up list, to find the entry and see if it's good or bad: http://www.sysinfo.org/bholist.php
References
http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#RDiag
Thank You!