
Understanding and Interpreting HijackThis Entries – Part 2

by Shanmuga


A word of caution: This program should be used with the utmost caution, as most of the entries shown after the scan are necessary for the smooth running of the operating system. Not all users are expected to understand all of the entries it produces, as that requires a certain level of expertise. Unless you can spot a spyware program by the names of its Registry keys and DLL files, interpretation is best left to those specifically trained in reading HijackThis logs. It is recommended that you post the log file generated by HijackThis on one of the recommended online forums dedicated to this purpose.


O1 – Hosts file redirection

The hosts file maps host names to IP addresses.

The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites. (From "What is a hosts file".)


The hosts file can also be hijacked by malware: by changing the entries in your hosts file, malware makes Windows believe a web site has a different IP address than it really has, so IE opens the wrong page. A benign host name such as cnn.com could be made to point to a malicious website. HijackThis can detect these redirection entries.

Examples of malicious O1 entries from HijackThis logs

  • O1 – Hosts: 64.191.95.139 www.google.com
  • O1 – Hosts: 66.98.178.19 cookies.cmpnet.com
  • O1 – Hosts: 66.98.178.19 counter.aaddzz.com
  • O1 – Hosts: 66.98.178.19 counter14.sextracker.com
  • O1 – Hosts: 216.177.73.139 auto.search.msn.com
  • O1 – Hosts: 216.177.73.139 search.netscape.com

Here the hijack redirects the host name on the right to the IP address on the left.

In the first entry of the example, if you type 'www.google.com' in your browser you are taken to the malicious site at 64.191.95.139 instead of google.com. Many variants of the CWS (CoolWebSearch) parasite use this method to hijack IE.

You may find another kind of O1 entry in HijackThis logs that pertains to the hosts file. It looks like this:

  • O1 – Hosts file is located at C:\Windows\Help\hosts
  • O1 – Hosts file is located at: C:\WINNT\nsdb\hosts

Here HijackThis flags a redirection of the hosts file location itself, perpetrated by some parasites. The legitimate hosts file is located in the following locations in the various flavours of Windows:

  • Windows NT/2K/XP = [System root]\system32\drivers\etc
  • Windows 95/98/ME = [drive]\windows
  • The [drive] is usually drive "c:"

The [System root] is usually "c:\winnt" or "c:\windows"

Recommendation: You can always have HijackThis fix these, unless you knowingly put those entries in your Hosts file.
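As an added illustration of the two O1 checks above (this is example code written for this page, not part of HijackThis), the following parses a constructed hosts file, reports every name that is sent to a remote address rather than to the local machine, and tests whether a reported hosts file path is one of the legitimate locations listed above. The sample hosts content and the `family` labels "nt" and "9x" are assumptions made for the example.

```python
import ipaddress

# Constructed sample hosts file for this example (not taken from the page);
# the redirected names are the ones the O1 entries above show.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # blocked on purpose: harmless
64.191.95.139   www.google.com
216.177.73.139  auto.search.msn.com search.netscape.com
not-an-address  garbage
"""

# Directory the hosts file legitimately lives in, per Windows family
LEGIT_HOSTS_DIRS = {
    "nt": "\\system32\\drivers\\etc",  # NT/2000/XP: [System root]\system32\drivers\etc
    "9x": "\\windows",                 # 95/98/ME:   [drive]\windows
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs. Comments and blank lines are skipped, a
    line may list several names, and a malformed line is ignored as Windows does."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()

def find_redirections(text):
    """Return (hostname, ip) for every name sent somewhere other than the
    local machine: mapping a name to 127.0.0.1 or 0.0.0.0 only blocks it,
    mapping it to a remote address is the O1 redirection described above."""
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]

def hosts_path_is_legit(path, family="nt"):
    """True when a 'Hosts file is located at' path sits in the directory that
    Windows family really uses; anything else points at a planted copy."""
    directory = path.rsplit("\\", 1)[0].lower()
    return directory.endswith(LEGIT_HOSTS_DIRS[family])
```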

O2 – Browser Helper Objects

In this section HijackThis lists all the "Browser Helper Objects" used by your IE, whether good or bad. A browser helper object, or BHO, is a component that Internet Explorer loads whenever it starts (or, if you have Active Desktop turned on, even when you open a file folder on your own computer) and that can perform many actions on the available windows. BHOs can be either good or bad, but most of them contain spyware in one form or another. Sometimes these BHOs just sneak onto your computer and you don't even realize they are there! Some of them can be downright malicious!

Some common examples of BHOs are Aureate/Radiate, Alexa, Flyswat, Gator, GetRight, Gozilla, RealDownload, and Yahoo Companion.

Examples of O2 entries from HijackThis logs

  • O2 – BHO: (no name) – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  • O2 – BHO: (no name) – {0982868C-47F0-4EFB-A664-C7B0B1015808} – C:\WINDOWS\System32\mskhhe.dll
  • O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  • O2 – BHO: (no name) – {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} – C:\WINDOWS\System32\bridge.dll

Recommendation: Be careful when selecting entries in this section for fixing with HijackThis, as it lists both benign BHOs (Google toolbar, Acrobat Reader, Spybot S&D's download protection, etc.) and malicious ones. Look up the SystemLookup – CLSID List, where it is possible to search by CLSID (the alphanumeric characters between the curly brackets). Choose to fix an entry only if you are absolutely sure; otherwise consult an expert, as deleting certain BHOs will affect the smooth functioning of IE.

O3 – Internet Explorer toolbars

A toolbar for Internet Explorer is normally located below the menu bar at the top of the window. IE toolbars are created by Browser Helper Objects. Many toolbars available on the Internet are spyware. They can be annoying or even outright malicious, tracking your online behaviour and displaying popup ads.

Examples of O3 entries from HijackThis logs

  • O3 – Toolbar: &Google – {2318C2B1-4965-11d4-9B18-009027A5CD4F} – c:\program files\google\googletoolbar1.dll
  • O3 – Toolbar: Band Class – {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} – C:\WINDOWS\dealhlpr.dll
  • O3 – Toolbar: &Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:\WINDOWS\SYSTEM\MSDXM.OCX

Recommendation: As HijackThis lists all third-party toolbars, good and bad, discretion is required when selecting entries to fix. Again, the exhaustive SystemLookup – CLSID List may be used to search for the offending CLSIDs if you don't directly recognize a toolbar's name.

O4 – Autoloading programs from Registry & Startup group

As the title indicates, this section of the HijackThis log lists all programs that autoload from the registry and the Startup group. Autoloading entries can load a registry script, VBScript or JavaScript file, possibly causing the IE start page, search page, search bar or search assistant to revert to a hijacker's page after a system reboot. A DLL file can also be loaded that hooks into several parts of your system.

Examples of O4 entries from HijackThis logs

  • O4 – HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
  • O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  • O4 – HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
  • O4 – HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
  • O4 – Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  • O4 – Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
  • O4 – Startup: PowerReg Scheduler.exe
  • O4 – Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Recommendation: An amazing number of Windows applications, from freeware and shareware utilities to full-blown commercial suites such as Microsoft Office, manage to insert some portion of themselves into your Windows startup. There are some you should never turn off, though: definitely leave entries such as ScanRegistry and SystemTray alone, as these are critical parts of Windows itself. How do you identify malware or unnecessary programs loading at startup? If you don't recognize a program from its name, or if you are plainly suspicious of an entry, use the following lists. They provide searchable, comprehensive lists of the programs you may find running when you switch on your PC, as typically identified by MSCONFIG or the registry "Run" keys, and whether you need them.
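Before an O2, O3 or O4 entry can be looked up in the CLSID and startup lists mentioned above, the CLSID or the program path has to be pulled out of the log line. The parser below is an added example for this page (not HijackThis code): it normalises CLSIDs from O2/O3 lines and, for O4 lines, separates the program from its arguments, covering a quoted path (even with the closing quote missing, as in the ccApp entry above), an unquoted path containing spaces, and a bare Startup-folder item. The sample lines are constructed from the entries shown in these sections; HijackThis writes " - " where this page's copy shows an en dash, and the parser accepts both.

```python
import re
# Constructed sample lines in the shape the O2, O3 and O4 sections show.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
"""

DASH = "\\s[-\u2013]\\s"  # field separator: plain hyphen or en dash
CLSID_RE = re.compile(r"^O([23])" + DASH + r"(?:BHO|Toolbar): (.*?)" + DASH
                      + r"\{([0-9A-Fa-f-]{36})\}" + DASH + r"(.*)$")
O4_REG_RE = re.compile(r"^O4" + DASH + r"(HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]+)\] (.*)$")
O4_START_RE = re.compile(r"^O4" + DASH + r"Startup: (?:(.*?)\.lnk = )?(.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|cmd|vbs|js|dll))(?:\s|$)", re.I)

def executable_of(command):
    """Split the program from its arguments. A quoted path ends at the closing
    quote (tolerating a missing one); an unquoted path, even one containing
    spaces, ends at the first known executable extension."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]

def parse_line(line):
    """Return a dict for an O2/O3/O4 entry, or None for any other line."""
    m = CLSID_RE.match(line)
    if m:  # CLSID is upper-cased so it can be searched consistently
        return {"section": "O" + m.group(1), "name": m.group(2),
                "clsid": "{" + m.group(3).upper() + "}", "path": m.group(4)}
    m = O4_REG_RE.match(line)
    if m:
        return {"section": "O4", "hive": m.group(1), "key": m.group(2),
                "name": m.group(3), "command": m.group(4), "exe": executable_of(m.group(4))}
    m = O4_START_RE.match(line)
    if m:
        return {"section": "O4", "hive": "Startup", "name": m.group(1) or m.group(2),
                "command": m.group(2), "exe": executable_of(m.group(2))}
    return None

def parse_log(text):
    """Parse every recognised line of a log excerpt, in order."""
    return [e for e in (parse_line(ln.strip()) for ln in text.splitlines()) if e]
```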

O5 – IE Options icon not visible in Control Panel

In this section HijackThis checks for the "Internet options" applet available in the control panel. Each item in Control Panel has an associated ".cpl" file. These files, along with the Control Panel initialization file, "Control.ini", are loaded into memory when Control Panel is opened. A hijacker may modify the control.ini to prevent access to the "Internet Options" window, thereby preventing the user from resetting various hijacked options.

Example of an O5 entry from HijackThis logs

O5 – control.ini: inetcpl.cpl=no

This entry is not commonly seen in HijackThis logs.

Recommendation: Unless you or an administrator has chosen to hide the 'Internet options' applet from the control panel by modifying the control.ini file, it's safe to have HijackThis fix this entry.

O6 – IE Options access restricted by Administrator

This section is similar to the O5 section in the sense that HijackThis flags the disabling of the "Internet options" applet in the Windows control panel and the restriction on changing the start page setting. The difference here is that HijackThis checks the registry key "HKCU\Software\Policies\Microsoft\Internet Explorer\" for any restrictions placed by using administrative policies. HijackThis lists this even if the option in Spybot S&D is used to protect the start page from being changed by malware.

In this section HijackThis lists several different types of entries.

Examples of O6 entries from HijackThis logs

  • O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  • O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

Restrictions present: You or an administrator has set a policy which disables changing IE start page for the current user.

Control Panel present: You or an administrator has set a policy which restricts access to the 'Internet options' from within the IE or in the control panel.

Toolbars\Restrictions present: You or an administrator has set a policy which restricts access to the IE toolbar.

This setting is also used by malware to restrict the user from changing the hijacked start page, search page, etc., and generally to restrict the user from accessing the "Internet options" applet in the control panel.

Recommendation: Unless you or an administrator has applied this policy in your system for the users, it is safe to have HijackThis fix these entries.

O7 – Regedit access restricted by Administrator

Once again this setting is applied through administrative policies. Disabling the ability to use the registry editor is normally used by administrators to restrict their users, but it can also be used by malware to prevent access to the registry settings. HijackThis checks the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" for any restrictions.

Example of an O7 entry from HijackThis logs

O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Recommendation: Unless you or an administrator has applied this policy in your system for the users, it is safe to have HijackThis fix this entry.

O8 – Extra items in IE right-click menu

In this section HijackThis lists the extra items in the IE right-click menu, i.e. not the default items like Back and Forward, but only the items installed by third-party software, legitimate and otherwise. HijackThis checks the registry keys

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt

and lists all the extra items. These extra context menu items can prove helpful or annoying. Some hijackers are known to add items to the context menu.

Examples of O8 entries from HijackThis logs

  • O8 – Extra context menu item: &Google Search – res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
  • O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
  • O8 – Extra context menu item: Zoom &In – C:\WINDOWS\WEB\zoomin.htm
  • O8 – Extra context menu item: Coupons – file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
  • O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

Recommendation: If you don't recognize the name of the item or if you don't use an item in the right-click menu in IE, it can be safely fixed with HijackThis.

O9 – Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu

In this section HijackThis flags the extra buttons on the main IE toolbar and the extra items in the 'Tools' menu of IE. HijackThis checks the registry keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions

and lists all the extra buttons and extra items on the "Tools" menu of IE. These can be researched at SystemLookup – O9 List.

Examples of O9 entries from HijackThis logs

  • O9 – Extra button: Messenger (HKLM)
  • O9 – Extra button: Joyo (HKLM)
  • O9 – Extra button: Run DAP (HKLM)
  • O9 – Extra button: Copernic Agent (HKLM)
  • O9 – Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
  • O9 – Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

Recommendation: If you don't recognize the name of the item, or if you don't use an extra button or 'Tools' menu item in IE, it can be safely fixed with HijackThis.


Continued in: Understanding and Interpreting HijackThis Entries – O10 to O23


