Wednesday, December 31, 2008

Cleaning Your Computer With Hijackthis

Written by Adam Knife

Warning: HijackThis is an advanced tool. To use it effectively you may need to understand concepts such as the Windows registry, and be willing to make changes to system-critical files. Use at your own risk.

HijackThis is a program that produces a text listing of the applications and settings on your computer that malware such as spyware or malicious BHOs commonly hooks into. It is frequently used by tech support staff to diagnose software problems, and by technical computer users to solve their own.

Once you have downloaded HijackThis and produced a log (the easy part), you must learn how to read it. Each line in the log begins with an identifier, a two- or three-character letter/number combination such as R0 or O10, which tells you which section the line belongs to and therefore what it means.

The "R" sections (R0, R1, R2, and R3) cover Internet Explorer settings. Since Internet Explorer is a frequent target for browser hijackers, this is often one of the most important sections. R0 lines are Internet Explorer's Start Page and Search Page registry values, R1 covers the remaining search-related values, R2 is not used, and R3 is the URL search hook: the component Internet Explorer calls when something typed in the address bar has no protocol prefix and does not resolve as a URL.

As you move into the "F" sections, you may see entries you don't understand. The "F" sections cover the legacy system.ini and win.ini startup lines (shell=, run= and load=) and their registry equivalents. Regular software rarely uses them any more, which is exactly why spyware still does: a program started from here runs early, before the normal startup items, and is easy to overlook.

N1 through N4 are the same as the "R" sections, but for Netscape-compatible browsers, including the popular Mozilla Firefox.

O1 lines list your HOSTS file. The HOSTS file is a deep enough topic to warrant an article of its own, but the short version is that each entry maps a domain name to an IP address and is consulted before DNS is ever asked. That makes it a convenient place to hijack popular websites, such as Google, or to point anti-virus update domains somewhere useless so the product can no longer update. A normal entry points at 127.0.0.1 (localhost); an entry that sends a real domain to some other address deserves a close look.

O2 lines are your BHOs, "Browser Helper Objects" (O3 lines are Internet Explorer toolbars, which are much the same kind of component). They are often jokingly called Browser Hijacker Objects, since that is what they are commonly used for. Searching the web for the CLSID (the {...} value) or the DLL file name on the line will usually tell you what a given BHO is.

O4 covers the Windows autostart locations: the Run and RunOnce keys in the Registry and the Startup folders. Anything listed here runs automatically every time a user logs on, which makes it one of the most common places for malware to install itself.

O5 through O9 are Internet Explorer lock-down and customisation settings: O5 and O6 show whether the Internet Options icon or its settings have been hidden or restricted by policy, O7 shows whether Regedit has been disabled, and O8 and O9 list extra items added to the browser's right-click menu, toolbar and Tools menu. On a home machine, a "restricted by administrator" entry you did not set yourself is a red flag.

O10 lines are "Winsock hijackers": Layered Service Providers (LSPs) inserted into the Winsock stack, where they can see and alter every network connection the machine makes. The topic could fill volumes of articles on its own; the short version is that these entries are frequently bad and should always be looked into, but never simply deleted, since removing an LSP incorrectly can break the machine's entire network stack. Use a dedicated LSP repair tool rather than HijackThis to fix them.

The remaining "O" sections (O11 through O23) cover less common settings: extra Internet Explorer option groups and plugins, protocol defaults, the Trusted Zone, downloaded ActiveX controls (O16), DNS and domain settings (O17), protocol handlers, AppInit_DLLs (O20), shell service objects, scheduled shell tasks and Windows services (O23). Most of them are empty on a clean system, but they are not all rare in the wild: O16, O17, O20 and O23 in particular are used by malware to survive a reboot and are worth reading carefully. You can look the full list up in the HijackThis manual.
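As an added worked example (not part of the original article, and not the author's HijackThis Log Analyzer), here is a small Python parser that splits a log into its sections and applies a few of the checks described above: hosts entries that send a domain somewhere other than loopback, unnamed or fileless BHOs, toolbars and search hooks, autostart entries running from a temp directory, and unrecognised Winsock LSPs. The log text, domain names, CLSIDs and file names are constructed for this example, and the flagging rules are illustrative heuristics of my own rather than anything HijackThis itself does.

```python
import re
from collections import defaultdict

# Meaning of each identifier, condensed from the article's descriptions.
SECTION_MEANING = {
    "R0": "IE start page / search page",
    "R1": "IE search functions",
    "R2": "(not used)",
    "R3": "IE URL search hook",
    "F0": "system.ini shell= line",
    "F1": "win.ini run= / load= lines",
    "N1": "Netscape/Mozilla pages", "N2": "Netscape/Mozilla pages",
    "N3": "Netscape/Mozilla pages", "N4": "Netscape/Mozilla pages",
    "O1": "HOSTS file entry",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry (Run keys / Startup folder)",
    "O10": "Winsock LSP",
}

# Every meaningful log line is "<identifier> - <body>"; header lines and the
# "Running processes" list carry no identifier and are skipped.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Constructed sample log for this example (not a real machine's output).
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.example/?q=
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.7 update.antivirus-vendor.example
O2 - BHO: Example PDF Link Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\ExampleVendor\pdfhelper.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\unknownbho.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [svch0st] C:\DOCUME~1\user\LOCALS~1\Temp\svch0st.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\unknownlsp.dll
"""

LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")


def parse_log(text):
    """Return the log as a list of (identifier, body) pairs, in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def group_by_section(entries):
    """Group parsed entries by identifier so each section can be read together."""
    groups = defaultdict(list)
    for section, body in entries:
        groups[section].append(body)
    return dict(groups)


def flag_entry(section, body):
    """Return a reason string if the entry deserves a closer look, else None.

    Illustrative heuristics written for this example: they miss plenty of real
    hijacks and can fire on legitimate entries, so every hit still needs the
    file or CLSID checked by hand."""
    if section == "O1":
        # "Hosts: <ip> <hostname>"; anything not pointing at loopback is suspect.
        ip, _, hostname = body.split(":", 1)[1].strip().partition(" ")
        if hostname and hostname != "localhost" and not ip.startswith(LOOPBACK_PREFIXES):
            return f"hosts file sends {hostname} to {ip} instead of loopback"
    elif section in ("O2", "O3", "R3"):
        if "(no name)" in body or "(no file)" in body:
            return "unnamed or fileless COM object (look up the CLSID)"
    elif section == "O4":
        # "<key>: [<name>] <command>"; legitimate software rarely starts from Temp.
        m = re.search(r"\[(.*?)\]\s*(.*)", body)
        if m and re.search(r"\\temp\\", m.group(2), re.IGNORECASE):
            return f"autostart '{m.group(1)}' runs from a temp directory"
    elif section == "O10":
        if body.lower().startswith("unknown file"):
            return "Winsock LSP that HijackThis does not recognise"
    return None


def analyze(text):
    """Parse the log and return the entries that tripped a heuristic."""
    hits = []
    for section, body in parse_log(text):
        reason = flag_entry(section, body)
        if reason is not None:
            hits.append({"section": section,
                         "meaning": SECTION_MEANING.get(section, "see the HijackThis manual"),
                         "body": body, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"{hit['section']:<4} {hit['meaning']:<45} {hit['reason']}")
        print(f"     {hit['body']}")
```

Run against the sample it reports five entries: the fileless R3 hook, the hosts line redirecting the update domain, the unnamed BHO, the autostart in Temp, and the unknown LSP. The clean lines (the Google start page, the named BHO, SoundMan) pass. Note the O10 hit in particular is only a prompt to investigate: some legitimate providers are listed as "unknown", and an LSP should be removed with a dedicated repair tool, not by deleting the line.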

Adam X. Knife runs a process library for users to look up processes running on their computers, and provides a powerful HijackThis Log Analyzer to help users understand their HJT logs.
