Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
Spyware Moaning
-
12-07-2004 11:32pm#1
Comments
-
-
-
Here is my contribution the one that everybody wants how to read Hijack this logs-
I have been reading and using this great tool for the last 1 year now and getting pretty good with it
The Best tool will going through this is Google if you not sure google it!!!!
Anyway
==================================================
The First thing that you see in the logs are all the EXE's that are running such as
SVhost.exe
lsass.exe
explorer.exe
and many many more- These are the first part that you need to check check for Spelling mistakes in there if your not sure google it!
Example lsass.exe is okay but if you see two of them and the other one is called LSASS.EXE you might have a problem
Second part of disecting the log is the Registry entries...not for the faint hearted.
==========================================
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1 - Autoloading programs
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Autoloading programs from Registry
O5 - IE Options icon not visible in Control Panel
O6 - IE Options access restricted by Administrator
O7 - Regedit access restricted by Administrator
O8 - Extra items in IE right-click menu
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plugins
O13 - IE DefaultPrefix hijack
O14 - 'Reset Web Settings' hijack
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (aka Downloaded Program Files)
O17 - Lop.com domain hijackers
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack
=============================================
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
Example-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
R2 - (this type is not used by HijackThis yet)
R3 - Default URLSearchHook is missing
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it with google if valid and have HijackThis fix it.
For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.
=============================================
F0, F1 - Autoloading programs
Example-
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsche
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad again google it!!
=============================================
N1, N2, N3, N4
Example -
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
Netscape/Mozilla Start/Search pages URLs
This mostly do not have the same problem is IE explorer but can get it every now and again. only Lop.com has been known to do this. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it ro again google it!
=============================================
O1 - Hosts file redirection
Example-
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts file is located at C:\Windows\Help\hosts
Now these ones are nasty little ones,This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.
The last item sometimes occurs on Windows 2000/XP with a Coolwebsearch infection. Always fix this item, so if your getting redirected the whole time check this one, again if you do not recognize the name google it and get rid of it!!
=============================================
O2 - Browser Helper Objects
Example-O2 -
BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
Normally pretty harmless- Realplayer has plugings,abode has plugsins, but again the odd case if you don't directly recognize a Browser Helper Object's name, use Tony BHO Checker & Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.
=============================================
O3 - Internet Explorer toolbars
example- O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
Again If you don't directly recognize a toolbar's name, use TonyK's BHO & Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
If it's not on the list and the name seems a random string of characters and the file is in the 'Application Data' folder (like the last one in the examples above), it's probably Lop.com,Google it first and you definately should have HijackThis fix it
=============================================
O4 - Autoloading programs from Registry
Example-
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogon.exe
Use to Check the list to see if it valid or not. If it is not like the last one listed above-and hijackthis cannot fix it - Use the task manager to end task run hijack this again and select it once more-
MAKE SURE YOU USE THE TASK MANAGER.If your still not sure google it!!
=============================================
O5 - IE Options icon not visible in Control Panel
Example-O5 - control.ini: inetcpl.cpl=no
Unless you or your administrator have knowingly hidden or have a good reason to hide the icon from Control Panel, have HijackThis fix it mostly porn dailer that is hidden away!!! not sure google it.
=============================================
O6 - IE Options access restricted by Administrator
Example-O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
If you have the Spybot S&D option 'Lock homepage from changes' active, or your administrator put this into place, have HijackThis fix this
=============================================
O7 - Regedit access restricted by Administrator
Example-O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Always have HijackThis fix this, unless your administrator has put this restriction into place to stop you!!
============================================0 -
Here the Rest orginal post was to long had to split in two
============================================
O8 - Extra items in IE right-click menu
Example-
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
If you do not recognize get rid of it!!
=============================================
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
Example-
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
If you do not recognize get rid of it!!
=============================================
O10 - Winsock hijacker
Example-
O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
Use Lspfix to fix these ones BECAREFULL that 'unknown' files in the LSP stack will not be fixed by HijackThis, for safety issues
=============================================
O11 - Extra group in IE 'Advanced Options' window
Example-O11 - Options group: [CommonName] CommonName
The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this
=============================================
O12 - IE plugins
Example-
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb) not sure google it.
=============================================
O13 - IE DefaultPrefix hijack
Example-
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
O13 - WWW. Prefix: http://ehttp.cc/?
This are nastly little buggers get rid of them use hijack this to remove them- google first to check if there are valid
=============================================
O14 - 'Reset Web Settings' hijack
Example-O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
If the URL is not the provider of your computer or your ISP, have HijackThis fix it you have been hijacked.
=============================================
O15 - Unwanted site in Trusted Zone
Example-
O15 - Trusted Zone: http://free.aol.com
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.msn.com
Most of the time only AOL and Coolwebsearch silently add sites to the Trusted Zone. If you didn't add the listed domain to the Trusted Zone yourself, have HijackThis fix it.
=============================================
O16 - ActiveX Objects (aka Downloaded Program Files)
Example-
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
f you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc,get rid of it!!!
==============================================
O17 - Lop.com domain hijackers
Example-
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gla.ac.uk
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries.
For the 'NameServer' (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad
==============================================
O18 - Extra protocols and protocol hijackers
Example-
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
These are my favorite liitle ones The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those.
Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed) by spyware. In the last case, have HijackThis fix it.
==============================================
O19 - User style sheet hijack
Example-O19 - User style sheet: c:\WINDOWS\Java\my.css
In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. However, since only Coolwebsearch does this, it's better to use CWShredder to fix it
===============================================
Finally the end of it.
As you can see the most important tools that gets used is google my friend!!
Take you time when going looking at the logs.
Hope this help a bit should after 45 minutes of typing and rooting up links
kevin:ninja:0 -
-
Advertisement
-
-
-
-
-
-
Advertisement
-
-
-
-
-
-
-
-
Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭
Join Date:Posts: 91819
If get burgled because you leave your windows open, you don't go posting about it on a locksmiths forum. - Read the stickies here and comp and windows and then repost in the windows forum (why do I assume you have windows if you are asking about spyware ??) if you haven't found your answer by then.Korvanica wrote:anyone know any free adware/spyware removers??
i have about:blank on my pc and its really annoyin me!!
The average unprotected windows machines will have malware within 9 minutes of connecting to the information super highway, (Sophos UK)
about:blank is just your web browser starting on a blank page.
[Edit] or yet another hijack of IE - that's one of the main problems of using FireFox, you don't see a lot of this kinda crap
0 -
-
-
Advertisement
-
-
-
-
-
-
-
-
-
-
Advertisement
Advertisement