
Understanding and Interpreting HijackThis Entries – Part 3

by Shanmuga

A word of caution: This program should be used with utmost caution, as most of the entries shown after the scan are necessary for the smooth running of the operating system. Not all users can be expected to understand every entry it produces, since doing so requires a certain level of expertise. Unless you can spot a spyware program by the names of its Registry keys and DLL files, interpreting HijackThis logs is best left to those specifically trained in it. It is recommended that you post the log file generated by HijackThis on one of the recommended online forums dedicated to this purpose.


O10 – Winsock hijacker

Winsock is short for Windows Sockets API. It describes a standard way for Windows programs to work with TCP/IP. You use Winsock, or the more recent Winsock2, whenever your Windows PC connects directly to the Internet. Winsock incorporates a feature called Layered Service Provider (LSP), which allows legitimate third-party software such as anti-virus, firewall and other security products to insert their own code into the "chain". An LSP has access to all data entering and leaving the computer.

This feature is misused by a few hijackers to facilitate their own monitoring. Data packets bound from your computer to a legitimate destination on the web can be intercepted by a malware LSP and sent somewhere other than where you intended. As Merijn says, "Only a very small selection of spyware used this method of infection as it requires hooking into the Winsock LSP chain, which lies very deep into the bowels of Windows and is one of the hardest parts of Windows to manipulate." New.net, Webhancer, CommonName and the CWS variant CWS.Msspi are examples.

Example O10 entries from HijackThis logs

  • O10 – Hijacked Internet access by New.Net
  • O10 – Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
  • O10 – Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
  • O10 – Unknown file in Winsock LSP: c:\windows\system32\msspi.dll

Recommendation: Do not fix O10 entries, or use programs like LSPfix or WinsockFix yourself, without an expert/helper advising you to do so. Fixing the LSP stack is not advised unless you are sure of what you are doing and know how to undo it: a wrong fix will break your internet connection, and in some cases only a repair install or a reinstall will get you back. A lot of legitimate programs use the LSP to perform their tasks, and HijackThis has only some of them in its ignored (safe) list, so false positives are likely. Please note that Merijn also says that "'unknown' files in the LSP stack will not be fixed by HijackThis, for safety issues."

If you want to have a look at the LSPs in your system, use Spybot S&D or download the free LSP explorer add-on for Ad-Aware SE.

Spybot-S&D is able to display a list of installed network drivers and allows this list to be exported for future reference. In version 1.3, entries that have changed since the last snapshot are displayed in bold letters, so you can see changes to the list at once. The Ad-Aware SE LSP Explorer goes a step further by letting you back up and restore the LSPs. It also lets you view the active LSPs and Name Service Providers on your system, along with detailed information about each, so you can determine whether or not they are legitimate.

LSPs can be researched at the SystemLookup O10 List.

O11 – Extra group in IE 'Advanced Options' window

In this section HijackThis tags the addition of an extra group in the "Advanced" tab of Internet Options in IE. The options in the "Advanced" tab are stored in the registry, and extra options can easily be added by creating extra registry keys. Malware very rarely adds its own options there; CommonName, for example, adds a group with a few options. Some legitimate programs also add their own group there.

Example O11 entries from HijackThis logs

  • O11 – Options group: [CommonName] CommonName
  • O11 – Options group: [Multimedia] Multimedia
  • O11 – Options group: [TB] Toolbar
  • O11 – Options group: [TOEGANKELIJKHEID] Toegankelijkheid

Recommendation: If the listed program name is 'CommonName', have HijackThis fix this. If you don't recognize the name, take an expert's opinion before fixing this entry.

O12 – IE plugins

Plugins are small programs that add particular functions to a larger existing program such as IE, typically to display or play multimedia content found on a web page, for example QuickTime movies or Flash and Shockwave animations. When spyware or hijackers add plugins for their own file types, the danger is that they get reinstalled if everything but the plugin has been removed and the browser then opens such a file.

Example O12 entries from HijackThis logs

  • O12 – Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
  • O12 – Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
  • O12 – Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  • O12 – Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

HijackThis lists all the plugins installed on your machine. At present only one pest seems to use this method: the Onflow media player, a graphics provider and ad-tracking and reporting company for Web advertisers. It appears in HijackThis logs with the extension ".ofb".

Recommendation: Almost all of the entries appearing in this section are harmless. Don't fix anything other than Onflow.

O13 – IE DefaultPrefix hijack

When a website URL like www.microsoft.com is typed into IE's address bar without its prefix (http:// in this case), the prefix is added automatically when you hit Enter. This prefix, together with the default prefixes for FTP, Gopher and a few other protocols, is stored in the registry keys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefix

A hijacker changes these values to the URL of his own server; as a result, the victim is redirected to the hijacker's website whenever the prefix is left out. Many variants of the CWS parasite use this method.

Example O13 entries from HijackThis logs

  • O13 – DefaultPrefix: http://ehttp.cc/?
  • O13 – WWW Prefix: http://ehttp.cc/?
  • O13 – DefaultPrefix: http://www.nkvd.us/1507/
  • O13 – WWW Prefix: http://www.nkvd.us/1507/
  • O13 – Home Prefix: http://www.nkvd.us/1507/
  • O13 – Mosaic Prefix: http://www.nkvd.us/1507/
  • O13 – WWW. Prefix: http://

Recommendation: You need not be selective here. Anything that changes the default prefix of the various protocols cannot be good. Have HijackThis fix all instances of this.

O14 – 'Reset Web Settings' hijack

In this section HijackThis checks the file "iereset.inf" for changes which might indicate a hijack. When you click "Reset Web Settings" on the Programs tab of Internet Options, IE restores the default values for the home page, search page and a few other items from the registry entries stored in the "iereset.inf" file. This file is located in the inf folder inside your system folder. Some OEMs create their own custom URLs for this file.

Malware changes the default URLs to its own, so that when you click "Reset Web Settings" you get re-infected rather than cured.

Example O14 entries from HijackThis logs

  • O14 – IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
  • O14 – IERESET.INF: START_PAGE_URL=http://www.oninet.pt
  • O14 – IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
  • O14 – IERESET.INF: START_PAGE_URL=http://www.searchalot.com

Recommendation: If the URL does not belong to your computer's manufacturer or your ISP, have HijackThis fix it.
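The O13 and O14 recommendations above are mechanical enough to check automatically: a genuine default prefix is nothing but a scheme ("http://", "ftp://", "gopher://"), and an iereset.inf URL is only acceptable if its host belongs to Microsoft, your OEM or your ISP. The following script is an added example, not part of the original article or of HijackThis itself. It parses O13 and O14 lines (accepting both the " - " separator of real logs and the en dash the article renders) and flags deviations. The sample log lines are constructed from the entries shown above, and the `trusted_suffixes` allow-list is an assumption you must fill in with your own OEM and ISP domains.

```python
import re
from urllib.parse import urlsplit

# Separator between the section tag and the rest of the line. Real HijackThis
# logs use " - "; the article above renders it as an en dash, so accept both.
DASH = r"\s+[-–]\s+"

RE_O13 = re.compile(r"^O13" + DASH + r"(?P<name>.+?):\s*(?P<value>\S*)\s*$")
RE_O14 = re.compile(r"^O14" + DASH + r"IERESET\.INF:\s*(?P<key>\w+)=(?P<value>.*?)\s*$")

# A genuine default prefix is just a scheme: "http://", "ftp://", "gopher://".
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*://$", re.IGNORECASE)

# Constructed sample log, built from the example entries quoted in the article.
SAMPLE_LOG = """\
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.oninet.pt
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
"""


def check_o13(log_text):
    """One dict per O13 line; 'hijacked' is True unless the value is a bare scheme."""
    results = []
    for line in log_text.splitlines():
        m = RE_O13.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        results.append({
            "name": m.group("name"),
            "value": value,
            "hijacked": not SCHEME_ONLY.match(value),
        })
    return results


def _host(url):
    """Host part of an iereset.inf URL; some values carry a leading '&'."""
    url = url.lstrip("&")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def check_o14(log_text, trusted_suffixes=("microsoft.com",)):
    """One dict per O14 line; 'suspicious' is True when the host is not under one
    of trusted_suffixes. The default only trusts Microsoft; add your OEM and ISP
    domains (an assumption about your own machine, not something HijackThis knows)."""
    results = []
    for line in log_text.splitlines():
        m = RE_O14.match(line.strip())
        if not m:
            continue
        host = _host(m.group("value"))
        trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
        results.append({"key": m.group("key"), "host": host, "suspicious": not trusted})
    return results


if __name__ == "__main__":
    for r in check_o13(SAMPLE_LOG):
        print("O13", "HIJACKED" if r["hijacked"] else "default ", r["name"], r["value"])
    for r in check_o14(SAMPLE_LOG, trusted_suffixes=("microsoft.com", "oninet.pt")):
        print("O14", "SUSPECT " if r["suspicious"] else "trusted ", r["key"], r["host"])
```

Run against the sample, the three ehttp.cc/nkvd.us prefixes are reported as hijacked while "WWW. Prefix: http://" passes, and with oninet.pt added as the ISP only the searchalot.com start page remains flagged. The checker deliberately does not decide what to fix; it only sorts the entries so that the recommendation above can be applied consistently.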

O15 – Unwanted site in Trusted Zone

In this section HijackThis lists the sites in Internet Explorer's "Trusted Zone", which was originally meant for content on Web sites considered more reputable or trustworthy than other sites on the Internet. Web sites in the Trusted Zone (Internet Options > Security > Trusted Zone > Sites) are allowed to use normally dangerous scripts and ActiveX objects that other sites are not allowed to use, because the zone's default security level is low. Some malware programs will automatically add a site to the Trusted Zone without you knowing.

Example O15 entries from HijackThis logs

  • O15 – Trusted Zone: *.registration.weather.com
  • O15 – Trusted Zone: *.i-lookup.com
  • O15 – Trusted Zone: *.offshoreclicks.com
  • O15 – Trusted Zone: *.teensguru.com

Recommendation: Some variants of the CWS parasite are known to add sites to the Trusted Zone. If you did not add the listed domain to the Trusted Zone yourself, have HijackThis fix it.

O16 – ActiveX Objects (aka Downloaded Program Files)

In this section HijackThis tags the items found in the "Downloaded Program Files" folder inside the Windows folder. This folder holds various types of files downloaded from the internet, including ActiveX and Java objects. The legitimate purpose of ActiveX objects is to allow website creators to embed small programs in their sites which interact with your browser to provide an enhanced experience for the visitor. Because of its nature, ActiveX also makes a very good platform for installing spyware, adware, dialers and hijackers.

Example O16 entries from HijackThis logs

  • O16 – DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) – 66.48.68.135/save/makeover.cab
  • O16 – DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) – 207.188.7.150/093979d9dd85d80a6d03/net..
  • O16 – DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) – messenger.zone.msn.com/binary/Messenge..
  • O16 – DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) – v4.windowsupdate.microsoft.com/CAB/x86..
  • O16 – DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) – install.wildtangent.com/bgn/partners/

Recommendation: If you don't recognize the name of the object or the URL it was downloaded from, it is safe to have HijackThis fix it. If you are unsure about an item, get an expert opinion before fixing it. Even if you have chosen to fix a legitimate ActiveX object, you will simply be prompted to download it again when you next use that particular service on the website concerned. Please note that fixing ActiveX objects required by sites that use secure logins will cause problems when you try to log in to that site again, so be careful what you choose to fix with HijackThis.
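Because the O16 recommendation hinges on whether you recognise the object and its download source, it helps to pull the CLSID, class name and host out of each DPF line before deciding. The script below is an added example (not from the article or from HijackThis) that does this and attaches two defender-side observations: a bare IP address as the download host, which is unusual for a legitimate vendor, and a URL that HijackThis has truncated with "..", which means the log does not show the real file name. The sample lines are constructed from the entries above; the `known_suffixes` list of vendor domains you trust is an assumption and should reflect your own environment.

```python
import ipaddress
import re

# HijackThis writes " - " between fields; the article renders an en dash, so accept both.
DASH = r"\s+[-–]\s+"

RE_O16 = re.compile(
    r"^O16" + DASH + r"DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*"
    r"\((?P<name>[^)]*)\)" + DASH + r"(?P<url>\S+)\s*$"
)

# Constructed sample, using the O16 entry shapes quoted in the article.
SAMPLE_O16 = """\
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - 66.48.68.135/save/makeover.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - 207.188.7.150/093979d9dd85d80a6d03/net..
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/Messenge..
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com/CAB/x86..
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - install.wildtangent.com/bgn/partners/
"""


def _is_ip(host):
    """True when the download host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_of(url):
    """HijackThis usually drops the scheme; strip one if present, then take the host part."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return url.split("/", 1)[0].lower()


def parse_o16(log_text, known_suffixes=("microsoft.com", "msn.com")):
    """Return one dict per O16 line with clsid, name, url, host and a list of flags.

    known_suffixes is the analyst's own list of vendor domains (an assumption here);
    anything outside it is marked 'unrecognised-source' per the recommendation above."""
    rows = []
    for line in log_text.splitlines():
        m = RE_O16.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host = _host_of(url)
        flags = []
        if _is_ip(host):
            flags.append("ip-address-host")
        if url.endswith(".."):
            flags.append("url-truncated")          # real file name not visible in the log
        if not any(host == s or host.endswith("." + s) for s in known_suffixes):
            flags.append("unrecognised-source")
        rows.append({"clsid": m.group("clsid"), "name": m.group("name"),
                     "url": url, "host": host, "flags": flags})
    return rows


if __name__ == "__main__":
    for r in parse_o16(SAMPLE_O16):
        print(r["clsid"], r["name"], r["host"], ",".join(r["flags"]) or "-")
```

On the sample, the two IP-hosted objects and the WildTangent object come out as unrecognised sources, and the two Microsoft objects are left with at most the "url-truncated" note. The CLSID is kept in the output because it is what you would look up in the O16 research lists and, after fixing, check has actually disappeared from the Downloaded Program Files folder.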

O17 – Lop.com domain hijackers

In this section HijackThis checks various keys in the HKEY_LOCAL_MACHINE registry hive for specific values that help Windows resolve domain names into IP addresses. Hijacking these values can cause programs that use the internet to be redirected to other, malicious sites. Some versions of Lop.com use this method, together with a huge list of cryptic domains.

Example O17 entries from HijackThis logs

  • O17 – HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com
  • O17 – HKLM\System\CCS\Services\Tcpip\..\{665F2FE6-9364-453A-AD28-9DDF4773B522}: Domain = ao.lop.com
  • O17 – HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
  • O17 – HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ao.lop.com
  • O17 – HKLM\System\CCS\Services\Tcpip\..\{ADB2672A-97BB-4C94-9EE0-5447635C8D03}: NameServer = 204.127.129.2 12.102.244.2

Recommendation: It is best to leave the O17s alone unless they clearly point to a bad site. Removing a needed O17 entry may break your internet connectivity, as these values may be used by your ISP or your company network.

O18 – Extra protocols and protocol hijackers

This section of HijackThis looks for new or changed protocols used by Windows to 'talk' to programs, servers or itself. A protocol is what IE interprets as the beginning of an address, such as http://, https://, ftp:// or gopher://. Lop.com uses this method to make IE load content from "ayb://" addresses; similarly, CommonName uses "cn://". Several legitimate programs also do this.

Example O18 entries from HijackThis logs

  • O18 – Protocol: ayb – {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
  • O18 – Protocol: pcn – {D540F040-F3D9-11D0-95BE-00C04FD93CA5} – C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

Recommendation: Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar); you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked. If you are in doubt, get an expert opinion before fixing them. The O18 items can be researched at the SystemLookup O18 List.

O19 – User style sheet hijack

IE has an option to use a user-defined stylesheet for all pages instead of the default one, to enable visually impaired users to view web pages better. Many CWS parasites overwrite any stylesheet the user has set up and replace it with one that causes popups as well as system slowdown.

Example O19 entries from HijackThis logs

  • O19 – User stylesheet: C:\WINNT\system.css
  • O19 – User stylesheet: c:\windows\my.css
  • O19 – User stylesheet: C:\WINNT\default.css
  • O19 – User stylesheet: C:\WINDOWS\Web\oslogo.bmp
  • O19 – User stylesheet: C:\WINDOWS\Web\win.def
  • O19 – User stylesheet: C:\WINDOWS\default.css

Recommendation: At present only CWS does this, so it is recommended to use CWShredder to fix it, unless you have set up a stylesheet for your own use.

O20 – AppInit_DLLs Registry value autorun

The AppInit_DLLs value is documented in the Microsoft Knowledge Base article "Working with the AppInit_DLLs registry value".

The AppInit_DLLs value is found in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

What the above means is that any DLL listed in the AppInit_DLLs value is loaded into every program that is launched, even in Safe Mode.

Example O20 entries from HijackThis logs

  • O20 – AppInit_DLLs: cahooknt.dll
  • O20 – AppInit_DLLs: wbsys.dll
  • O20 – AppInit_DLLs: CLKERN.DLL
  • O20 – AppInit_DLLs: mad.dll
  • O20 – AppInit_DLLs: ssohook
  • O20 – Winlogon Notify: DPWLN – C:\WINDOWS\system32\DPWLEvHd.dll
  • O20 – Winlogon Notify: igfxcui – C:\WINNT\SYSTEM32\igfxsrvc.dll

Recommendation: The O20 entries can be researched at the SystemLookup O20 List. Very few legitimate programs use this autostart method; some variants of the CWS infection are known to use it to load a hidden DLL at Windows startup. You should get an expert's opinion before deciding to fix (delete) these entries.

O21 – ShellServiceObjectDelayLoad

This is an undocumented autorun method, executed by "Explorer.exe" as soon as it has loaded. Each value under the following registry key contains the name and location of a DLL. The system loads the referenced DLLs and links them to "Explorer.exe".

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Example O21 entries from HijackThis logs

  • O21 – SSODL: DDE Control Module – {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} – (no file)
  • O21 – SSODL: Trayz – {F5B7D0BE-5f02-4211-96DB-386DFA244900} – C:\WINDOWS\lghngdne.dll
  • O21 – SSODL: 0aMCPClient – {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} – (no file)
  • O21 – SSODL: XmLdrLocation – {0C887F38-5178-43DA-B9F0-B856141FCDA4} – C:\WINDOWS\System32\msuueng.dll
  • O21 – SSODL: WebExtLocation – {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} – C:\WINNT\system32\lrluser.dll

Recommendation: HijackThis tags only those entries that are not in its internal whitelist, but not all entries tagged by HijackThis are bad. The O21 items can be researched at the SystemLookup O21 List. Please obtain expert/helper help before fixing (deleting) these entries.

O22 – SharedTaskScheduler

This undocumented autorun method applies only to Windows XP, Windows 2000 and NT. Here HijackThis tags the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Example O22 entry from HijackThis logs

  • O22 – SharedTaskScheduler: (no name) – {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} – c:\windows\system32\mtwirl32.dll

Recommendation: This is a rare entry in HijackThis logs. The O22 items can be researched at the SystemLookup O22 List. Please obtain a helper's or expert's opinion before fixing (deleting) this entry.

O23 – NT Services

An NT Service is a background process which is loaded by the Service Control Manager of the NT kernel. They are often loaded at bootup, before any user logs in, and are often independent of any specific user being logged on at the time. If a service is not launched automatically by the system at boot time, as many services are, it can also be manually launched by a user at the console, via the NT Control Panel's Services applet, or by another program which interfaces to NT's Service Control Manager. (From "An Introduction to NT Services".)

HijackThis checks the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for non-Microsoft services. Note that not all entries tagged by HijackThis are bad.

Example O23 entries from HijackThis logs

  • O23 – Service: Remote Procedure Call (RPC) Helper – Unknown – C:\WINDOWS\system32\sdkkv32.exe
  • O23 – Service: ISEXEng – Unknown – C:\WINDOWS\system32\angelex.exe
  • O23 – Service: NOD32 Kernel Service (NOD32krn) – Unknown owner – D:\Program Partition\Eset\nod32krn.exe
  • O23 – Service: Kerio Personal Firewall 4 (KPF4) – Kerio Technologies – D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

Recommendation: The O23 items can be researched at the SystemLookup O23 List. Please obtain help from a helper/expert before fixing (deleting) these entries.
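The O20 to O23 sections all describe autostart locations whose entries look similar in a log: a type, a name, sometimes a CLSID, and the file that gets loaded. When preparing a log for a helper, it saves time to have these pulled into structured records with the two observations the article itself points to already marked: a CLSID whose DLL is "(no file)" (an orphaned registration) and a service whose owner HijackThis reports as "Unknown". The parser below is an added example, not code from the article or from HijackThis. The sample log is constructed from the entries quoted in the O20 to O23 sections (the multi-DLL AppInit_DLLs line and the en-dash separator on one O21 line are constructed to exercise the parser), and the flag names are my own labels, not HijackThis terminology.

```python
import re
from dataclasses import dataclass, field

# HijackThis writes " - " between fields; the article renders an en dash, so accept both.
DASH = r"\s+[-–]\s+"
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

RE_APPINIT = re.compile(r"^O20" + DASH + r"AppInit_DLLs:\s*(?P<dlls>.*?)\s*$")
RE_WINLOGON = re.compile(r"^O20" + DASH + r"Winlogon Notify:\s*(?P<name>.+?)" + DASH + r"(?P<path>.+?)\s*$")
RE_SSODL = re.compile(r"^(?P<section>O21|O22)" + DASH + r"(?P<kind>SSODL|SharedTaskScheduler):\s*"
                      r"(?P<name>.+?)" + DASH + r"(?P<clsid>" + CLSID + r")" + DASH + r"(?P<path>.+?)\s*$")
RE_SERVICE = re.compile(r"^O23" + DASH + r"Service:\s*(?P<name>.+?)" + DASH + r"(?P<owner>.+?)" + DASH + r"(?P<path>.+?)\s*$")

# Constructed sample log based on the article's O20-O23 examples.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: cahooknt.dll
O20 - AppInit_DLLs: wbsys.dll, ssohook
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINDOWS\lghngdne.dll
O21 – SSODL: 0aMCPClient – {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} – (no file)
O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - c:\windows\system32\mtwirl32.dll
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkkv32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Partition\Eset\nod32krn.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""


@dataclass
class Autorun:
    section: str                  # O20, O21, O22 or O23
    kind: str                     # AppInit_DLLs, Winlogon Notify, SSODL, SharedTaskScheduler, Service
    name: str
    path: str                     # file that gets loaded, or "(no file)"
    clsid: str = ""
    owner: str = ""
    flags: list = field(default_factory=list)   # my own labels, not HijackThis output


def parse_autoruns(log_text):
    """Turn O20-O23 lines into Autorun records, one per loaded file."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_APPINIT.match(line):
            # AppInit_DLLs is one registry value that may list several DLLs.
            for dll in re.split(r"[\s,;]+", m["dlls"]):
                if dll:
                    # No directory means the loader resolves it via the DLL search order.
                    flags = [] if "\\" in dll else ["bare-filename"]
                    entries.append(Autorun("O20", "AppInit_DLLs", dll, dll, flags=flags))
        elif m := RE_WINLOGON.match(line):
            entries.append(Autorun("O20", "Winlogon Notify", m["name"], m["path"]))
        elif m := RE_SSODL.match(line):
            e = Autorun(m["section"], m["kind"], m["name"], m["path"], clsid=m["clsid"])
            if e.path.lower() == "(no file)":
                e.flags.append("orphaned-clsid")        # registration points at a missing DLL
            entries.append(e)
        elif m := RE_SERVICE.match(line):
            e = Autorun("O23", "Service", m["name"], m["path"], owner=m["owner"])
            if e.owner.lower().startswith("unknown"):
                e.flags.append("unknown-owner")         # HijackThis could not attribute the binary
            entries.append(e)
    return entries


def flagged(entries):
    """Entries worth showing a helper first; the rest still need review, per the article."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_autoruns(SAMPLE_LOG)):
        print(e.section, e.kind, e.name, e.path, ",".join(e.flags))
```

On the sample this surfaces the three bare AppInit_DLLs names, the two orphaned SSODL registrations and the two services with an unknown owner, while leaving the Kerio service and the Intel Winlogon Notify entry unflagged. Note that NOD32 is flagged purely because HijackThis reported "Unknown owner", which illustrates the article's point that a tagged entry is not automatically bad; the flags are a triage order, not a verdict.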
