Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Understanding and Interpreting HijackThis Entries – Part 1

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us


A word of caution: This program should be used with utmost caution as most of the entries shown after the scan will be necessary for smooth running of the operating system. All users are not expected to understand all of the entries it produces as it requires certain level of expertize. Unless you can spot a spyware program by the names of its Registry keys and DLL files it is best left to those specifically trained in interpreting the HijackThis logs. It is recommended that you reproduce the log file generated by HijackThis on one of the recommended online forums dedicated for this cause.



HijackThis Tutorial – Analyze, Understand and Interpret HijackThis logs


The first part of the log is commonly referred as the "Header" information. This contains details about the version of HijackThis, Windows and Internet Explorer alongwith the date and time of the scan. This information is crucial to the helper if you decide to post your log at one of the online help forums. This mainly lets the helper confirm that you have the latest versions of the mentioned software and also to tailor his reply suitable to the specific version of Windows.


Logfile of HijackThis v1.99.1 Scan saved at 8:59:25 AM, on 3/28/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


The next part of the log contains a list of currently running processes which will vary with each HijackThis scan as it depends on what a particular user is running at the time of the scan. This may reveal the presence of malware. Some examples of running processes are:

  • D:\WINDOWS\System32\smss.exe
  • D:\WINDOWS\system32\winlogon.exe
  • D:\WINDOWS\system32\services.exe
  • D:\WINDOWS\system32\lsass.exe
  • D:\WINDOWS\system32\svchost.exe
  • D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
  • C:\PROGRAMFILES\NEWSGROUP\NEWSGROUP.EXE
  • C:\WINDOWS\SYSTEM\ONP3E.EXE
  • C:\WINDOWS\MSMGT.EXE
  • C:\WINDOWS\GQLVDN.exe

An experienced HijackThis adept will know from the name of the exe file whether it pertains to a legitimate Windows program or to an unwanted software. The file name may be used to research the entry in Google or in specific sites which provide the information on known running processes. Couple of sites which provide such information are:

Following the processes list is the main body of HijackThis log. Each line in a HijackThis log starts with a section name, in the form of two-charecter numeric or alpha numeric code. The codes and corresponding section in IE or various registry entries are given below followed by explanation about the each entry.


  • R1 – Internet Explorer Start page/search page/search bar/search assistant URL
  • R2 – This is not used
  • R3 – Default URL Searchhook
  • F0 – Autoloading programs from system.ini file
  • F1 – Autoloading programs from win.ini file
  • F2 } F2/F3 are essentially F0/F1 items, mapped to the Registry.
  • F3 } Only present in NT based systems.
  • N1 – Netscape 4x default homepage and search page URLs
  • N2 – Netscape 6x default homepage and search page URLs
  • N3 – Netscape 7x default homepage and search page URLs
  • N4 – Mozilla default homepage and search page URLs
  • O1 – Hosts file redirection
  • O2 – Browser Helper Objects
  • O3 – Internet Explorer toolbars
  • O4 – Autoloading programs from Registry
  • O5 – IE Options icon not visible in Control Panel
  • O6 – IE Options access restricted by Administrator
  • O7 – Regedit access restricted by Administrator
  • O8 – Extra items in IE right-click menu
  • O9 – Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
  • O10 – Winsock hijacker
  • O11 – Extra group in IE 'Advanced Options' window
  • O12 – IE plugins
  • O13 – IE DefaultPrefix hijack
  • O14 – 'Reset Web Settings' hijack
  • O15 – Unwanted site in Trusted Zone
  • O16 – ActiveX Objects (aka Downloaded Program Files)
  • O17 – Lop.com domain hijackers
  • O18 – Extra protocols and protocol hijackers
  • O19 – User style sheet hijack
  • O20 – AppInit_DLLs Registry value autorun
  • O21 – ShellServiceObjectDelayLoad Registry key autorun
  • O22 – SharedTaskScheduler Registry key autorun
  • O23 – Windows NT Services


R0 – Internet Explorer Start page/search page/search bar/search assistant URL


A registry value that has been changed from the default, resulting in a changed Internet explorer start page, search page, search bar page, search assistant, search url, customize search etc. HijackThis monitors the following registry keys among others for changes;


  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl


Example of R0 entries from HijackThis logs

  • R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.cc/index.php?v=6&aff=3412714
  • R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1526
  • R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
  • R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Recommendation: The key in these R0 entries tagged by HijackThis are the URL's shown in each entry. If you don't recognize the URL or there are no URL's at the end of the entry, it can be safely fixed with HijackThis. Further, the URL's may be researched for CWS infection by using the known CWS Domains List.

R1 – Internet Explorer Start page/search page/search bar/search assistant URL

A registry value that has been created and is not present in a default windows install nor needed, possibly resulting in a changed Internet Explorer start page, search page, search bar page, search assistant, search url, customize search etc. HijackThis monitors the above mentioned registry keys in addition to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Example of R1 entries from HijackThis logs

  • R1 – HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
  • R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl…r=iesearch
  • R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search http://red.clientapps.yahoo.com/customize/…//www.yahoo.com
  • R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

Recommendation: The same rule as for R0 entries applies. The Key to look for are the URL"s. If you don't recognize the URL or there are no URL's at the end of the entry, it can be safely fixed with HijackThis. Also research for CWS infection by using the CWS Domain List.

R2 – This is not used

Merijn, the author says "this type is not used by HijackThis yet".

R3 – Default URL Searchhook

URLSearchHook is called by the browser when the browser cannot determine the protocol of a URL address.. When attempting to browse to a URL address that does not contain a protocol, Internet Explorer first attempts to determine the correct protocol using the unmodified address. If this fails, Internet Explorer creates URL Search Hook objects that have been registered, and calls each object's translate method until the URL has been translated or until all hooks have been called. Normally there should be only one value in this key.

URL Search Hooks are registered by adding a value that contains the object's class identifier (CLSID) string under the following key in the registry:

HKEY_LOCAL_MACHINE/Software/Microsoft/Internet Explorer/UrlSearchHooks

Many IE hijackers will add their UrlSearchHook to your system so every time when you type a url without protocol, you will be redirected to the hijacker's site. HijackThis tags this, if the default search hook value is changed, missing or a new value added in the above key.

Example of R3 entries from HijackThis logs.

  • R3 – URLSearchHook: (no name) – {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ – (no file)
  • R3 – URLSearchHook: (no name) – {707E6F76-9FFB-4920-A976-EA101271BC25} – C:\Program Files\TV Media\TvmBho.dll
  • R3 – URLSearchHook: PerfectNavBHO Class – {00D6A7E7-4A97-456f-848A-3B75BF7554D7} – C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
  • R3 – URLSearchHook: IncrediFindBHO Class – {5D60FF48-95BE-4956-B4C6-6BB168A70310} – C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

Recommendation: Generally it's safe to have HijackThis fix this entry.

F0 – Autoloading programs from system.ini file

This is one of the way, out of many different possible ways, Malware can automatically start and run in your system. HijackThis targets the "shell=" line in the system.ini file in your windows folder. The default legitimate line should read as "shell=explorer.exe". However malware like trojans, viruses etc., use this line to execute themselves at startup, for example Dumaru.Y Worm , W32.HLLW.Caspid worm and Subseven Trojan. This is achieved by adding an entry to the "shell=" line, like this:

shell=Explorer.exe C:\Windows\Capside.exe

So that when the system boots, the worm is also set to start alongwith explorer.exe. It is to be noted that in windowsNT based systems, the shell line is not located in the ini files but in the registry. Typically, in the "shell" string value of

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\current version\Winlogon

whose contents again should be just "Explorer.exe". HijackThis tags this, if the line contains more than just "Explorer.exe" and restores the default value if you choose to fix it.

Example of F0 entries from HijackThis logs

  • F0 – system.ini: Shell=Explorer.exe C:\WINDOWS\System32\FF.EXE
  • F0 – system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
  • F0 – system.ini: Shell=explorer.exe winuser32.exe
  • F0 – system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe

Recommendation: Unless you are running one of those shell changing programs which changes the default windows interface (explorer.exe) to one of its own, F0 entries are most probably bad, fix them always.

F1 – Autoloading programs from win.ini file

Like F0 entries, HijackThis targets "win.ini" file, one of the possible autoloading location for both valid programs and a lot of viruses use to run at startup.

  • [windows]
  • Run=
  • Load=

Any filename after the run or load= will start everytime you boot into windows. Seperated by semicolons, multiple programs may be started using this method.

In windows NT based systems this is once again found in the Registry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  • "run"=""
  • "load"=""

HijackThis will tag all items listed in these locations.

Example of F1 entries from HijackThis logs

  • F1 – win.ini: load=C:\WINDOWS\Msgsvr32win.exe
  • F1 – win.ini: run=hpfsched
  • F1 – win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
  • F1 – win.ini: load=d:\progra~1\YDPDict\watch.exe
  • F1 – win.ini: run=msinfo.exe

Recommendation: As win.ini file is used by many older programs to auto start programs, you should be selective in fixing those entries with HijackThis. Try to find some more info on the filename to see if it's good or bad before deciding to fix it.

F2 & F3 – Autoloading programs from registry in windows NT based systems

In the words of Merijn, "F2/F3 are essentially F0/F1 items, mapped to the Registry. Only present in WinNT/2k/XP."

On Windows NT based systems,most sections of the win.ini and system.ini files are mapped into the registry. That is to say, Windows intercepts certain requests to access these files and, instead,accesses the registry. To determine which sections are mapped in this way, refer to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping

Note that although Windows NT based systems retains the Win.ini file for compatibility with older programs, it does not use the Load= and Run= lines in Win.ini itself.

Let's see what MS says about inifilemapping in windows NT resourcekit,

When you install an application created for 16-bit Windows, the application's setup program creates its own .ini file or creates entries for the Win.ini or System.ini file in the same way that it does for any version of Windows 3.x. These entries are not updated in the Registry because these applications do not have a way to access the Windows NT Registry. For this reason, basic System.ini, Win.ini, and Winfile.ini files appear in the Systemroot directory in Windows NT.

If a Windows-based application tries to write to Win.ini, System.ini, or any other section listed in the IniFileMapping key, and if the application uses the Windows NT Registry APIs, the information is stored in the Registry. If the application writes to other sections of the .ini file or tries to open the .ini file directly without using the Windows NT Registry APIs, the information is saved in an .ini file.

To find mapping information in the HKEY_LOCAL_MACHINE \Software key, the system searches for the filename extension of the initialization file. If it finds the filename extension, it looks under the mapped key for the name of the application associated with that file type and a variable name. If necessary, it continues to look for keys whose value entries are the variable names. If no mapping for either the application name or filename is found, the system looks for an .ini file to read and write its contents. You can see where the Windows initialization files are mapped in the Registry by viewing the subkeys and value entries under this path:

HKEY_LOCAL_MACHINE\Software\MicrosoftWindowsNT\Current Version\IniFileMapping


F2 entry in a HijackThis log also refers to the Userinit value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and by default, Winlogon runs Userinit.exe, which is an application used to run a program before a shell starts. The service runs logon scripts, reestablishes network connections and starts the shell.

The default value is C:\WINDOWS\SYSTEM32\Userinit.exe, (note the comma at the end).This value could be hacked by malware to read:

C:\WINDOWS\SYSTEM32\Userinit.exe, trojan.exe

HijackThis will tag the contents of this key even if only the comma is missing and it's OK to have it fixed though it's harmless.

Example of entries from HijackThis logs

  • F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
  • F2 – REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\sysctl.exe

Recommendation: Do not use HijackThis to fix these entries without expert guidance. If you fix the wrong entry, your computer may not be bootable without some serious trobleshooting. This is especially true for F2 entries as the restore function of HijackThis for this particular section has some potentially serious issues.

N1 – Netscape 4x default homepage and search page URLs

N1 entry in a HijackThis log refers to the homepage URL settings in Netscape 4.x browser in the prefs.js file located in the users Netscape directory.

Example of N1 entries from HijackThis logs

  • N1- Netscape 4: user_pref("browser.startup.homepage", "http://www.travelocity.com/?Service=TRAVELOCITY"); (C:\Program Files\Netscape\Users\default\prefs.js)
  • N1 – Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\doug\prefs.js)
  • N1 – Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)

N2 – Netscape 6x default homepage and search page URLs

N2 entry in a HijackThis log refers to homepage and searchpage URLs of Netscape 6 browser in the prefs.js file located in the 'Application Data' folder.

Example of N2 entries from HijackThis logs

  • N2-Netscape6:user_pref("browser.startup.homepage","http://www.plymslayer.com/graphics/plymmies/dumbass.gif"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\p7clsp39.slt\prefs.js)
  • N2 – Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profilesdefaulto9t1tfl.slt\prefs.js)
  • N2 – Netscape 6: user_pref("browser.search.defaultengine","engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206% 5Csearchplugins% 5CSBWeb_01.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\20gihcu7.slt\prefs.js)

N3 – Netscape 7x default homepage and search page URLs

N3 entry in a HijackThis log refers to homepage and searchpage URLs of Netscape 7 browser in the pref.js file located in the 'Application Data' folder.

Example of N3 entries from HijackThis logs

  • N3 – Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xg8itvly.slt\prefs.js)
  • N3 – Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE% 5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xg8itvly.slt\prefs.js)
  • N3 – Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Kir\Application Data\Mozilla\Profiles\default\sij0wvc1.slt\prefs.js)
  • N3 – Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape% 5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kir\Application Data\Mozilla\Profiles\default\sij0wvc1.slt\prefs.js)

N4 – Mozilla default homepage and search page URLs

N4 entry in a HijackThis log refers to homepage and searchpage URLs of Mozilla browser in the prefs.js file located in the 'Application Data' folder.

I have not seen the N4 entries in any of the HijackThis logs.

Recommendation: The N entries are similar to the R0 and R1 entries which refers to the IE browser. Again the key is the URL shown in the respective entries. If you don't recognize the URL or there are no URL's at the end of the entry, it can be safely fixed with HijackThis. It's very unlikely that Netscape or Mozilla browsers to get hijacked unless you download and install a malware installer unknowingly. An example would be LOP.com hijack. This comes in the form of an executable installer which may masquerade as 'mp3_finder.exe, download_file.exe, free_warez exe or free_sex_viewer.exe among others. These installers change your preferred home and search page URL's in Netscape and Mozilla browsers. It also adds a task to run on startup which sets your homepage and search back to lop if you change them.


Understanding and Interpreting HijackThis Entries – 01 to 09



{ 4 comments… read them below or add one }

German March 27, 2011 at 4:25 AM

Thank you a lot for the help with this topic: “F0 – Autoloading programs from system.ini file”.

Really helpful.

Thanks!

Reply

Johnny August 17, 2011 at 10:25 PM

Thanks for your detailed explanation.
It is a good start for me to understand the various malware removal tools.

Thanks again.

Reply

Gosa October 19, 2011 at 2:52 PM

Hi,

Just want to say that I appreciate this a lot.
Thanks for the good explanation and the work!!!

Cheers,

Gosa

Reply

Waleska October 31, 2011 at 10:23 PM

I can’t determine if there is a keylogger in my computer. I have installed HiJackThis several weeks ago but I don’t know if I am using it correctly.

Reply

Leave a Comment

{ 2 trackbacks }