HijackThis - PowerPoint PPT Presentation

About This Presentation

Title:

HijackThis

Description:

Running spybot S&D, ad-aware ... Even using spybot S&D, AboutBuster, Spywareblaster, Ad-aware problem was still there ... rebooted normally, Ad-aware was run ... – PowerPoint PPT presentation

Number of Views:2354

Avg rating:3.0/5.0

Slides: 32

Provided by: nad8

Category:

more less

Transcript and Presenter's Notes

Title: HijackThis

1
HijackThis
- A general Homepage Hijacker Detector and
Removal Tool
By Tahira Farid 60-564 Project 1 Fall 2004
2
Overview

Browser Hijacking and Why
The Techniques
Preventing a Hijack
HijackThis- A Hijack Removal Tool
Download Information
Getting around with the tool

3
Overview (cont.)

Testing
Summary
Important things learnt
Useful Links
References

4
What is Browser Hijacking?

Where browsers default settings is forcibly
modified by using scripting tools
Spyware takes over our internet settings,
Redirects our searches and steals our homepage
adding links to favourites
changing homepage persistently
- scripting
- changing registry values
- auto-running programs
- secret files put on the hard disk

5
Why Hijacking?

Bring us back to a website or a sponsors site of
Hijackers choice
Generate advertising revenues
Keep users trapped in their sites
Expand websites traffic
Is it Reversible?
-as easy as to switch the internet options back
-as crucial as to undo the changes by going to
windows registry

6
The Techniques

Multiple Windows pop-ups while leaving the site
Windows half off screen hard to close and allows
no control
Offering freebies in their sites
Installing AOL software, messenger, ICQ adds
http//free.aol.com to IEs trusted sites zone
without our permission-can download activeX, run
scripts, perform various actions.
Removing internet options from tool menu and
control panel
Changing reg settings to reset homepage
Installing program to reset homepage on reboot

7
Preventing Hijack

Various anti-hijacking and anti-virus tools
available.
HijackThis- utility tool to remove browser
hijacks, viruses, trojans spyware
Does not target specific prog./URLs
Targets methods used by hijackers

8
HijackThis

Developed by Marijn
Freeware
178 KB
latest version 1.98.2
Intended for advanced users
Increasingly updated to detect remove new
hijacks
Runs on all windows OS

9
Download Info caution

http//www.spychecker.com/program/hijackthis.html
Required to place it in its own folder otherwise
backups will not be made.
Recommended to be used after running spybot or
spyware/hijacker remover- malware files will be
left behind.
Requires knowledge in windows and OS in general.
If deleted entries without knowing- problems as
IE not working, running windows.

10
Caution (cont)

Scans registry and various files in HD.
Entries similar to what a spyware/hijacker
program would leave behind
Interpreting the results can be tricky.
Legitimate programs get installed in similar way
hijackers get installed.
Extra causion should be taken fixing a problem.

11
Getting started

Go to the desired
folder where hijackthis
was created from zip
unpack. Double click
on hijackthis.exe

12
Scan results

Each line
starts with
a section
name

13
Info on selected items

To know info
about a
selected obj

14
Fix entries

Select an
item to
fix/remove

15
Restoring items deleted mistakenly

We can make
backup restore
items for erroneous
scenarios for
items which were
removed but
legitimate.
Under config
button

16
Generating startup listing

Has a built-in tool
to generate listing
of all the prog that
launch when comp
starts.
Under config,
Misc tools option.

17
Process Manager

Built-in tool to
1) Kill processes that
are currently running
2) Check what DLLs
are loaded in a
particular process
Under config,
Misc tools option

18
Process Manager (cont.)
19
Hosts File Manager

View our host file,
Delete lines
Toggle lines on/off
HijackThis will
add a sign
before the line
to comment it
out so that it will not
be used by Windows.

20
Delete on reboot

Sometimes files
obstinately reject
to get deleted from
the system by any
traditions means.
Could be virus/
spyware
HijackThis allows
windows to delete
the file on reboot.

21
HijackThis log

Each line on the
scan list starts
with a section name
Each entry has a
2-letter code to say
what it is.

22
Testing

Windows XP SP2
Running spybot SD, ad-aware
Specific problem in IE always redirects to
http//213.159.117.134/index.php
Even using spybot SD, AboutBuster,
Spywareblaster, Ad-aware problem was still there
Following entries were deleted after scan
O2 - BHO (no name) - 549B5CA7-4A86-11D7-A4DF-000
874180BB3 - (no file)
02 entries refers to BHO- plugins for browser
that extend the functionality of it. Used by
spyware legitimate programs.
CLSID refers to reg. entries that contains info
about BHO/toolbars. This particular entry means
the entry exists in the registry but the
associated file does not exist. Therefore cleaned
to tidy up the registry.

23
Testing (cont.)

R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start Page http//213.159.117.134/
index.php
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL
http//213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL
http//213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start Page http//213.159.117.134/
index.php
R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Local Page http//213.159.117.134/
index.php
R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Local Page http//213.159.117.134/
index.php
R0,R1 entries refer to IE start page search
functions. The url R0, R1 are pointing to is
unwanted. Therefore cleaned to get rid of it.

24
Testing (cont.)

O4 - HKLM\..\Run SysTime ? startup item
C\WINDOWS\system32\systime.exe ? Trojan
downloaded
O4 - HKCU\..\Run SysTime C\WINDOWS\system32\sy
stime.exe
04 entries refer to app that are listed in
certain keys in reg/startup folders and are
loaded automatically when windows starts.
Here 04 entry shows a CoolWebSearch Trojan.
Therefore fixed by HijackThis. The corresponding
file
C\WINDOWS\system32\systime.exewas deleted by
running windows on safe mode after fixing with
HijackThis.

25
Testing (cont.)

O16 - DPF 15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6
- http//public.windupdates.com/get_file.php...edc
eabcca450006
016 entries refer to ActiveX obj-programs that
are downloaded from websites and stored in our
computer. Also referenced in the reg by their
CLSID.
Here the object/URL could not be recognized from
where it was downloaded. Therefore cleaned by
HijackThis. HijackThis also deletes the offending
file from C\Windows\Downloaded Program Files-
where the these types of objects are stored.

26
Testing (cont.)

Booting with safe mode following file was deleted
C\WINDOWS\system32\systime.exe
Temp internet files were deleted
System rebooted normally, Ad-aware was run to do
some more cleanup.
No bad entries were found in the new log.

27
Summary

HijackThis is a very powerful tool to root out
serious infestation or attack in our system.
we should be cautious enough, since incorrectly
removing inappropriate objects can cause problems
with legitimate programs and compromise our
system.
Many online forums tutorials for inspecting
logfiles.
Useful links available for CLSID, startup lists.
we need a great deal of devotion, commitment and
knowledge towards our system security.
HijackThis by itself can not make our system
secure from Hijackers, we need other relevant
tools as well to detect and remove spyware and
viruses.