HijackThis - PowerPoint PPT Presentation

Slides: 32
Provided by: nad8
Transcript and Presenter's Notes


1
HijackThis
- A general Homepage Hijacker Detector and
Removal Tool
By Tahira Farid 60-564 Project 1 Fall 2004
2
Overview
  • Browser Hijacking and Why
  • The Techniques
  • Preventing a Hijack
  • HijackThis- A Hijack Removal Tool
  • Download Information
  • Getting around with the tool

3
Overview (cont.)
  • Testing
  • Summary
  • Important things learnt
  • Useful Links
  • References

4
What is Browser Hijacking?
  • A browser's default settings are forcibly
    modified using scripting tools
  • Spyware takes over our internet settings,
    redirects our searches and steals our homepage
  • Adding links to favourites
  • Changing the homepage persistently by:
    - scripting
    - changing registry values
    - auto-running programs
    - secret files put on the hard disk

5
Why Hijacking?
  • Bring us back to a website or a sponsor's site of
    the hijacker's choice
  • Generate advertising revenue
  • Keep users trapped in their sites
  • Expand the website's traffic
  • Is it reversible?
    - sometimes as easy as switching the internet
      options back
    - sometimes as involved as undoing the changes in
      the Windows registry

6
The Techniques
  • Multiple window pop-ups while leaving the site
  • Windows half off screen, hard to close, allowing
    no control
  • Offering freebies on their sites
  • Installing AOL software, messenger or ICQ adds
    http://free.aol.com to IE's Trusted Sites zone
    without our permission; the site can then download
    ActiveX controls, run scripts and perform various
    actions.
  • Removing Internet Options from the Tools menu and
    Control Panel
  • Changing registry settings to reset the homepage
  • Installing a program to reset the homepage on
    reboot

7
Preventing Hijack
  • Various anti-hijacking and anti-virus tools are
    available.
  • HijackThis: utility tool to remove browser
    hijacks, viruses, trojans and spyware
  • Does not target specific programs/URLs
  • Targets the methods used by hijackers

8
HijackThis
  • Developed by Merijn
  • Freeware
  • 178 KB
  • Latest version 1.98.2
  • Intended for advanced users
  • Regularly updated to detect and remove new
    hijacks
  • Runs on all Windows versions

9
Download Info / Caution
  • http://www.spychecker.com/program/hijackthis.html
  • Must be placed in its own folder, otherwise
    backups will not be made.
  • Recommended to be used after running Spybot or
    another spyware/hijacker remover, to catch the
    malware files they leave behind.
  • Requires knowledge of Windows and operating
    systems in general.
  • Deleting entries without knowing what they are can
    cause problems such as IE not working or Windows
    not running.

10
Caution (cont.)
  • Scans the registry and various files on the hard
    disk.
  • Reports entries similar to what a spyware/hijacker
    program would leave behind
  • Interpreting the results can be tricky.
  • Legitimate programs get installed in a similar way
    to how hijackers get installed.
  • Extra caution should be taken when fixing a
    problem.

11
Getting started
  • Go to the folder where HijackThis was unpacked
    from the zip file. Double-click on hijackthis.exe

12
Scan results
  • Each line starts with a section name

13
Info on selected items
  • To get info about a selected object

14
Fix entries
  • Select an item to fix/remove

15
Restoring items deleted mistakenly
  • We can make backups to restore items in erroneous
    scenarios, i.e. items which were removed but were
    legitimate.
  • Under the Config button

16
Generating startup listing
  • Has a built-in tool to generate a listing of all
    the programs that launch when the computer starts.
  • Under Config, Misc Tools option

17
Process Manager
  • Built-in tool to:
    1) Kill processes that are currently running
    2) Check what DLLs are loaded in a particular
       process
  • Under Config, Misc Tools option

18
Process Manager (cont.)
19
Hosts File Manager
  • View our hosts file, delete lines, toggle lines
    on/off
  • HijackThis will add a # sign before the line to
    comment it out so that it will not be used by
    Windows.

20
Delete on reboot
  • Sometimes files obstinately refuse to be deleted
    from the system by any traditional means. Could be
    a virus/spyware.
  • HijackThis allows Windows to delete the file on
    reboot.

21
HijackThis log
  • Each line on the scan list starts with a section
    name
  • Each entry has a 2-letter code to say what it is.

22
Testing
  • Windows XP SP2
  • Running Spybot S&D, Ad-aware
  • Specific problem: IE always redirects to
    http://213.159.117.134/index.php
  • Even after using Spybot S&D, AboutBuster,
    SpywareBlaster and Ad-aware the problem was still
    there
  • The following entries were deleted after the scan
  • O2 - BHO (no name) - 549B5CA7-4A86-11D7-A4DF-000874180BB3 - (no file)
  • O2 entries refer to BHOs: plugins for the browser
    that extend its functionality. Used by both
    spyware and legitimate programs.
  • The CLSID refers to registry entries that contain
    info about BHOs/toolbars. This particular entry
    means the entry exists in the registry but the
    associated file does not exist. Therefore it was
    cleaned to tidy up the registry.

23
Testing (cont.)
  • R0 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Start Page http://213.159.117.134/index.php
  • R1 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Default_Page_URL
    http://213.159.117.134/index.php
  • R1 - HKLM\Software\Microsoft\Internet
    Explorer\Main,Default_Page_URL
    http://213.159.117.134/index.php
  • R0 - HKLM\Software\Microsoft\Internet
    Explorer\Main,Start Page http://213.159.117.134/index.php
  • R0 - HKCU\Software\Microsoft\Internet
    Explorer\Main,Local Page http://213.159.117.134/index.php
  • R0 - HKLM\Software\Microsoft\Internet
    Explorer\Main,Local Page http://213.159.117.134/index.php
  • R0, R1 entries refer to the IE start page and
    search functions. The URL that R0, R1 are pointing
    to is unwanted. Therefore cleaned to get rid of it.

24
Testing (cont.)
  • O4 - HKLM\..\Run SysTime -> startup item
    C:\WINDOWS\system32\systime.exe -> Trojan
    downloaded
  • O4 - HKCU\..\Run SysTime C:\WINDOWS\system32\systime.exe
  • O4 entries refer to applications that are listed
    in certain registry keys/startup folders and are
    loaded automatically when Windows starts.
  • Here the O4 entry shows a CoolWebSearch Trojan.
    Therefore fixed by HijackThis. The corresponding
    file C:\WINDOWS\system32\systime.exe was deleted
    by running Windows in safe mode after fixing with
    HijackThis.

25
Testing (cont.)
  • O16 - DPF 15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6
    - http://public.windupdates.com/get_file.php...edceabcca450006
  • O16 entries refer to ActiveX objects: programs
    that are downloaded from websites and stored on
    our computer. Also referenced in the registry by
    their CLSID.
  • Here neither the object nor the URL it was
    downloaded from could be recognized. Therefore
    cleaned by HijackThis. HijackThis also deletes the
    offending file from C:\Windows\Downloaded Program
    Files, where these types of objects are stored.

26
Testing (cont.)
  • Booting in safe mode, the following file was
    deleted: C:\WINDOWS\system32\systime.exe
  • Temporary internet files were deleted
  • System rebooted normally, Ad-aware was run to do
    some more cleanup.
  • No bad entries were found in the new log.
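As an added example (not part of the presentation), a small Python parser for the log line formats the testing slides walk through, applying the same triage reasoning: R0/R1 pages pointing at an unexpected URL, O2 BHOs with no file, O4 autostarts not on a known-good list, O16 objects from an unrecognised host. The sample log is constructed from the slides' own entries with the punctuation the transcript lost restored, and the allow-lists are assumptions the analyst supplies.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in HijackThis line format, built from the entries the slides walk
# through, with the ':' '=' '{}' '[]' punctuation lost in the transcript restored.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

def parse_line(line):
    """Split one log line into its section code and the fields that section carries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code}
    if code in ("R0", "R1"):                 # registry key,value name = URL
        entry["key"], _, entry["url"] = body.partition(" = ")
    elif code == "O2":                       # BHO: name - {CLSID} - dll path or (no file)
        entry["name"], entry["clsid"], entry["path"] = [p.strip() for p in body[4:].split(" - ", 2)]
    elif code == "O4":                       # HKxx\..\Run: [value name] command line
        entry["key"], _, rest = body.partition(": ")
        entry["name"], _, entry["path"] = rest.lstrip("[").partition("] ")
    elif code == "O16":                      # DPF: {CLSID} - download URL
        entry["clsid"], _, entry["url"] = body[4:].strip().partition(" - ")
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(entries, trusted_urls=("about:blank",), known_startup=(), trusted_hosts=()):
    """Apply the slides' reasoning per section; returns (entry, reason) for each suspect entry."""
    known = {n.lower() for n in known_startup}
    findings = []
    for e in entries:
        c = e["code"]
        if c in ("R0", "R1") and e["url"] not in trusted_urls:
            findings.append((e, "IE start/default/local page points to an unexpected URL"))
        elif c == "O2" and e["path"].lower() == "(no file)":
            findings.append((e, "BHO registered in the registry but its file is missing"))
        elif c == "O4" and e["name"].lower() not in known:
            findings.append((e, "autostart entry not on the known-good startup list"))
        elif c == "O16" and urlsplit(e["url"]).hostname not in trusted_hosts:
            findings.append((e, "ActiveX object downloaded from an unrecognised site"))
    return findings
```

Calling `triage(parse_log(SAMPLE_LOG))` flags five of the six lines; only the Local Page set to about:blank passes, which mirrors the slides' decision to fix every listed entry.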

27
Summary
  • HijackThis is a very powerful tool to root out a
    serious infestation or attack on our system.
  • We should be cautious enough, since incorrectly
    removing inappropriate objects can cause problems
    with legitimate programs and compromise our
    system.
  • Many online forums and tutorials exist for
    inspecting log files.
  • Useful links are available for CLSID and startup
    lists.
  • We need a great deal of devotion, commitment and
    knowledge towards our system security.
  • HijackThis by itself cannot make our system
    secure from hijackers; we need other relevant
    tools as well to detect and remove spyware and
    viruses.

28
Important things learnt
  • In order to keep the computer clean and secure:
  • Make our Internet Explorer more secure by
    customizing the security options.
  • Use an anti-virus software
  • Use spyware/malware remover utility tools:
    Spybot S&D, Ad-aware, CWShredder, HijackThis,
    SpywareBlaster
  • Update our anti-virus software
  • Use a firewall
  • Visit Microsoft's Windows Update site frequently
  • Update all these programs regularly

29
Useful links
  • HijackThis log file analysis
  • http://www.hijackthis.de/index.php?langselect=english
  • TonyK's Browser Helper Object (BHO) and Toolbar list
  • http://www.sysinfo.org/bholist.php
  • PacMan's Start-up list, to find the entry and see
    if it's good or bad.
  • http://www.sysinfo.org/bholist.php

30
References
  • http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html
  • http://www.bleepingcomputer.com/forums/index.php?showtutorial=42RDiag

31
  • Thank You!